Output task execution role from ecs cluster

terraform/modules/ecs_cluster/iam.tf

@@ -1,6 +1,13 @@
-# Make Execution role for task to run on ECS cluster
+# Make ECS cluster task execution role
+# This role is used by ECS to execute tasks, and has the following permissions:
+# - Read secrets from SSM
+# - Write to cloudwatch logs
+# - Execute ECS tasks
 
-data "aws_iam_policy_document" "ecs_task_execution_role" {
+# -- Policies -- #
+
+# Policy document for ECS task execution
+data "aws_iam_policy_document" "ecs_task_execution_policy_document" {
   statement {
     effect = "Allow"
 
@@ -15,12 +22,81 @@ data "aws_iam_policy_document" "ecs_task_execution_role" {
   }
 }
 
+# Policy document for reading secrets from SSM
+data "aws_iam_policy_document" "secrets_policy_document" {
+  version = "2012-10-17"
+  statement {
+    effect = "Allow"
+    actions = [
+      "secretsmanager:GetResourcePolicy",
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:DescribeSecret",
+      "secretsmanager:ListSecretVersionIds",
+    ]
+    resources = "arn:aws:secretsmanager:eu-west-1:008129123253:secret:*"
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "secretsmanager:ListSecrets",
+    ]
+    resources = "*"
+  }
+}
+# Associated policy
+resource "aws_iam_policy" "read_regional_secrets_policy" {
+    name        = "ecs-cluster-${var.name}-read-regional-secrets-policy"
+    path        = "/ecs-cluster/${var.name}/secrets"
+    description = "Policy to read secrets from SSM"
+
+    policy = data.aws_iam_policy_document.secrets_policy_document.json
+}
+
+# Policy documents for cloudwatch logging
+data "aws_iam_policy_document" "cloudwatch_policy_document" {
+    Version = "2012-10-17"
+    statement {
+        actions = [
+          "logs:PutLogEvents",
+          "logs:CreateLogStream",
+          "logs:CreateLogGroup",
+          "logs:DescribeLogStreams",
+          "logs:DescribeLogGroups",
+          "logs:DeleteLogGroup",
+          "logs:PutRetentionPolicy"
+        ]
+        effect = "Allow"
+        resources = ["arn:aws:logs:*:*:log-group:/aws/ecs*"]
+      }
+}
+# Associated policy
+resource "aws_iam_policy" "write_cloudwatch_policy" {
+    name        = "ecs-cluster-${var.name}-write-cloudwatch-policy"
+    path        = "/ecs-cluster/${var.name}/cloudwatch"
+    description = "Policy to write to cloudwatch logs"
+
+    policy = data.aws_iam_policy_document.cloudwatch_policy_document.json
+}
+
+# -- Role -- #
+
+# Create role for ECS task execution
 resource "aws_iam_role" "ecs_task_execution_role" {
   name = "ecs-cluster_${var.name}_task-execution-role"
-  assume_role_policy = data.aws_iam_policy_document.ecs_task_execution_role.json
+  path = "/ecs-cluster/${var.name}/"
+  assume_role_policy = data.aws_iam_policy_document.ecs_task_execution_policy_document.json
 }
 
+# Attach policies to role
 resource "aws_iam_role_policy_attachment" "ecs-task-execution-role-policy-attachment" {
   role       = aws_iam_role.ecs_task_execution_role.name
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
+resource "aws_iam_role_policy_attachment" "ecs-task-execution-role-policy-attachment-cloudwatch" {
+  role       = aws_iam_role.ecs_task_execution_role.name
+  policy_arn = aws_iam_policy.write_cloudwatch_policy.arn
+}
+resource "aws_iam_role_policy_attachment" "ecs-task-execution-role-policy-attachment-secrets" {
+  role       = aws_iam_role.ecs_task_execution_role.name
+  policy_arn = aws_iam_policy.read_regional_secrets_policy.arn
+}

terraform/modules/ecs_cluster/output.tf

@@ -2,6 +2,6 @@ output "ecs_cluster" {
   value = aws_ecs_cluster.main
 }
 
-output "ecs_task_execution_role" {
-  value = aws_iam_role.ecs_task_execution_role
+output "ecs_task_execution_role_arn" {
+  value = aws_iam_role.ecs_task_execution_role.arn
 }