feat(terraform): add permissions to ECS tasks role (#101)

* feat(terraform): add permissions to ECS tasks role * fix(terraform): fix data source name `aws_cognito_user_pools` * fix(terraform): * fix(terraform): fix type error * fix(terraform): fix secret naming * fix(terraform): fix SSM action typo
dvsa · May 1, 2024 · e9c7938 · e9c7938
1 parent 6369ca4
commit e9c7938
Show file tree

Hide file tree

Showing 4 changed files with 129 additions and 5 deletions.
diff --git a/infra/terraform/environments/dev/main.tf b/infra/terraform/environments/dev/main.tf
@@ -13,7 +13,7 @@ data "aws_ecr_repository" "this" {
 data "aws_security_group" "this" {
   for_each = toset(local.legacy_service_names)
 
-  name = "DEV/APP/DA-OLCS-PRI-${each.key}-SG"
+  name = "DEV/APP/DEV-OLCS-PRI-${each.key}-SG"
 }
 
 data "aws_subnets" "this" {
@@ -22,13 +22,23 @@ data "aws_subnets" "this" {
   filter {
     name = "tag:Name"
     values = [
-      "DEV/APP/DA-OLCS-PRI-${each.key}-1A",
-      "DEV/APP/DA-OLCS-PRI-${each.key}-1B",
-      "DEV/APP/DA-OLCS-PRI-${each.key}-1C"
+      "DEV/APP/DEV-OLCS-PRI-${each.key}-1A",
+      "DEV/APP/DEV-OLCS-PRI-${each.key}-1B",
+      "DEV/APP/DEV-OLCS-PRI-${each.key}-1C"
     ]
   }
 }
 
+data "aws_secretsmanager_secret" "this" {
+  for_each = toset(local.service_names)
+
+  name = "DEVAPPDEV-BASE-SM-APPLICATION-${upper(each.key)}"
+}
+
+data "aws_cognito_user_pools" "this" {
+  name = "DVSA-DEVAPPDEV-COGNITO-USERS"
+}
+
 module "service" {
   source = "../../modules/service"
 
@@ -44,6 +54,71 @@ module "service" {
 
       image = "${data.aws_ecr_repository.this["api"].repository_url}:${var.api_image_tag}"
 
+      task_iam_role_statements = [
+        {
+          effect = "Allow"
+          actions = [
+            "secretsmanager:GetSecretValue"
+          ]
+          resources = [
+            data.aws_secretsmanager_secret.this["api"].arn
+          ]
+        },
+        {
+          effect = "Allow"
+          actions = [
+            "ssm:GetParametersByPath"
+          ]
+          resources = [
+            "arn:aws:ssm:eu-west-1:054614622558:parameter/applicationparams/dev/*"
+          ]
+        },
+        {
+          effect = "Allow"
+          actions = [
+            "sts:AssumeRole"
+          ]
+          resources = [
+            "arn:aws:iam::000081644369:role/txc-int-consumer-role"
+          ]
+        },
+        {
+          effect = "Allow"
+          actions = [
+            "cognito-idp:AdminUpdateUserAttributes",
+            "cognito-idp:AdminSetUserPassword",
+            "cognito-idp:AdminRespondToAuthChallenge",
+            "cognito-idp:AdminResetUserPassword",
+            "cognito-idp:AdminInitiateAuth",
+            "cognito-idp:AdminGetUser",
+            "cognito-idp:AdminEnableUser",
+            "cognito-idp:AdminDisableUser",
+            "cognito-idp:AdminDeleteUser",
+            "cognito-idp:AdminCreateUser",
+          ]
+          resources = data.aws_cognito_user_pools.this.arns
+        },
+        {
+          effect = "Allow"
+          actions = [
+            "sqs:SendMessageBatch",
+            "sqs:SendMessage",
+            "sqs:ReceiveMessage",
+            "sqs:PurgeQueue",
+            "sqs:ListDeadLetterSourceQueues",
+            "sqs:GetQueueAttributes",
+            "sqs:DeleteMessageBatch",
+            "sqs:DeleteMessage"
+          ]
+          resources = [
+            "arn:aws:sqs:eu-west-1:054614622558:DEVAPPDEV-OLCS-PRI-CHGET-INSOLVENCY-DLQ",
+            "arn:aws:sqs:eu-west-1:054614622558:DEVAPPDEV-OLCS-PRI-CHGET-INSOLVENCY",
+            "arn:aws:sqs:eu-west-1:054614622558:DEVAPPDEV-OLCS-PRI-CHGET-DLQ",
+            "arn:aws:sqs:eu-west-1:054614622558:DEVAPPDEV-OLCS-PRI-CHGET"
+          ]
+        }
+      ]
+
       subnet_ids = data.aws_subnets.this["API"].ids
 
       security_group_ids = [
@@ -57,6 +132,27 @@ module "service" {
 
       image = "${data.aws_ecr_repository.this["internal"].repository_url}:${var.internal_image_tag}"
 
+      task_iam_role_statements = [
+        {
+          effect = "Allow"
+          actions = [
+            "secretsmanager:GetSecretValue"
+          ]
+          resources = [
+            data.aws_secretsmanager_secret.this["internal"].arn
+          ]
+        },
+        {
+          effect = "Allow"
+          actions = [
+            "ssm:GetParametersByPath"
+          ]
+          resources = [
+            "arn:aws:ssm:eu-west-1:054614622558:parameter/applicationparams/dev/*"
+          ]
+        },
+      ]
+
       subnet_ids = data.aws_subnets.this["IUWEB"].ids
 
       security_group_ids = [
@@ -70,6 +166,27 @@ module "service" {
 
       image = "${data.aws_ecr_repository.this["selfserve"].repository_url}:${var.selfserve_image_tag}"
 
+      task_iam_role_statements = [
+        {
+          effect = "Allow"
+          actions = [
+            "secretsmanager:GetSecretValue"
+          ]
+          resources = [
+            data.aws_secretsmanager_secret.this["selfserve"].arn
+          ]
+        },
+        {
+          effect = "Allow"
+          actions = [
+            "ssm:GetParametersByPath"
+          ]
+          resources = [
+            "arn:aws:ssm:eu-west-1:054614622558:parameter/applicationparams/dev/*"
+          ]
+        },
+      ]
+
       subnet_ids = data.aws_subnets.this["SSWEB"].ids
 
       security_group_ids = [

diff --git a/infra/terraform/modules/service/README.md b/infra/terraform/modules/service/README.md
@@ -42,7 +42,7 @@
 | <a name="input_assets_version"></a> [assets\_version](#input\_assets\_version) | The version of the assets | `string` | n/a | yes |
 | <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | The domain name for the environment | `string` | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | The environment to deploy to | `string` | n/a | yes |
-| <a name="input_services"></a> [services](#input\_services) | The services to deploy | <pre>map(object({<br>    image              = string<br>    cpu                = number<br>    memory             = number<br>    security_group_ids = list(string)<br>    subnet_ids         = list(string)<br>  }))</pre> | `{}` | no |
+| <a name="input_services"></a> [services](#input\_services) | The services to deploy | <pre>map(object({<br>    image              = string<br>    cpu                = number<br>    memory             = number<br>    security_group_ids = list(string)<br>    subnet_ids         = list(string)<br>    task_iam_role_statements = list(object({<br>      effect    = string<br>      actions   = list(string)<br>      resources = list(string)<br>    }))<br>  }))</pre> | `{}` | no |
 
 ## Outputs
 

diff --git a/infra/terraform/modules/service/ecs.tf b/infra/terraform/modules/service/ecs.tf
@@ -25,6 +25,8 @@ module "ecs_service" {
   name        = "vol-app-${var.environment}-${each.key}-service"
   cluster_arn = module.ecs_cluster[each.key].arn
 
+  tasks_iam_role_statements = var.services[each.key].task_iam_role_statements
+
   enable_execute_command = true
 
   task_exec_iam_role_arn = module.ecs_cluster[each.key].task_exec_iam_role_arn

diff --git a/infra/terraform/modules/service/variables.tf b/infra/terraform/modules/service/variables.tf
@@ -20,6 +20,11 @@ variable "services" {
     memory             = number
     security_group_ids = list(string)
     subnet_ids         = list(string)
+    task_iam_role_statements = list(object({
+      effect    = string
+      actions   = list(string)
+      resources = list(string)
+    }))
   }))
   description = "The services to deploy"
   default     = {}