feat(src): update iam role

vpino · Jun 16, 2024 · 7baa994 · 7baa994
1 parent 0fb6f4a
commit 7baa994
Showing 1 changed file with 34 additions and 1 deletion.
diff --git a/terraform/fuap-backend/iam.tf b/terraform/fuap-backend/iam.tf
@@ -1,5 +1,5 @@
 resource "aws_iam_role" "ecs_task_execution_role" {
-  name               = "ecsTaskExecutionRoleV2"  # Cambia el nombre aquí
+  name               = "ecsTaskExecutionRoleV2"
   assume_role_policy = jsonencode({
     Version = "2012-10-17",
     Statement = [
@@ -23,3 +23,36 @@ resource "aws_iam_role" "ecs_task_execution_role" {
     ]
   }
 }
+
+resource "aws_iam_policy" "ecs_task_execution_policy" {
+  name        = "ecsTaskExecutionPolicyV2"
+  description = "Policy for ECS Task Execution Role to pull images from ECR and send logs to CloudWatch"
+  policy      = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect   = "Allow",
+        Action   = [
+          "ecr:GetDownloadUrlForLayer",
+          "ecr:BatchGetImage",
+          "ecr:BatchCheckLayerAvailability",
+          "ecr:GetAuthorizationToken"
+        ],
+        Resource = "*"
+      },
+      {
+        Effect   = "Allow",
+        Action   = [
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ],
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_task_execution_policy_attachment" {
+  role       = aws_iam_role.ecs_task_execution_role.name
+  policy_arn = aws_iam_policy.ecs_task_execution_policy.arn
+}