create department ecs passrole policy

LBHackney-IT · Nov 22, 2024 · 9e4c8a6 · 9e4c8a6
1 parent 48cab13
commit 9e4c8a6
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 15 deletions.
diff --git a/terraform/modules/department/50-aws-iam-policies.tf b/terraform/modules/department/50-aws-iam-policies.tf
@@ -900,36 +900,38 @@ data "aws_iam_policy_document" "airflow_base_policy" {
       "arn:aws:ecs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:cluster/*"
     ]
   }
+}
 
+resource "aws_iam_policy" "airflow_base_policy" {
+  tags = var.tags
+
+  name   = lower("${var.identifier_prefix}-${local.department_identifier}-ariflow-base-policy")
+  policy = data.aws_iam_policy_document.airflow_base_policy.json
+}
+
+data "aws_iam_policy_document" "department_ecs_passrole" {
   statement {
-    sid    = "AirflowPassRolePolicy"
+    sid    = "AirflowDepartmentECSPassrolePolicy"
     effect = "Allow"
     actions = [
       "iam:PassRole"
     ]
     resources = [
+      aws_iam_role.department_ecs_role.arn,
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.department_identifier}-ecs-execution-role",
       "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/dap-ecs-execution-role",
-      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/dap-ecs-task-role",
-      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/parking-ecs-execution-role",
-      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.identifier_prefix}-ecs-parking",
-      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/housing-ecs-execution-role",
-      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.identifier_prefix}-ecs-housing",
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/dap-ecs-task-role"
     ]
-    condition {
-      test     = "StringEquals"
-      variable = "iam:PassedToService"
-      values   = ["ecs-tasks.amazonaws.com"]
-    }
   }
 }
 
-resource "aws_iam_policy" "airflow_base_policy" {
-  tags = var.tags
-
-  name   = lower("${var.identifier_prefix}-${local.department_identifier}-ariflow-base-policy")
+resource "aws_iam_policy" "department_ecs_passrole" {
+  name   = lower("${var.identifier_prefix}-${local.department_identifier}-department-ecs-passrole")
   policy = data.aws_iam_policy_document.airflow_base_policy.json
+  tags   = var.tags
 }
 
+
 # ECS Department task role policy
 
 # Todo: departments should probably have their own log groups

diff --git a/terraform/modules/department/50-aws-iam-roles.tf b/terraform/modules/department/50-aws-iam-roles.tf
@@ -102,6 +102,7 @@ locals {
     s3_access                 = aws_iam_policy.s3_access.arn,
     secrets_manager_read_only = aws_iam_policy.secrets_manager_read_only.arn,
     airflow_base_policy       = aws_iam_policy.airflow_base_policy.arn,
+    department_ecs_passrole   = aws_iam_policy.department_ecs_policy.arn
   }
 }