feat: use inline policy rather than AWS-managed policy

bigeyedata · Feb 28, 2024 · f68a32f · f68a32f
1 parent 776ebd5
commit f68a32f
Showing 1 changed file with 31 additions and 6 deletions.
diff --git a/modules/bigeye/main.tf b/modules/bigeye/main.tf
@@ -547,13 +547,38 @@ resource "aws_iam_role" "ecs" {
   })
 }
 
-data "aws_iam_policy" "ecs_managed" {
-  name = "AmazonECSTaskExecutionRolePolicy"
-}
+resource "aws_iam_role_policy" "ecs_execution" {
+  role = aws_iam_role.ecs.id
+  name = "ECSTaskExecution"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "AllowECRAccess"
+        Effect = "Allow"
+        Action = [
+          "ecr:GetAuthorizationToken",
+          "ecr:BatchCheckLayerAvailability",
+          "ecr:GetDownloadUrlForLayer",
+          "ecr:BatchGetImage"
+        ]
+        Resource = "*"
+      },
+      {
+        Sid    = "AllowCloudWatch"
+        Effect = "Allow"
+        Action = [
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ]
+        Resource = [
+          "${aws_cloudwatch_log_group.bigeye.arn}:log-stream:*",
+          "${aws_cloudwatch_log_group.temporal.arn}:log-stream:*",
+        ]
+      }
+    ]
+  })
 
-resource "aws_iam_role_policy_attachment" "ecs" {
-  role       = aws_iam_role.ecs.name
-  policy_arn = data.aws_iam_policy.ecs_managed.arn
 }
 
 resource "aws_iam_role_policy" "ecs_secrets" {