add task role to id-broker for AppConfig access

silinternational · Feb 13, 2024 · b207887 · b207887
1 parent 6dd61b2
commit b207887
Show file tree

Hide file tree

Showing 2 changed files with 63 additions and 1 deletion.
diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf
@@ -202,6 +202,7 @@ module "ecsservice" {
   tg_arn             = aws_alb_target_group.broker.arn
   lb_container_name  = "web"
   lb_container_port  = "80"
+  task_role_arn      = aws_iam_role.app_config.arn
 }
 
 /*
@@ -421,6 +422,57 @@ data "cloudflare_zone" "domain" {
 }
 
 
+/*
+ * Create role for access to SES
+ */
+resource "aws_iam_role" "app_config" {
+  name = "appconfig-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "ECSAssumeRoleAppConfig"
+        Effect = "Allow"
+        Principal = {
+          Service = [
+            "ecs-tasks.amazonaws.com",
+          ]
+        }
+        Action = "sts:AssumeRole"
+        Condition = {
+          ArnLike = {
+            "aws:SourceArn" = "arn:aws:ecs:${local.aws_region}:${local.aws_account}:*"
+          }
+          StringEquals = {
+            "aws:SourceAccount" = local.aws_account
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy" "app_config" {
+  name = "app_config"
+  role = aws_iam_role.app_config.id
+  policy = jsonencode(
+    {
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Sid    = "AppConfig"
+          Effect = "Allow"
+          Action = [
+            "appconfig:GetLatestConfiguration",
+            "appconfig:StartConfigurationSession",
+          ]
+          Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.app_id}/environment/${var.env_id}/configuration/${var.config_id}"
+        }
+      ]
+  })
+}
+
 /*
  * AWS data
  */

diff --git a/terraform/040-id-broker/vars.tf b/terraform/040-id-broker/vars.tf
@@ -25,7 +25,7 @@ variable "app_name" {
 }
 
 variable "aws_region" {
-  description = "This is deprecated. The region is more reliably determined from the aws_region data source."
+  description = "This is not used. The region is more reliably determined from the aws_region data source."
   type        = string
   default     = ""
 }
@@ -580,3 +580,13 @@ variable "vpc_id" {
 variable "wildcard_cert_arn" {
   type = string
 }
+
+variable "app_id" {
+  default = ""
+}
+variable "env_id" {
+  default = ""
+}
+variable "config_id" {
+  default = ""
+}