Fix failing ECS policy when S3 access is omitted (#48)

* do not fail to create policy if S3 access is omitted

* update changelog

CHANGELOG.md

@@ -8,6 +8,14 @@ This project does not follow SemVer, since modules are independent of each other
 
 
 
+## [v2021.11.12] - 2021-11-12
+
+### ECS
+
+- `grant_read_access_to_s3_arns` and `grant_write_access_to_s3_arns` can now be omitted [#48](https://github.com/dbl-works/terraform/pull/48)
+
+
+
 ## [v2021.11.09] - 2021-11-09
 
 ### Added

ecs/execution-role.tf

@@ -20,64 +20,74 @@ resource "aws_iam_role" "ecs-task-execution" {
   })
 }
 
+locals {
+  ecs-task-execution-policy-default = [
+    {
+      "Effect" : "Allow",
+      "Action" : [
+        "ecr:GetAuthorizationToken",
+        "ecr:BatchCheckLayerAvailability",
+        "ecr:GetDownloadUrlForLayer",
+        "ecr:BatchGetImage",
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ],
+      "Resource" : "*"
+    },
+    {
+      "Effect" : "Allow",
+      "Action" : [
+        "ssmmessages:CreateControlChannel",
+        "ssmmessages:CreateDataChannel",
+        "ssmmessages:OpenControlChannel",
+        "ssmmessages:OpenDataChannel"
+      ],
+      "Resource" : "*"
+    },
+    {
+      "Effect" : "Allow",
+      "Action" : [
+        "ecs:DescribeServices",
+        "ecs:DescribeTasks",
+        "ecs:ListTasks"
+      ],
+      "Resource" : "*"
+    }
+  ]
+
+  ecs-task-execution-policy-s3-read = length(var.grant_read_access_to_s3_arns) > 0 ? [{
+    "Effect" : "Allow",
+    "Action" : [
+      "s3:ListBucket",
+      "s3:GetObject"
+    ],
+    "Resource" : var.grant_read_access_to_s3_arns
+  }] : []
+
+  ecs-task-execution-policy-s3-write = length(var.grant_write_access_to_s3_arns) > 0 ? [{
+    "Effect" : "Allow",
+    "Action" : [
+      "s3:ListBucket",
+      "s3:GetObject",
+      "s3:PutObject",
+      "s3:DeleteObject"
+    ],
+    "Resource" : var.grant_write_access_to_s3_arns
+  }] : []
+}
+
 resource "aws_iam_role_policy" "ecs-task-execution-policy" {
   name = "ecs-task-execution-policy"
   role = aws_iam_role.ecs-task-execution.name
 
   policy = jsonencode({
     "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Effect" : "Allow",
-        "Action" : [
-          "ecr:GetAuthorizationToken",
-          "ecr:BatchCheckLayerAvailability",
-          "ecr:GetDownloadUrlForLayer",
-          "ecr:BatchGetImage",
-          "logs:CreateLogGroup",
-          "logs:CreateLogStream",
-          "logs:PutLogEvents"
-        ],
-        "Resource" : "*"
-      },
-      {
-        "Effect" : "Allow",
-        "Action" : [
-          "ssmmessages:CreateControlChannel",
-          "ssmmessages:CreateDataChannel",
-          "ssmmessages:OpenControlChannel",
-          "ssmmessages:OpenDataChannel"
-        ],
-        "Resource" : "*"
-      },
-      {
-        "Effect" : "Allow",
-        "Action" : [
-          "ecs:DescribeServices",
-          "ecs:DescribeTasks",
-          "ecs:ListTasks"
-        ],
-        "Resource" : "*"
-      },
-      {
-        "Effect" : "Allow",
-        "Action" : [
-          "s3:ListBucket",
-          "s3:GetObject"
-        ],
-        "Resource" : var.grant_read_access_to_s3_arns
-      },
-      {
-        "Effect" : "Allow",
-        "Action" : [
-          "s3:ListBucket",
-          "s3:GetObject",
-          "s3:PutObject",
-          "s3:DeleteObject"
-        ],
-        "Resource" : var.grant_write_access_to_s3_arns
-      }
-    ]
+    "Statement" : concat(
+      local.ecs-task-execution-policy-default,
+      local.ecs-task-execution-policy-s3-read,
+      local.ecs-task-execution-policy-s3-write
+    )
   })
 }