ecs can read files from s3 buckets (#27)

* ecs can read files from s3 buckets * limit to buckets that match the project name * no region in s3 arn * no trailing commas (legacy parsing?) * pass in allowlisted buckts * Update ecs/variables.tf Co-authored-by: Marc Qualie <[email protected]> * rename var everywhere Co-authored-by: Marc Qualie <[email protected]>
dbl-works · Jul 30, 2021 · 57550bc · 57550bc
1 parent d5f0740
commit 57550bc
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 1 deletion.
diff --git a/ecs/README.md b/ecs/README.md
@@ -27,6 +27,8 @@ module "ecs" {
     local.cidr_block,
     "XX.XX.XX.XX/32", # e.g. a VPN
   ]
+
+  grant_read_access_to_s3_arns = []
 }
 ```
 

diff --git a/ecs/execution-role.tf b/ecs/execution-role.tf
@@ -55,9 +55,17 @@ resource "aws_iam_role_policy" "ecs-task-execution-policy" {
         "Action" : [
           "ecs:DescribeServices",
           "ecs:DescribeTasks",
-          "ecs:ListTasks",
+          "ecs:ListTasks"
         ],
         "Resource" : "*"
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "s3:ListBucket",
+          "s3:GetObject"
+        ],
+        "Resource" : var.grant_read_access_to_s3_arns
       }
     ]
   })

diff --git a/ecs/variables.tf b/ecs/variables.tf
@@ -32,3 +32,7 @@ variable "allowlisted_ssh_ips" {
 # The default follows the methodology of Kubernetes, see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-liveness-http-request
 # Find more about our own standard for health checks here: https://www.notion.so/tractioneng/Health-Checks-2555294b70ce4af4849e8d0fefeb16f8
 variable "health_check_path" { default = "/healthz" }
+
+variable "grant_read_access_to_s3_arns" {
+  default = []
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -27,6 +27,8 @@ module "ecs" { @@
         local.cidr_block,
         "XX.XX.XX.XX/32", # e.g. a VPN
       ]
+      grant_read_access_to_s3_arns = []
     }
     ```
@@ Expand Down @@