assign correct permissions to task_exec role for pulling s3 env files

deploy/tf/service.tf

@@ -148,7 +148,8 @@ module "service" {
     }
   }
 
-  tasks_iam_role_statements = var.iam_statements
+  task_exec_iam_statements  = var.task_exec_iam_statements
+  tasks_iam_role_statements = var.tasks_iam_role_statements
 
   timeouts = {
     create = "10m"

deploy/tf/variables.tf

@@ -4,6 +4,20 @@ variable "alb_parameter_name" {
   type        = string
 }
 
+# task exec role
+variable "task_exec_iam_statements" {
+  description = "A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage"
+  type        = any
+  default     = {}
+}
+
+# tasks role
+variable "tasks_iam_role_statements" {
+  description = "A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage"
+  type        = any
+  default     = {}
+}
+
 # container variables
 variable "app_container_name" {
   description = "The name of the primary application container"
@@ -118,12 +132,6 @@ variable "environment" {
   type        = string
 }
 
-variable "iam_statements" {
-  description = "List of IAM statements to attach to the task role"
-  type        = any
-  default     = []
-}
-
 # Target group health checks
 variable "health_check_path" {
   description = "The health check path for the ALB target group."

deploy/vars/development/variables.yaml

@@ -19,7 +19,7 @@ environment_files:
   - value: arn:aws:s3:::app-config-sydney-450356697252/geonetwork4/development.env
     type: s3
 
-iam_statements:
+task_exec_iam_statements:
   - actions:
       - s3:GetObject
     resources:
@@ -29,7 +29,6 @@ iam_statements:
     resources:
       - arn:aws:s3:::app-config-sydney-450356697252
 
-
 health_check_path: /geonetwork/srv/eng/catalog.search#/home
 unhealthy_threshold: 10