Added permissions to service discovery task

ooni · Feb 4, 2025 · c4c8e9c · c4c8e9c
1 parent 3cfc063
commit c4c8e9c
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 2 deletions.
diff --git a/tf/modules/ooni_monitoring/main.tf b/tf/modules/ooni_monitoring/main.tf
@@ -66,6 +66,10 @@ resource "aws_ecs_task_definition" "ooni_service_discovery" {
         {
           name = "AWS_REGION"
           value = var.aws_region
+        },
+        {
+          name = "DiscoveryOptions__EcsClusters"
+          value = var.cluster_name
         }
       ]
       secrets = [
@@ -94,7 +98,6 @@ resource "aws_ecs_task_definition" "ooni_service_discovery" {
 resource "aws_ecs_service" "service" {
   name            = local.name
   cluster         = var.cluster_id
-  launch_type     = "EC2"
   task_definition = aws_ecs_task_definition.ooni_service_discovery.id
   desired_count   = 1
 
@@ -115,7 +118,7 @@ resource "aws_ecs_service" "service" {
 }
 
 resource "aws_iam_role" "ecs_sd_task" {
-  name = "${local.name}-task-role"
+  name = "${local.name}-task-role-execution"
 
   tags = var.tags
 
@@ -136,6 +139,13 @@ resource "aws_iam_role" "ecs_sd_task" {
 EOF
 }
 
+resource "aws_iam_role_policy" "ooni_ecs_sd_task" {
+  name = "${local.name}-task-role-execution"
+  role = aws_iam_role.ecs_sd_task.name
+
+  policy = templatefile("${path.module}/templates/profile_policy.json", {})
+}
+
 resource "aws_cloudwatch_log_group" "ooni_ecs_sd" {
   name = "ooni-ecs-group/${local.name}"
 }
diff --git a/tf/modules/ooni_monitoring/templates/profile_policy.json b/tf/modules/ooni_monitoring/templates/profile_policy.json
@@ -0,0 +1,57 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "ecsInstanceRole",
+      "Effect": "Allow",
+      "Action": [
+        "ecs:DeregisterContainerInstance",
+        "ecs:DiscoverPollEndpoint",
+        "ecs:Poll",
+        "ecs:RegisterContainerInstance",
+        "ecs:Submit*",
+        "ecs:StartTelemetrySession"
+      ],
+      "Resource": ["*"]
+    },
+    {
+      "Sid": "CloudWatchLogsFullAccess",
+      "Effect": "Allow",
+      "Action": ["logs:*", "cloudwatch:GenerateQuery"],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+          "ssm:GetParameter",
+          "ssm:GetParameters",
+          "ssm:GetParameterHistory",
+          "ssm:GetParametersByPath"
+      ],
+      "Resource": "arn:aws:ssm:*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:Describe*",
+        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+        "elasticloadbalancing:DeregisterTargets",
+        "elasticloadbalancing:Describe*",
+        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+        "elasticloadbalancing:RegisterTargets"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ecs:DescribeClusters",
+        "ecs:ListServices",
+        "ecs:DescribeServices",
+        "ecs:ListTasks",
+        "ecs:DescribeTasks"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
diff --git a/tf/modules/ooni_monitoring/variables.tf b/tf/modules/ooni_monitoring/variables.tf
@@ -26,4 +26,8 @@ variable "task_secrets" {
 
 variable "cluster_id" {
   type = string
+}
+
+variable "cluster_name" {
+  type = string
 }