From c4c8e9c72a0a8c81f0cf990cdfe23c7f11b4bd1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz?=
Date: Tue, 4 Feb 2025 11:26:10 +0100
Subject: [PATCH] Added permissions to service discovery task

---
 tf/modules/ooni_monitoring/main.tf | 14 ++++-
 .../templates/profile_policy.json | 57 +++++++++++++++++++
 tf/modules/ooni_monitoring/variables.tf | 4 ++
 3 files changed, 73 insertions(+), 2 deletions(-)
 create mode 100644 tf/modules/ooni_monitoring/templates/profile_policy.json

diff --git a/tf/modules/ooni_monitoring/main.tf b/tf/modules/ooni_monitoring/main.tf
index c7d0e96..803095e 100644
--- a/tf/modules/ooni_monitoring/main.tf
+++ b/tf/modules/ooni_monitoring/main.tf
@@ -66,6 +66,10 @@ resource "aws_ecs_task_definition" "ooni_service_discovery" {
 {
 name = "AWS_REGION"
 value = var.aws_region
+ },
+ {
+ name = "DiscoveryOptions__EcsClusters"
+ value = var.cluster_name
 }
 ]
 secrets = [
@@ -94,7 +98,6 @@ resource "aws_ecs_task_definition" "ooni_service_discovery" {
 resource "aws_ecs_service" "service" {
 name = local.name
 cluster = var.cluster_id
- launch_type = "EC2"
 task_definition = aws_ecs_task_definition.ooni_service_discovery.id
 desired_count = 1
 
@@ -115,7 +118,7 @@ resource "aws_ecs_service" "service" {
 }
 
 resource "aws_iam_role" "ecs_sd_task" {
- name = "${local.name}-task-role"
+ name = "${local.name}-task-role-execution"
 
 tags = var.tags
 
@@ -136,6 +139,13 @@ resource "aws_iam_role" "ecs_sd_task" {
 EOF
 }
 
+resource "aws_iam_role_policy" "ooni_ecs_sd_task" {
+ name = "${local.name}-task-role-execution"
+ role = aws_iam_role.ecs_sd_task.name
+
+ policy = templatefile("${path.module}/templates/profile_policy.json", {})
+}
+
 resource "aws_cloudwatch_log_group" "ooni_ecs_sd" {
 name = "ooni-ecs-group/${local.name}"
 }
\ No newline at end of file
diff --git a/tf/modules/ooni_monitoring/templates/profile_policy.json b/tf/modules/ooni_monitoring/templates/profile_policy.json
new file mode 100644
index 0000000..c5a893f
--- /dev/null
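Review bot: The `aws_iam_role_policy` block in the last hunk renders `profile_policy.json` with an empty variable map, so nothing in the template can be scoped to this deployment and every statement is left with `"Resource": "*"`; passing the values the module already has, e.g. `policy = templatefile("${path.module}/templates/profile_policy.json", { cluster_arn = var.cluster_id, log_group_arn = aws_cloudwatch_log_group.ooni_ecs_sd.arn })`, would let the template name real ARNs (assuming `var.cluster_id` is the cluster ARN, which this diff does not show). In the third hunk, renaming `aws_iam_role.ecs_sd_task` to `${local.name}-task-role-execution` forces replacement of the role because `name` is immutable, so the role and anything holding its ARN will be recreated on apply, and the `-execution` suffix on a resource called `ecs_sd_task` invites confusion about whether it is the task role or the execution role; a one-line comment stating which of `task_role_arn`/`execution_role_arn` it feeds (not visible in this diff) would settle that. In the second hunk, dropping `launch_type = "EC2"` makes the service fall back to the cluster's default capacity provider strategy; if that is the intent, say so in a comment so the removal is not read as accidental.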
+++ b/tf/modules/ooni_monitoring/templates/profile_policy.json
@@ -0,0 +1,57 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "ecsInstanceRole",
+ "Effect": "Allow",
+ "Action": [
+ "ecs:DeregisterContainerInstance",
+ "ecs:DiscoverPollEndpoint",
+ "ecs:Poll",
+ "ecs:RegisterContainerInstance",
+ "ecs:Submit*",
+ "ecs:StartTelemetrySession"
+ ],
+ "Resource": ["*"]
+ },
+ {
+ "Sid": "CloudWatchLogsFullAccess",
+ "Effect": "Allow",
+ "Action": ["logs:*", "cloudwatch:GenerateQuery"],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ssm:GetParameter",
+ "ssm:GetParameters",
+ "ssm:GetParameterHistory",
+ "ssm:GetParametersByPath"
+ ],
+ "Resource": "arn:aws:ssm:*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:Describe*",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:DeregisterTargets",
+ "elasticloadbalancing:Describe*",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:RegisterTargets"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ecs:DescribeClusters",
+ "ecs:ListServices",
+ "ecs:DescribeServices",
+ "ecs:ListTasks",
+ "ecs:DescribeTasks"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/tf/modules/ooni_monitoring/variables.tf b/tf/modules/ooni_monitoring/variables.tf
index 835699b..9a3bc8d 100644
--- a/tf/modules/ooni_monitoring/variables.tf
+++ b/tf/modules/ooni_monitoring/variables.tf
@@ -26,4 +26,8 @@ variable "task_secrets" {
 
 variable "cluster_id" {
 type = string
+}
+
+variable "cluster_name" {
+ type = string
 }
\ No newline at end of file
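Review bot: The policy grants far more than a service-discovery task needs, and main.tf attaches it to `aws_iam_role.ecs_sd_task`, so whatever runs in that container inherits all of it: the `ecsInstanceRole` statement (`ecs:Poll`, `ecs:RegisterContainerInstance`, `ecs:Submit*`, …) is the ECS agent's container-instance permission set rather than anything a task calls; `logs:*` on `*` under `CloudWatchLogsFullAccess` includes deleting and reconfiguring every log group in the account; the `elasticloadbalancing:Register*`/`Deregister*` statement allows changing target membership on any load balancer; and `arn:aws:ssm:*` covers every parameter in every region. The only statement the discovery function plausibly needs is the last one (`ecs:DescribeClusters`, `ecs:ListServices`, `ecs:DescribeServices`, `ecs:ListTasks`, `ecs:DescribeTasks`), possibly plus `ec2:Describe*` if it resolves task network interfaces, which this diff does not show. I would drop the first, second and fourth statements, narrow the SSM `Resource` to the parameter path the task actually reads, and if the task role really must write logs replace `"logs:*"` with `"logs:CreateLogStream", "logs:PutLogEvents"` on the module's log group ARN; every statement should also carry a `Sid` so a CloudTrail denial maps back to a purpose. Because `templatefile` is called with `{}` in main.tf, ARN scoping needs those values passed in as template variables, or the document generated with `aws_iam_policy_document` instead of a static JSON file.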
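Review bot: `cluster_name` is declared without a `description`, and it now identifies the same cluster as `cluster_id` by a different key (main.tf wires `cluster_id` to `aws_ecs_service.cluster` and `cluster_name` to the `DiscoveryOptions__EcsClusters` environment variable), so nothing prevents a caller from passing a name and an id that disagree. Add `description = "Name of the ECS cluster the discovery task scans; must be the cluster referenced by cluster_id"`, or derive one value from the other inside the module so only one has to be supplied. The plural `EcsClusters` in the variable name suggests the application may accept more than one cluster; if so, the description should say whether a single name or a delimited list is expected.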