From 601d7b47c7cc767b4b455ef97e79a1a2c7b9050e Mon Sep 17 00:00:00 2001
From: Ricardo Uehlein
Date: Tue, 31 Dec 2024 10:33:31 -0300
Subject: [PATCH 1/3] Add IAM service linked role for ECS
---
 infra/deploy/ecs.tf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/infra/deploy/ecs.tf b/infra/deploy/ecs.tf
index 629c5cf3..7cc7a9ef 100644
--- a/infra/deploy/ecs.tf
+++ b/infra/deploy/ecs.tf
@@ -243,3 +243,7 @@ resource "aws_ecs_service" "api" {
 container_port = 8000
 }
 }
+
+resource "aws_iam_service_linked_role" "ecs" { aws_service_name = "ecs.amazonaws.com" }
From 6127a5b34438986b9a49a09f343672316d210ba9 Mon Sep 17 00:00:00 2001
From: Ricardo Uehlein
Date: Tue, 31 Dec 2024 10:33:38 -0300
Subject: [PATCH 2/3] Add permissions for managing service linked roles in IAM policy
---
 infra/setup/iam.tf | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/infra/setup/iam.tf b/infra/setup/iam.tf
index 12f07075..9dc27e08 100644
--- a/infra/setup/iam.tf
+++ b/infra/setup/iam.tf
@@ -241,7 +241,10 @@ data "aws_iam_policy_document" "iam" {
 "iam:AttachRolePolicy",
 "iam:TagRole",
 "iam:TagPolicy",
- "iam:PassRole"
+ "iam:PassRole",
+ "iam:CreateServiceLinkedRole",
+ "iam:DeleteServiceLinkedRole",
+ "iam:GetServiceLinkedRoleDeletionStatus"
 ]
 resources = ["*"]
 }
From d2138087a6917e945c5ce7816394e6a4a71e237a Mon Sep 17 00:00:00 2001
From: Ricardo Uehlein
Date: Tue, 31 Dec 2024 10:35:15 -0300
Subject: [PATCH 3/3] Add permission to tag RDS resources in IAM policy
---
 infra/setup/iam.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/infra/setup/iam.tf b/infra/setup/iam.tf
index 9dc27e08..1baab789 100644
--- a/infra/setup/iam.tf
+++ b/infra/setup/iam.tf
@@ -158,6 +158,7 @@ data "aws_iam_policy_document" "rds" {
 statement {
 effect = "Allow"
 actions = [
+ "rds:AddTagsToResource",
 "rds:DescribeDBSubnetGroups",
 "rds:DescribeDBInstances",
 "rds:CreateDBSubnetGroup",
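Review bot: Nothing in this hunk orders `aws_ecs_service.api` after the new `aws_iam_service_linked_role.ecs`, yet the nested block ending with `container_port = 8000` just above it (presumably `load_balancer`) is the case where ECS needs AWSServiceRoleForECS to exist at service-creation time, so on a fresh account the first apply can race and fail; add `depends_on = [aws_iam_service_linked_role.ecs]` to the service resource. The role is also account-wide and is created implicitly by ECS on first use, so in an account that already has it this resource fails with an already-exists error until it is imported, and a `terraform destroy` of this deploy stack would remove a role that every other ECS cluster in the account relies on; consider `lifecycle { prevent_destroy = true }` or moving the resource to the `infra/setup` stack, which already owns account-level IAM. The `aws_ecs_service.api` block starts outside the hunk.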
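Review bot: The three service-linked-role actions are added to a statement whose `resources = ["*"]`, so the deploy identity may create or delete any service-linked role in the account (for example the Auto Scaling or RDS ones), not just AWSServiceRoleForECS, and they sit next to `iam:PassRole` on `*`, which is already a broad grant. All three actions accept a role ARN as the resource, so they belong in their own statement scoped to `arn:aws:iam::*:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS`; if you want to pin the create call further, `iam:CreateServiceLinkedRole` additionally supports a `StringEquals` condition on `iam:AWSServiceName` = `ecs.amazonaws.com`, but keep that condition on a Create-only statement since the other two actions do not carry that key. The `statement` that this hunk edits begins outside the hunk.

```hcl
  # … unchanged: existing IAM actions statement, without the three service-linked-role actions …

  statement {
    effect = "Allow"
    actions = [
      "iam:CreateServiceLinkedRole",
      "iam:DeleteServiceLinkedRole",
      "iam:GetServiceLinkedRoleDeletionStatus"
    ]
    resources = ["arn:aws:iam::*:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS"]
  }
```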
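Review bot: Adding only `rds:AddTagsToResource` covers tagging at creation, but the AWS provider reconciles tag changes on existing RDS resources with a remove call as well, so a later tag removal or rename will presumably fail with AccessDenied on `rds:RemoveTagsFromResource` while the create path works; add `"rds:RemoveTagsFromResource",` next to it, and `"rds:ListTagsForResource",` if tag reads are not already granted elsewhere in this policy. The statement's `resources` line is outside the hunk, so I cannot tell whether the tagging grant is scoped to the project's DB instances or to `*`; if the latter, consider limiting the tag actions to the `db:` and `subgrp:` ARNs this stack creates.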