update ECS policy to enable detecting which images are actively running images

lukey-luke · lukey-luke · commit 31921339c3bf · 2026-03-10T12:12:18.000-07:00
diff --git a/terraform/services/ecr-cleanup/main.tf b/terraform/services/ecr-cleanup/main.tf
@@ -28,8 +28,9 @@ data "aws_iam_policy_document" "ecr_cleanup" {
   statement {
     sid = "ECSReadAccess"
     actions = [
-      "ecs:ListTaskDefinitions",
-      "ecs:DescribeTaskDefinition",
+      "ecs:ListClusters",
+      "ecs:ListTasks",
+      "ecs:DescribeTasks",
     ]
     resources = ["*"]
   }

Original file line number	Diff line number	Diff line change
`@@ -28,8 +28,9 @@ data "aws_iam_policy_document" "ecr_cleanup" {`
`28`	`28`	`statement {`
`29`	`29`	`sid = "ECSReadAccess"`
`30`	`30`	`actions = [`
`31`		`- "ecs:ListTaskDefinitions",`
`32`		`- "ecs:DescribeTaskDefinition",`
	`31`	`+ "ecs:ListClusters",`
	`32`	`+ "ecs:ListTasks",`
	`33`	`+ "ecs:DescribeTasks",`
`33`	`34`	`]`
`34`	`35`	`resources = ["*"]`
`35`	`36`	`}`