Feat/DL-148: Allow data-and-insight to use PassRole on datahub-task-execution-role (#2590)

Tian-2017 · web-flow · commit 19fb5e7c2213 · 2025-12-08T09:33:44.000Z
* DL-148 allow PassRole on datahub-task-execution-role

* simplify a bit
diff --git a/terraform/modules/department/50-aws-iam-policies.tf b/terraform/modules/department/50-aws-iam-policies.tf
@@ -1273,10 +1273,15 @@ data "aws_iam_policy_document" "department_ecs_passrole" {
     actions = [
       "iam:PassRole"
     ]
-    resources = [
-      aws_iam_role.department_ecs_role.arn,                                                                                  # Defined in 50-aws-iam-roles.tf
-      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.department_identifier}*-ecs-execution-role", # Defined in ecs repo.
-    ]
+    resources = concat(
+      [
+        aws_iam_role.department_ecs_role.arn,                                                                                  # Defined in 50-aws-iam-roles.tf
+        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.department_identifier}*-ecs-execution-role", # Defined in ecs repo.
+      ],
+      local.department_identifier == "data-and-insight" ? [
+        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/datahub-task-execution-role" # Defined in dap-datahub repo
+      ] : []
+    )
     condition {
       test     = "StringEquals"
       variable = "iam:PassedToService"
