allow pass role to ecs department execution roles (#2556)

timburke-hackit · web-flow · commit 2d7fd396c898 · 2025-11-12T11:46:27.000Z
diff --git a/terraform/modules/department/50-aws-iam-policies.tf b/terraform/modules/department/50-aws-iam-policies.tf
@@ -1253,8 +1253,8 @@ data "aws_iam_policy_document" "department_ecs_passrole" {
       "iam:PassRole"
     ]
     resources = [
-      aws_iam_role.department_ecs_role.arn,                                                                                 # Defined in 50-aws-iam-roles.tf
-      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.department_identifier}-ecs-execution-role", # Defined in ecs repo.
+      aws_iam_role.department_ecs_role.arn,                                                                                  # Defined in 50-aws-iam-roles.tf
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.department_identifier}*-ecs-execution-role", # Defined in ecs repo.
     ]
     condition {
       test     = "StringEquals"

Original file line number	Diff line number	Diff line change
`@@ -1253,8 +1253,8 @@ data "aws_iam_policy_document" "department_ecs_passrole" {`
`1253`	`1253`	`"iam:PassRole"`
`1254`	`1254`	`]`
`1255`	`1255`	`resources = [`
`1256`		`- aws_iam_role.department_ecs_role.arn, # Defined in 50-aws-iam-roles.tf`
`1257`		`- "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.department_identifier}-ecs-execution-role", # Defined in ecs repo.`
	`1256`	`+ aws_iam_role.department_ecs_role.arn, # Defined in 50-aws-iam-roles.tf`
	`1257`	`+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.department_identifier}*-ecs-execution-role", # Defined in ecs repo.`
`1258`	`1258`	`]`
`1259`	`1259`	`condition {`
`1260`	`1260`	`test = "StringEquals"`