DL-165 allow deparmental user to pass metadata role to ecs

Tian-2017 · Tian-2017 · commit 785d535c7a58 · 2026-01-16T11:15:35.000Z
diff --git a/terraform/modules/department/50-aws-iam-policies.tf b/terraform/modules/department/50-aws-iam-policies.tf
@@ -1314,8 +1314,9 @@ data "aws_iam_policy_document" "department_ecs_passrole" {
         "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.department_identifier}*-ecs-execution-role", # Defined in ecs repo.
       ],
       local.department_identifier == "data-and-insight" ? [
-        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/datahub-task-execution-role", # Defined in dap-datahub repo
-        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/DataHubGlueReadRole"          # Defined in dap-datahub repo
+        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/datahub-task-execution-role",                                 # Defined in dap-datahub repo
+        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/DataHubGlueReadRole",                                         # Defined in dap-datahub repo
+        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.identifier_prefix}-cross-department-glue-metadata-role" # Defined in terraform/core/49-aws-ecs-iam.tf
       ] : []
     )
     condition {
