reduce the size of department ecs base policy (#2116)

Tian-2017 · web-flow · commit 8ad0aac045ca · 2025-02-10T10:34:29.000Z
diff --git a/terraform/modules/department/50-aws-iam-policies.tf b/terraform/modules/department/50-aws-iam-policies.tf
@@ -959,7 +959,6 @@ resource "aws_iam_policy" "department_ecs_passrole" {
 
 data "aws_iam_policy_document" "ecs_department_policy" {
   source_policy_documents = [
-    data.aws_iam_policy_document.s3_department_access.json,
     data.aws_iam_policy_document.secrets_manager_read_only.json,
     data.aws_iam_policy_document.read_glue_scripts_and_mwaa_and_athena.json,
     data.aws_iam_policy_document.crawler_can_access_jdbc_connection.json
diff --git a/terraform/modules/department/50-aws-iam-roles.tf b/terraform/modules/department/50-aws-iam-roles.tf
@@ -157,3 +157,8 @@ resource "aws_iam_role_policy_attachment" "glue_access_attachment_to_ecs_role" {
   role       = aws_iam_role.department_ecs_role.name
   policy_arn = aws_iam_policy.glue_access.arn
 }
+
+resource "aws_iam_role_policy" "grant_s3_access_to_ecs_role" {
+  role   = aws_iam_role.department_ecs_role.name
+  policy = data.aws_iam_policy_document.s3_department_access.json
+}

Original file line number	Diff line number	Diff line change
`@@ -157,3 +157,8 @@ resource "aws_iam_role_policy_attachment" "glue_access_attachment_to_ecs_role" {`
`157`	`157`	`role = aws_iam_role.department_ecs_role.name`
`158`	`158`	`policy_arn = aws_iam_policy.glue_access.arn`
`159`	`159`	`}`
	`160`	`+`
	`161`	`+resource "aws_iam_role_policy" "grant_s3_access_to_ecs_role" {`
	`162`	`+ role = aws_iam_role.department_ecs_role.name`
	`163`	`+ policy = data.aws_iam_policy_document.s3_department_access.json`
	`164`	`+}`