Add Execution Task Role with access to DynamoDB to ECS Fargate

GuidoBR · GuidoBR · commit 95737311bc4d · 2025-04-01T18:11:08.000-04:00
diff --git a/backend/src/iac/backend-stack.ts b/backend/src/iac/backend-stack.ts
@@ -125,19 +125,49 @@ export class BackendStack extends cdk.Stack {
       'Allow inbound HTTPS traffic from within VPC',
     );
 
-    // Task Definition
+    // Create Task Execution Role - this is used during task startup
+    const taskExecutionRole = new iam.Role(this, `${appName}TaskExecutionRole-${props.environment}`, {
+      assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+      description: 'Role that the ECS service uses to pull container images and publish logs to CloudWatch',
+      managedPolicies: [
+        iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonECSTaskExecutionRolePolicy')
+      ]
+    });
+
+    // Create Task Role - this is used by the container during runtime
+    const taskRole = new iam.Role(this, `${appName}TaskRole-${props.environment}`, {
+      assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+      description: 'Role that the containers in the task assume',
+    });
+
+    // Grant permissions to the task role
+    // DynamoDB permissions
+    reportsTable.grantReadWriteData(taskRole);
+
+    // Add permission to read Perplexity API key from Secrets Manager
+    taskRole.addToPolicy(new iam.PolicyStatement({
+      effect: iam.Effect.ALLOW,
+      actions: [
+        'secretsmanager:GetSecretValue',
+        'secretsmanager:DescribeSecret'
+      ],
+      resources: [
+        `arn:aws:secretsmanager:${this.region}:${this.account}:secret:medical-reports-explainer/${props.environment}/perplexity-api-key-*`
+      ]
+    }));
+
+    // Task Definition with explicit roles
     const taskDefinition = new ecs.FargateTaskDefinition(
       this,
       `${appName}TaskDef-${props.environment}`,
       {
         memoryLimitMiB: isProd ? 1024 : 512,
         cpu: isProd ? 512 : 256,
+        taskRole: taskRole,                // Role that the application uses to call AWS services
+        executionRole: taskExecutionRole   // Role that ECS uses to pull images and write logs
       },
     );
 
-    // Grant DynamoDB permissions to task
-    reportsTable.grantReadWriteData(taskDefinition.taskRole);
-
     // Create a secrets manager for the SSL certificate and key
     const certificateSecret = new cdk.aws_secretsmanager.Secret(
       this,
@@ -194,7 +224,7 @@ export class BackendStack extends cdk.Stack {
     });
 
     // Grant the task role access to read the SSL certificate secret
-    certificateSecret.grantRead(taskDefinition.taskRole);
+    certificateSecret.grantRead(taskRole);
 
     container.addPortMappings({
       containerPort: 3000,
diff --git a/backend/src/reports/reports.service.ts b/backend/src/reports/reports.service.ts
@@ -61,6 +61,7 @@ export class ReportsService {
   }
 
   async findLatest(queryDto: GetReportsQueryDto): Promise<Report[]> {
+    console.log('Running ReportsService.findLatest', queryDto);
     // Convert limit to a number to avoid serialization errors
     const limit =
       typeof queryDto.limit === 'string' ? parseInt(queryDto.limit, 10) : queryDto.limit || 10;

Original file line number	Diff line number	Diff line change
`@@ -61,6 +61,7 @@ export class ReportsService {`
`61`	`61`	`}`
`62`	`62`
`63`	`63`	`async findLatest(queryDto: GetReportsQueryDto): Promise<Report[]> {`
	`64`	`+ console.log('Running ReportsService.findLatest', queryDto);`
`64`	`65`	`// Convert limit to a number to avoid serialization errors`
`65`	`66`	`const limit =`
`66`	`67`	`typeof queryDto.limit === 'string' ? parseInt(queryDto.limit, 10) : queryDto.limit \|\| 10;`