cn-terraform
diff --git a/‎files/iam/scheduled_task_cw_event_role_assume_role_policy.json‎
Lines changed: 0 additions & 13 deletions b/‎files/iam/scheduled_task_cw_event_role_assume_role_policy.json‎
Lines changed: 0 additions & 13 deletions
diff --git a/‎files/iam/scheduled_task_cw_event_role_cloudwatch_policy.json‎
Lines changed: 0 additions & 21 deletions b/‎files/iam/scheduled_task_cw_event_role_cloudwatch_policy.json‎
Lines changed: 0 additions & 21 deletions
diff --git a/‎main.tf‎
Lines changed: 24 additions & 8 deletions b/‎main.tf‎
Lines changed: 24 additions & 8 deletions
@@ -1,22 +1,38 @@
 #------------------------------------------------------------------------------
 # CLOUDWATCH EVENT ROLE
 #------------------------------------------------------------------------------
-resource "aws_iam_role" "scheduled_task_cw_event_role" {
-  name               = "${var.name_prefix}-st-cw-role"
-  assume_role_policy = file("${path.module}/files/iam/scheduled_task_cw_event_role_assume_role_policy.json")
+data "aws_iam_policy_document" "scheduled_task_cw_event_role_assume_role_policy" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      identifiers = ["events.amazonaws.com"]
+      type        = "Service"
+    }
+  }
 }
 
-data "template_file" "scheduled_task_cw_event_role_cloudwatch_policy" {
-  template = file("${path.module}/files/iam/scheduled_task_cw_event_role_cloudwatch_policy.json")
-  vars = {
-    TASK_EXECUTION_ROLE_ARN = var.ecs_execution_task_role_arn
+data "aws_iam_policy_document" "scheduled_task_cw_event_role_cloudwatch_policy" {
+  statement {
+    effect    = "Allow"
+    actions   = ["ecs:RunTask"]
+    resources = ["*"]
+  }
+  statement {
+    actions   = ["iam:PassRole"]
+    resources = [var.ecs_execution_task_role_arn]
   }
 }
 
+resource "aws_iam_role" "scheduled_task_cw_event_role" {
+  name               = "${var.name_prefix}-st-cw-role"
+  assume_role_policy = data.aws_iam_policy_document.scheduled_task_cw_event_role_assume_role_policy.json
+}
+
 resource "aws_iam_role_policy" "scheduled_task_cw_event_role_cloudwatch_policy" {
   name   = "${var.name_prefix}-st-cw-policy"
   role   = aws_iam_role.scheduled_task_cw_event_role.id
-  policy = data.template_file.scheduled_task_cw_event_role_cloudwatch_policy.rendered
+  policy = data.aws_iam_policy_document.scheduled_task_cw_event_role_cloudwatch_policy.json
 }
 
 #------------------------------------------------------------------------------