more

Author: marcoacierno

infrastructure/applications/cluster/iam.tf

@@ -20,7 +20,7 @@ data "aws_iam_policy_document" "server_assume_role" {
 
     principals {
       type        = "Service"
-      identifiers = ["ec2.amazonaws.com", "ecs-tasks.amazonaws.com"]
+      identifiers = ["ec2.amazonaws.com", "ecs-tasks.amazonaws.com", "ecs.amazonaws.com"]
     }
 
     actions = ["sts:AssumeRole"]
@@ -35,7 +35,6 @@ data "aws_iam_policy_document" "server_role_policy" {
       "ses:*",
       "ecs:*",
       "ecr:*",
-      "ec2:DescribeInstances",
     ]
     resources = [
       "*"
@@ -78,6 +77,32 @@ data "aws_iam_policy_document" "server_role_policy" {
     resources = ["*"]
     effect    = "Allow"
   }
+
+  statement {
+    actions = [
+      "ec2:DescribeAvailabilityZones",
+      "ec2:DescribeInstances",
+      "ec2:CreateVolume",
+      "ec2:AttachVolume",
+      "ec2:DetachVolume",
+      "ec2:CreateTags",
+      "ec2:DeleteVolume",
+      "ec2:DescribeVolumes",
+    ]
+    resources = ["*"]
+    effect    = "Allow"
+  }
+
+  statement {
+    actions = [
+      "ssmmessages:CreateControlChannel",
+      "ssmmessages:CreateDataChannel",
+      "ssmmessages:OpenControlChannel",
+      "ssmmessages:OpenDataChannel"
+    ]
+    resources = ["*"]
+    effect    = "Allow"
+  }
 }
 
 output "iam_role_arn" {

infrastructure/applications/cluster/security.tf

@@ -22,6 +22,25 @@ resource "aws_security_group_rule" "server_rds" {
   security_group_id = aws_security_group.server.id
 }
 
+resource "aws_security_group_rule" "in_redis" {
+  type              = "egress"
+  from_port         = 6379
+  to_port           = 6379
+  protocol          = "tcp"
+  source_security_group_id = aws_security_group.server.id
+  security_group_id = aws_security_group.server.id
+}
+
+resource "aws_security_group_rule" "out_redis" {
+  # needed by fargate to connect to the server with redis
+  type              = "ingress"
+  from_port         = 6379
+  to_port           = 6379
+  protocol          = "tcp"
+  source_security_group_id = aws_security_group.server.id
+  security_group_id = aws_security_group.server.id
+}
+
 resource "aws_security_group_rule" "web_http" {
   type              = "ingress"
   from_port         = 80

infrastructure/applications/pycon_backend/worker.tf

@@ -175,7 +175,7 @@ locals {
     },
     {
       name = "ECS_SERVICE_ROLE",
-      value = aws_iam_role.ecs_service.arn
+      value = var.iam_role_arn
     },
     {
       name = "AWS_SES_CONFIGURATION_SET"

infrastructure/applications/pycon_backend/worker_heavy_processing.tf

@@ -10,10 +10,12 @@ resource "aws_ecs_task_definition" "heavy_processing_worker" {
   ephemeral_storage {
     size_in_gib = 21
   }
+
   runtime_platform {
     operating_system_family = "LINUX"
     cpu_architecture = "ARM64"
   }
+
   container_definitions = jsonencode([
     {
       name              = "worker"