Get working aws roles for github

singhals · singhals · commit 640038c3d185 · 2025-02-26T11:27:38.000-05:00
diff --git a/terraform/ecr.tf b/terraform/ecr.tf
@@ -31,48 +31,3 @@ resource "aws_ecr_lifecycle_policy" "sync_svc_cube_lf_policy" {
 EOF
 }
 
-
-data "aws_iam_policy_document" "sync_svc_cube_policy" {
-  statement {
-    sid    = "All Accounts in the Org can pull"
-    effect = "Allow"
-    principals {
-      type        = "AWS"
-      identifiers = ["*"]
-    }
-    actions = [
-      "ecr:GetDownloadUrlForLayer",
-      "ecr:BatchGetImage",
-      "ecr:ListImages"
-    ]
-    condition {
-      test     = "StringEquals"
-      variable = "aws:PrincipalAccount"
-      values   = ["${var.aws_account_id}"]
-    }
-  }
-  statement {
-    sid    = "Allow push only from github actions"
-    effect = "Allow"
-    principals {
-      type        = "AWS"
-      identifiers = ["${module.iam_github_oidc_role.arn}"]
-    }
-    actions = ["ecr:BatchCheckLayerAvailability",
-      "ecr:CompleteLayerUpload",
-      "ecr:InitiateLayerUpload",
-      "ecr:PutImage",
-    "ecr:UploadLayerPart"]
-    condition {
-      test     = "StringEquals"
-      variable = "aws:PrincipalAccount"
-      values   = ["${var.aws_account_id}"]
-    }
-  }
-}
-
-resource "aws_ecr_repository_policy" "sync_svc_cube_repo_policy" {
-  repository = aws_ecr_repository.sync_svc_cube_repo.name
-  policy     = data.aws_iam_policy_document.sync_svc_cube_policy.json
-}
-
diff --git a/terraform/iam.tf b/terraform/iam.tf
@@ -51,6 +51,23 @@ resource "aws_iam_policy" "sync_svc_cube_ecr_policy" {
           "ecr:UploadLayerPart"
         ],
         "Resource" : aws_ecr_repository.sync_svc_cube_repo.arn
+      },
+      {
+        "Sid" : "AllowTaskDefinitionUpdates",
+        "Effect" : "Allow",
+        "Action" : [
+          "ecs:DescribeTaskDefinition",
+          "ecs:RegisterTaskDefinition"
+        ],
+        "Resource" : "*"
+      },
+      {
+        "Sid" : "AllowPassRoleToTask",
+        "Effect" : "Allow",
+        "Action" : [
+          "iam:PassRole"
+        ],
+        "Resource" : [aws_iam_role.ecs_task_role.arn, aws_iam_role.ecs_task_execution_role.arn]
       }
     ]
   })
