allow code deploy ecs task access

chrispsheehan · chrispsheehan · commit 50d9b02fd7ff · 2024-10-02T09:23:12.000+01:00
diff --git a/tf/service/deploy/data.tf b/tf/service/deploy/data.tf
@@ -49,4 +49,17 @@ data "aws_iam_policy_document" "codedeploy_policy" {
       "${data.aws_s3_bucket.app_specs.arn}/*"
     ]
   }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "iam:PassRole"
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringLike"
+      variable = "iam:PassedToService"
+      values   = ["ecs-tasks.amazonaws.com"]
+    }
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -49,4 +49,17 @@ data "aws_iam_policy_document" "codedeploy_policy" {`
`49`	`49`	`"${data.aws_s3_bucket.app_specs.arn}/*"`
`50`	`50`	`]`
`51`	`51`	`}`
	`52`	`+`
	`53`	`+ statement {`
	`54`	`+ effect = "Allow"`
	`55`	`+ actions = [`
	`56`	`+ "iam:PassRole"`
	`57`	`+ ]`
	`58`	`+ resources = ["*"]`
	`59`	`+ condition {`
	`60`	`+ test = "StringLike"`
	`61`	`+ variable = "iam:PassedToService"`
	`62`	`+ values = ["ecs-tasks.amazonaws.com"]`
	`63`	`+ }`
	`64`	`+ }`
`52`	`65`	`}`