codedeploy iams

chrispsheehan · chrispsheehan · commit f54d22323d8c · 2024-10-01T20:09:27.000+01:00
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -1,9 +1,9 @@
 name: Deploy
 
 on:
-  push:
-    branches:
-      - 'blue-green-deploy'
+  # push:
+  #   branches:
+  #     - 'blue-green-deploy'
   workflow_dispatch:
 
 permissions:
diff --git a/.github/workflows/init.yml b/.github/workflows/init.yml
@@ -1,9 +1,9 @@
 name: Init
 
 on:
-  # push:
-  #   branches:
-  #     - 'blue-green-deploy'
+  push:
+    branches:
+      - 'blue-green-deploy'
   workflow_dispatch:
 
 permissions:
diff --git a/tf/service/deploy/data.tf b/tf/service/deploy/data.tf
@@ -18,11 +18,21 @@ data "aws_iam_policy_document" "codedeploy_assume_role_policy" {
 data "aws_iam_policy_document" "codedeploy_policy" {
   statement {
     actions = [
+      "ecs:CreateTaskSet",
       "ecs:UpdateService",
       "ecs:DescribeServices",
-      "elasticloadbalancing:*",
-      "autoscaling:*",
-      "codedeploy:*"
+      "ecs:DeleteTaskSet",
+      "ecs:DescribeTaskSets",
+      "ecs:UpdateTaskSet",
+      "elasticloadbalancing:ModifyListener",
+      "elasticloadbalancing:ModifyTargetGroup",
+      "elasticloadbalancing:DeregisterTargets",
+      "elasticloadbalancing:RegisterTargets",
+      "autoscaling:DescribeAutoScalingGroups",
+      "autoscaling:UpdateAutoScalingGroup",
+      "codedeploy:CreateDeployment",
+      "codedeploy:GetDeployment",
+      "codedeploy:StopDeployment"
     ]
     effect    = "Allow"
     resources = ["*"]
