# Task execution role: trusted only by the ECS tasks service principal
# (ecs-tasks.amazonaws.com). The managed policies it carries are attached
# in the separate attachment resources below.
resource "aws_iam_role" "gtm_container_exec_role" {
  name = "gtm_container_exec_role"

  # Trust policy. Only ecs-tasks.amazonaws.com may call sts:AssumeRole.
  # NOTE(review): AWS recommends adding an aws:SourceAccount / aws:SourceArn
  # Condition to service-principal trust policies to limit confused-deputy
  # risk; add it once the account id / cluster ARN is available to this module.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { Service = "ecs-tasks.amazonaws.com" }
        Action    = "sts:AssumeRole"
      },
    ]
  })
}
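# Attaches the CloudWatchLogsFullAccess managed policy to the execution role.
#
# Fix: the original used aws_iam_policy_attachment, which Terraform documents
# as an *exclusive* attachment — on apply it detaches the managed policy from
# every other role, user and group in the account that is not listed in
# `roles`. aws_iam_role_policy_attachment manages only this single role/policy
# pair, which is what is intended here and what the ecs_exec attachment in
# this file already uses. The resource address changes, so Terraform will
# destroy the old attachment and create this one on the next apply.
#
# NOTE(review): CloudWatchLogsFullAccess is broad (logs:* on every log group).
# As of this writing AmazonECSTaskExecutionRolePolicy already grants
# logs:CreateLogStream and logs:PutLogEvents; if only logs:CreateLogGroup is
# additionally required, a customer-managed policy scoped to the task's log
# groups would be the least-privilege replacement.
resource "aws_iam_role_policy_attachment" "cloudwatch_full_access_gtm" {
  role       = aws_iam_role.gtm_container_exec_role.name
  policy_arn = "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
}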
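# Attaches the AWS-managed AmazonECSTaskExecutionRolePolicy (image pull and
# log shipping permissions for the ECS agent) to the execution role.
#
# Fix: aws_iam_policy_attachment creates an *exclusive* attachment — applying
# it detaches AmazonECSTaskExecutionRolePolicy from every other role in the
# account that is not listed in `roles`, which would break any other ECS
# service sharing the account. aws_iam_role_policy_attachment manages only
# this role/policy pair, matching the ecs_exec attachment in this file. The
# resource address changes, so Terraform will destroy the old attachment and
# create this one on the next apply.
resource "aws_iam_role_policy_attachment" "AmazonECSTaskExecutionRolePolicy" {
  role       = aws_iam_role.gtm_container_exec_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}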
# Task (container) role: assumed by ECS tasks on behalf of the workload.
# Its only attachment in this file is the ecs_exec policy below; the trust
# policy is identical to the execution role's.
resource "aws_iam_role" "gtm_container_role" {
  name = "gtm_container_role"

  # NOTE(review): same as the execution role — consider an aws:SourceAccount /
  # aws:SourceArn Condition on this trust statement once those values are
  # available to the module.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { Service = "ecs-tasks.amazonaws.com" }
        Action    = "sts:AssumeRole"
      },
    ]
  })
}
# Customer-managed policy granting the Session Manager message-channel
# permissions that ECS Exec needs inside the task.
resource "aws_iam_policy" "ecs_exec" {
  name        = "container-ecsExec"
  description = "Give ssm permissions to use ecs exec"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        # The ssmmessages:* actions do not support resource-level permissions,
        # so "*" is the only valid Resource; the grant is already narrowed to
        # the four channel operations rather than ssmmessages:*.
        Action = [
          "ssmmessages:CreateControlChannel",
          "ssmmessages:CreateDataChannel",
          "ssmmessages:OpenControlChannel",
          "ssmmessages:OpenDataChannel",
        ]
        Resource = "*"
      },
    ]
  })
}
# Binds the ecs_exec policy to the task role (gtm_container_role), not the
# execution role. Uses the non-exclusive per-role attachment resource.
resource "aws_iam_role_policy_attachment" "ecs_exec" {
  policy_arn = aws_iam_policy.ecs_exec.arn
  role       = aws_iam_role.gtm_container_role.name
}