@@ -243,10 +243,22 @@ resource "aws_ecs_cluster_capacity_providers" "cloud-agent" {
243243 }
244244}
245245
246+ resource "aws_iam_policy" "execution-role" {
247+ count = . create ? 1 : 0
248+ name = " depot-connection-${ var . connection-id } -execution-role"
249+ policy = jsonencode ({
250+ Version = " 2012-10-17"
251+ Statement = [{
252+ Action = [" ssm:GetParameters"
253+ Effect = " Allow"
254+ Resource = [aws_ssm_parameter.connection- token[0 ].arn, aws_ssm_parameter.ceph- key[0 ].arn]
255+ }]
256+ })
257+ }
258+
246259resource "aws_iam_role" "execution-role" {
247- count = . create ? 1 : 0
248- name = " depot-connection-${ var . connection-id } -ecs-execution-role"
249- managed_policy_arns = " arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
260+ count = . create ? 1 : 0
261+ name = " depot-connection-${ var . connection-id } -ecs-execution-role"
250262 assume_role_policy = jsonencode ({
251263 Version = " 2012-10-17"
252264 Statement = [{
@@ -255,17 +267,105 @@ resource "aws_iam_role" "execution-role" {
255267 Principal = { Service = " ecs-tasks.amazonaws.com"
256268 }]
257269 })
258- inline_policy {
259- name = " ecs-execution-role"
260- policy = jsonencode ({
261- Version = " 2012-10-17"
262- Statement = [{
263- Action = [" ssm:GetParameters"
270+ }
271+
272+ resource "aws_iam_role_policy_attachments_exclusive" "execution-role" {
273+ count = . create ? 1 : 0
274+ role_name = . execution-role [0 ]. name
275+ policy_arns =
276+ " arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
277+ aws_iam_policy . execution-role [0 ]. arn
278+ ]
279+ }
280+
281+ resource "aws_iam_policy" "cloud-agent" {
282+ count = . create ? 1 : 0
283+ name = " depot-connection-${ var . connection-id } -cloud-agent"
284+ policy = jsonencode ({
285+ Version = " 2012-10-17"
286+ Statement = [
287+ {
288+ Action = [
289+ " ec2:DescribeInstances"
290+ " ec2:DescribeVolumes"
291+ ]
264292 Effect = " Allow"
265- Resource = [aws_ssm_parameter.connection- token[0 ].arn, aws_ssm_parameter.ceph- key[0 ].arn]
266- }]
267- })
268- }
293+ Resource = " *"
294+ },
295+
296+ {
297+ Action = [" ec2:CreateVolume"
298+ Effect = " Allow"
299+ Resource = " *"
300+ Condition = { StringEquals = { " aws:RequestTag/depot-connection" - id } }
301+ },
302+
303+ {
304+ Action = [" ec2:RunInstances"
305+ Effect = " Allow"
306+ Resource = concat ([
307+ aws_launch_template . arm [0 ]. arn ,
308+ aws_launch_template . x86 [0 ]. arn ,
309+ aws_security_group . instance-buildkit [0 ]. arn ,
310+ aws_security_group . instance-default [0 ]. arn ,
311+ " arn:aws:ec2:${ data . aws_region . current . name } :${ data . aws_caller_identity . current . account_id } :network-interface/*"
312+ " arn:aws:ec2:${ data . aws_region . current . name } :${ data . aws_caller_identity . current . account_id } :volume/*"
313+ " arn:aws:ec2:${ data . aws_region . current . name } ::image/*"
314+ ], [for s in aws_subnet . public : s . arn ])
315+ },
316+
317+ {
318+ Action = [" ec2:RunInstances"
319+ Effect = " Allow"
320+ Resource = " arn:aws:ec2:${ data . aws_region . current . name } :${ data . aws_caller_identity . current . account_id } :instance/*"
321+ Condition = {
322+ StringEquals = {
323+ " aws:RequestTag/depot-connection" = var.connection- id,
324+ " ec2:LaunchTemplate" = [aws_launch_template.x86[0 ].arn, aws_launch_template.arm[0 ].arn],
325+ }
326+ }
327+ },
328+
329+ {
330+ Action = [" ec2:DeleteVolume" " ec2:StartInstances" " ec2:StopInstances" " ec2:TerminateInstances"
331+ Effect = " Allow"
332+ Resource = " *"
333+ Condition = { StringEquals = { " aws:ResourceTag/depot-connection" - id } }
334+ },
335+
336+ {
337+ Action = [" ec2:AttachVolume" " ec2:DetachVolume"
338+ Effect = " Allow"
339+ Resource = [" arn:aws:ec2:*:*:instance/*" " arn:aws:ec2:*:*:volume/*"
340+ Condition = { StringEquals = { " aws:ResourceTag/depot-connection" - id } }
341+ },
342+
343+ {
344+ Action = [" ec2:CreateTags"
345+ Effect = " Allow"
346+ Resource = " arn:aws:ec2:*:*:*/*"
347+ Condition = {
348+ StringEquals = {
349+ " aws:RequestTag/depot-connection" = var.connection- id,
350+ " ec2:CreateAction" = [" CreateVolume" " RunInstances"
351+ }
352+ }
353+ },
354+
355+ {
356+ Action = [" ecs:*"
357+ Effect = " Allow"
358+ Resource = [" *"
359+ Condition = { ArnEquals = { " ecs:cluster" - agent[0 ].arn } }
360+ },
361+
362+ {
363+ Action = [" iam:PassRole"
364+ Effect = " Allow"
365+ Resource = aws_iam_role.instance[0 ].arn
366+ },
367+ ]
368+ })
269369}
270370
271371resource "aws_iam_role" "cloud-agent" {
@@ -279,94 +379,12 @@ resource "aws_iam_role" "cloud-agent" {
279379 Principal = { Service = " ecs-tasks.amazonaws.com"
280380 }]
281381 })
282- inline_policy {
283- name = " cloud-agent"
284- policy = jsonencode ({
285- Version = " 2012-10-17"
286- Statement = [
287- {
288- Action = [
289- " ec2:DescribeInstances"
290- " ec2:DescribeVolumes"
291- ]
292- Effect = " Allow"
293- Resource = " *"
294- },
295-
296- {
297- Action = [" ec2:CreateVolume"
298- Effect = " Allow"
299- Resource = " *"
300- Condition = { StringEquals = { " aws:RequestTag/depot-connection" - id } }
301- },
302-
303- {
304- Action = [" ec2:RunInstances"
305- Effect = " Allow"
306- Resource = concat ([
307- aws_launch_template . arm [0 ]. arn ,
308- aws_launch_template . x86 [0 ]. arn ,
309- aws_security_group . instance-buildkit [0 ]. arn ,
310- aws_security_group . instance-default [0 ]. arn ,
311- " arn:aws:ec2:${ data . aws_region . current . name } :${ data . aws_caller_identity . current . account_id } :network-interface/*"
312- " arn:aws:ec2:${ data . aws_region . current . name } :${ data . aws_caller_identity . current . account_id } :volume/*"
313- " arn:aws:ec2:${ data . aws_region . current . name } ::image/*"
314- ], [for s in aws_subnet . public : s . arn ])
315- },
316-
317- {
318- Action = [" ec2:RunInstances"
319- Effect = " Allow"
320- Resource = " arn:aws:ec2:${ data . aws_region . current . name } :${ data . aws_caller_identity . current . account_id } :instance/*"
321- Condition = {
322- StringEquals = {
323- " aws:RequestTag/depot-connection" = var.connection- id,
324- " ec2:LaunchTemplate" = [aws_launch_template.x86[0 ].arn, aws_launch_template.arm[0 ].arn],
325- }
326- }
327- },
328-
329- {
330- Action = [" ec2:DeleteVolume" " ec2:StartInstances" " ec2:StopInstances" " ec2:TerminateInstances"
331- Effect = " Allow"
332- Resource = " *"
333- Condition = { StringEquals = { " aws:ResourceTag/depot-connection" - id } }
334- },
335-
336- {
337- Action = [" ec2:AttachVolume" " ec2:DetachVolume"
338- Effect = " Allow"
339- Resource = [" arn:aws:ec2:*:*:instance/*" " arn:aws:ec2:*:*:volume/*"
340- Condition = { StringEquals = { " aws:ResourceTag/depot-connection" - id } }
341- },
342-
343- {
344- Action = [" ec2:CreateTags"
345- Effect = " Allow"
346- Resource = " arn:aws:ec2:*:*:*/*"
347- Condition = {
348- StringEquals = {
349- " aws:RequestTag/depot-connection" = var.connection- id,
350- " ec2:CreateAction" = [" CreateVolume" " RunInstances"
351- }
352- }
353- },
354-
355- {
356- Action = [" ecs:*"
357- Effect = " Allow"
358- Resource = [" *"
359- Condition = { ArnEquals = { " ecs:cluster" - agent[0 ].arn } }
360- },
361-
362- {
363- Action = [" iam:PassRole"
364- Effect = " Allow"
365- Resource = aws_iam_role.instance[0 ].arn
366- },
367- ]
368- })
369- }
382+ }
383+
384+ resource "aws_iam_role_policy_attachments_exclusive" "cloud-agent" {
385+ count = . create ? 1 : 0
386+ role_name = . cloud-agent [0 ]. name
387+ policy_arns = aws_iam_policy . cloud-agent [0 ]. arn ]
370388}
371389
372390resource "aws_cloudwatch_log_group" "connection" {
0 commit comments