better IAM

transparency-dev · Dec 3, 2024 · b74b341 · b74b341
1 parent 4164b56
commit b74b341
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 10 deletions.
diff --git a/deployment/live/aws/conformance/terragrunt.hcl b/deployment/live/aws/conformance/terragrunt.hcl
@@ -8,14 +8,15 @@ locals {
   region                     = get_env("AWS_REGION", "us-east-1")
   base_name                  = get_env("TESSERA_BASE_NAME", "${local.env}-conformance")
   prefix_name                = get_env("TESSERA_PREFIX_NAME", "trillian-tessera")
-  ecr_registry               = get_env("ECR_REGISTRY", "${local.env}.dkr.ecr.${local.region}.amazonaws.com")
+  ecr_registry               = get_env("ECR_REGISTRY", "${local.account_id}.dkr.ecr.${local.region}.amazonaws.com")
   ecr_repository_conformance = get_env("ECR_REPOSITORY_CONFORMANCE", "trillian-tessera/conformance:latest")
   ecr_repository_hammer      = get_env("ECR_REPOSITORY_HAMMER", "trillian-tessera/hammer:latest")
   signer                     = get_env("TESSERA_SIGNER")
   verifier                   = get_env("TESSERA_VERIFIER")
   # Roles are defined externally
-  ecs_role  = "arn:aws:iam::${local.account_id}:role/ecsTaskExecutionRole"
-  ephemeral = true
+  ecs_execution_role        = "arn:aws:iam::864981736166:role/ecsTaskExecutionRole"
+  ecs_conformance_task_role = "arn:aws:iam::864981736166:role/ConformanceECSTaskRolePolicy"
+  ephemeral                 = true
 }
 
 remote_state {

diff --git a/deployment/modules/aws/conformance/main.tf b/deployment/modules/aws/conformance/main.tf
@@ -132,12 +132,13 @@ data "aws_iam_policy_document" "allow_access_from_vpce" {
 resource "aws_ecs_task_definition" "conformance" {
   family                   = "conformance"
   requires_compatibilities = ["FARGATE"]
-  # Required network_mode for tasks running on Fargate
+  # Required network_mode for tasks running on Fargate.
   network_mode             = "awsvpc"
   cpu                      = 1024
   memory                   = 2048
-  task_role_arn            = var.ecs_role
-  execution_role_arn       = var.ecs_role
+  execution_role_arn       = var.ecs_execution_role
+  # We need a special role that has access to S3.
+  task_role_arn            = var.ecs_conformance_task_role
   container_definitions    = jsonencode([{
     "name": "${local.name}-conformance",
     "image": "${var.ecr_registry}/${var.ecr_repository_conformance}",
@@ -223,8 +224,7 @@ resource "aws_ecs_task_definition" "hammer" {
   network_mode             = "awsvpc"
   cpu                      = 1024
   memory                   = 2048
-  task_role_arn            = var.ecs_role
-  execution_role_arn       = var.ecs_role
+  execution_role_arn       = var.ecs_execution_role
   container_definitions = jsonencode([{
     "name": "${local.name}-hammer",
     "image": "${var.ecr_registry}/${var.ecr_repository_hammer}",

diff --git a/deployment/modules/aws/conformance/variables.tf b/deployment/modules/aws/conformance/variables.tf
@@ -43,7 +43,12 @@ variable "verifier" {
   type        = string
 }
 
-variable "ecs_role" {
-  description = "Role used to run the ECS containers and task."
+variable "ecs_execution_role" {
+  description = "Role used to run the ECS task."
+  type        = string
+}
+
+variable "ecs_conformance_task_role" {
+  description = "Role assumed by conformance containers when they run."
   type        = string
 }