can the task fetch secrets from a public subnet

Author: acme-cms-challenge

infrastructure/nonprod/etl/main.tf

@@ -27,6 +27,11 @@ resource "aws_iam_role" "dagster_execution_role" {
   })
 }
 
+resource "aws_iam_role_policy_attachment" "ecs_task_execution" {
+  role       = aws_iam_role.dagster_execution_role.name
+  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
 resource "aws_iam_policy" "dagster_can_access_etl_database_secret" {
   name        = "${var.account_name}-etl-service-can-access-etl-database-secret"
   description = "Allows Dagster to access the ETL database RDS secret"
@@ -130,7 +135,7 @@ resource "aws_ecs_service" "dagster_daemon" {
   task_definition = aws_ecs_task_definition.dagster_daemon.arn
 
   network_configuration {
-    subnets         = var.networking.etl_subnet_ids
+    subnets         = var.networking.public_subnet_ids
     security_groups = [var.networking.etl_security_group_id]
   }
 
@@ -195,7 +200,7 @@ resource "aws_ecs_service" "dagster-ui" {
   task_definition = aws_ecs_task_definition.dagster_ui.arn
 
   network_configuration {
-    subnets         = var.networking.etl_subnet_ids
+    subnets         = var.networking.public_subnet_ids
     security_groups = [var.networking.etl_security_group_id]
   }
 

infrastructure/nonprod/fhir-api/main.tf

@@ -25,6 +25,11 @@ resource "aws_iam_role" "fhir_api_role" {
   })
 }
 
+resource "aws_iam_role_policy_attachment" "ecs_task_execution" {
+  role       = aws_iam_role.fhir_api_role.name
+  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
 resource "aws_iam_policy" "fhir_api_can_access_fhir_api_db_secret" {
   name        = "${var.account_name}-fhir-api-can-access-fhir-database-secret"
   description = "Allows ECS to access the RDS secret"

infrastructure/nonprod/networking/outputs.tf

@@ -8,6 +8,11 @@ output "db_subnet_group_name" {
   value       = aws_db_subnet_group.database_subnets.name
 }
 
+output "db_subnet_ids" {
+  description = "The private subnets used for the API"
+  value       = data.aws_subnets.database_subnets.ids
+}
+
 output "api_security_group_id" {
   description = "The security group for the FHIR API"
   value       = aws_security_group.fhir_api_sg.id
@@ -18,11 +23,6 @@ output "alb_security_group_id" {
   value       = aws_security_group.fhir_api_alb.id
 }
 
-output "db_subnet_ids" {
-  description = "The private subnets used for the API"
-  value       = data.aws_subnets.database_subnets.ids
-}
-
 output "etl_subnet_ids" {
   description = "The private subnets used for the ETL processes"
   value       = data.aws_subnets.etl_subnets.ids
@@ -33,6 +33,11 @@ output "etl_security_group_id" {
   value = aws_security_group.fhir_etl_sg.id
 }
 
+output "etl_db_security_group_id" {
+  description = "A list of security group IDs for use with the ETL databases"
+  value       = aws_security_group.fhir_etl_db_sg.id
+}
+
 output "etl_webserver_alb_security_group_id" {
   description = "The security group for the Dagster UI load balancer"
   value = aws_security_group.etl_webserver_alb_sg.id