
Commit 99fbd1e

can the task fetch secrets from a public subnet
1 parent 592881b commit 99fbd1e


3 files changed

+22
-7
lines changed


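--- a/infrastructure/nonprod/etl/main.tf
+++ b/infrastructure/nonprod/etl/main.tf
@@ -27,6 +27,11 @@ resource "aws_iam_role" "dagster_execution_role" {
 })
 }
 
+resource "aws_iam_role_policy_attachment" "ecs_task_execution" {
+role = aws_iam_role.dagster_execution_role.name
+policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
 resource "aws_iam_policy" "dagster_can_access_etl_database_secret" {
 name = "${var.account_name}-etl-service-can-access-etl-database-secret"
 description = "Allows Dagster to access the ETL database RDS secret"
@@ -130,7 +135,7 @@ resource "aws_ecs_service" "dagster_daemon" {
 task_definition = aws_ecs_task_definition.dagster_daemon.arn
 
 network_configuration {
-subnets = var.networking.etl_subnet_ids
+subnets = var.networking.public_subnet_ids
 security_groups = [var.networking.etl_security_group_id]
 }
 
@@ -195,7 +200,7 @@ resource "aws_ecs_service" "dagster-ui" {
 task_definition = aws_ecs_task_definition.dagster_ui.arn
 
 network_configuration {
-subnets = var.networking.etl_subnet_ids
+subnets = var.networking.public_subnet_ids
 security_groups = [var.networking.etl_security_group_id]
 }
 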
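Review bot: The second and third hunks move dagster_daemon and dagster-ui from var.networking.etl_subnet_ids to var.networking.public_subnet_ids, which answers the commit title by putting the task ENIs in internet-routable subnets instead of giving the private ETL subnets a path to Secrets Manager. The conventional fix is to keep etl_subnet_ids and add VPC interface endpoints for secretsmanager (plus ecr.api, ecr.dkr, logs and an s3 gateway endpoint, which the newly attached AmazonECSTaskExecutionRolePolicy permissions are used against) or a NAT route, so the tasks stay unreachable from the internet regardless of security-group rules. If public placement is kept, assign_public_ip is not visible in these hunks — without a public IP a task in a public subnet still has no route to those endpoints, and with one the etl security group becomes the only inbound control; both network_configuration blocks continue past the hunk so I cannot see the rest. Either way a comment on the subnets line, `# public subnet so the task can reach Secrets Manager/ECR; no VPC endpoints exist yet`, would record why the ETL workers are not in the ETL subnets.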

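--- a/infrastructure/nonprod/fhir-api/main.tf
+++ b/infrastructure/nonprod/fhir-api/main.tf
@@ -25,6 +25,11 @@ resource "aws_iam_role" "fhir_api_role" {
 })
 }
 
+resource "aws_iam_role_policy_attachment" "ecs_task_execution" {
+role = aws_iam_role.fhir_api_role.name
+policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
 resource "aws_iam_policy" "fhir_api_can_access_fhir_api_db_secret" {
 name = "${var.account_name}-fhir-api-can-access-fhir-database-secret"
 description = "Allows ECS to access the RDS secret"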
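Review bot: The new attachment grants fhir_api_role the managed AmazonECSTaskExecutionRolePolicy, whose ECR pull and CloudWatch Logs statements are scoped to Resource "*", on a role whose neighbouring policy (fhir_api_can_access_fhir_api_db_secret, just below) reads as an application-level permission. If fhir_api_role is used as both the task execution role and the task role, the container itself inherits ECR and log-write rights it does not need; a separate execution role keeps the agent's bootstrap permissions away from application code — the task definition is outside this hunk, so I cannot confirm which it is. A comment above the attachment, `# Execution-role permissions for the ECS agent: ECR image pull and CloudWatch log delivery; secret access is granted separately`, would make the intent clear. The same shape appears in the etl/main.tf section.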

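--- a/infrastructure/nonprod/networking/outputs.tf
+++ b/infrastructure/nonprod/networking/outputs.tf
@@ -8,6 +8,11 @@ output "db_subnet_group_name" {
 value = aws_db_subnet_group.database_subnets.name
 }
 
+output "db_subnet_ids" {
+description = "The private subnets used for the API"
+value = data.aws_subnets.database_subnets.ids
+}
+
 output "api_security_group_id" {
 description = "The security group for the FHIR API"
 value = aws_security_group.fhir_api_sg.id
@@ -18,11 +23,6 @@ output "alb_security_group_id" {
 value = aws_security_group.fhir_api_alb.id
 }
 
-output "db_subnet_ids" {
-description = "The private subnets used for the API"
-value = data.aws_subnets.database_subnets.ids
-}
-
 output "etl_subnet_ids" {
 description = "The private subnets used for the ETL processes"
 value = data.aws_subnets.etl_subnets.ids
@@ -33,6 +33,11 @@ output "etl_security_group_id" {
 value = aws_security_group.fhir_etl_db_sg.id
 }
 
+output "etl_db_security_group_id" {
+description = "A list of security group IDs for use with the ETL databases"
+value = aws_security_group.fhir_etl_db_sg.id
+}
+
 output "etl_webserver_alb_security_group_id" {
 description = "The security group for the Dagster UI load balancer"
 value = aws_security_group.etl_webserver_alb_sg.id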
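Review bot: The description of the new etl_db_security_group_id output (third hunk) says "A list of security group IDs" but value is the single aws_security_group.fhir_etl_db_sg.id, so a consumer following the description will pass it where a list is expected; either change it to `description = "The security group for the ETL databases"` or emit a list, `value = [aws_security_group.fhir_etl_db_sg.id]`, to match the other single-id outputs in this file. Separately, etl/main.tf in this commit now reads var.networking.public_subnet_ids, yet no public_subnet_ids output is added here; if it is not already exported elsewhere in this module the plan will fail, and that is worth confirming before merge. The first and second hunks only relocate db_subnet_ids, which is a pure reorder.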
