Add IAM role and policy for API task; update S3 bucket output URL and container images

Author: iammukeshm

terraform/apps/playground/app_stack/main.tf

@@ -77,6 +77,45 @@ module "app_s3" {
   cloudfront_price_class = var.app_s3_cloudfront_price_class
 }
 
+data "aws_iam_policy_document" "api_task_assume" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "api_task_s3" {
+  statement {
+    sid     = "AllowBucketReadWrite"
+    actions = [
+      "s3:PutObject",
+      "s3:DeleteObject",
+      "s3:GetObject",
+      "s3:ListBucket"
+    ]
+    resources = [
+      "arn:aws:s3:::${var.app_s3_bucket_name}",
+      "arn:aws:s3:::${var.app_s3_bucket_name}/*"
+    ]
+  }
+}
+
+resource "aws_iam_role" "api_task" {
+  name               = "${var.environment}-api-task"
+  assume_role_policy = data.aws_iam_policy_document.api_task_assume.json
+  tags               = local.common_tags
+}
+
+resource "aws_iam_role_policy" "api_task_s3" {
+  name   = "${var.environment}-api-task-s3"
+  role   = aws_iam_role.api_task.id
+  policy = data.aws_iam_policy_document.api_task_s3.json
+}
+
 module "rds" {
   source = "../../../modules/rds_postgres"
 
@@ -133,6 +172,8 @@ module "api_service" {
 
   health_check_path = "/health/live"
 
+  task_role_arn = aws_iam_role.api_task.arn
+
   environment_variables = {
     ASPNETCORE_ENVIRONMENT            = local.aspnetcore_environment
     DatabaseOptions__ConnectionString = local.db_connection_string
@@ -141,7 +182,6 @@ module "api_service" {
     CorsOptions__AllowedOrigins__0    = "http://${module.alb.dns_name}"
     Storage__Provider                 = "s3"
     Storage__S3__Bucket               = var.app_s3_bucket_name
-    Storage__S3__PublicRead           = false
     Storage__S3__PublicBaseUrl        = module.app_s3.cloudfront_domain_name != "" ? "https://${module.app_s3.cloudfront_domain_name}" : ""
   }
 

terraform/apps/playground/envs/dev/us-east-1/main.tf

@@ -69,5 +69,5 @@ output "s3_bucket_name" {
 }
 
 output "s3_cloudfront_domain" {
-  value = module.app.s3_cloudfront_domain
+  value = "https://${module.app.s3_cloudfront_domain}"
 }

terraform/apps/playground/envs/dev/us-east-1/terraform.tfvars

@@ -33,13 +33,13 @@ db_name     = "fshdb"
 db_username = "fshadmin"
 db_password = "password123!" # Note: In production, use a more secure method for managing secrets.
 
-api_container_image = "ghcr.io/fullstackhero/fsh-playground-api:1c555545cee10cb9703f5ecbbb928e45e5ba8990"
+api_container_image = "ghcr.io/fullstackhero/fsh-playground-api:a6838728a6314c4a635d732e90f8c51c5f890732"
 api_container_port  = 8080
 api_cpu             = "256"
 api_memory          = "512"
 api_desired_count   = 1
 
-blazor_container_image = "ghcr.io/fullstackhero/fsh-playground-blazor:1c555545cee10cb9703f5ecbbb928e45e5ba8990"
+blazor_container_image = "ghcr.io/fullstackhero/fsh-playground-blazor:a6838728a6314c4a635d732e90f8c51c5f890732"
 blazor_container_port  = 8080
 blazor_cpu             = "256"
 blazor_memory          = "512"

terraform/modules/ecs_service/main.tf

@@ -100,6 +100,7 @@ resource "aws_ecs_task_definition" "this" {
   network_mode             = "awsvpc"
   requires_compatibilities = ["FARGATE"]
   execution_role_arn       = aws_iam_role.task_execution.arn
+  task_role_arn            = var.task_role_arn
 
   container_definitions = jsonencode([
     {

terraform/modules/ecs_service/variables.tf

@@ -94,6 +94,12 @@ variable "environment_variables" {
   default     = {}
 }
 
+variable "task_role_arn" {
+  type        = string
+  description = "Optional task role ARN to attach to the task definition."
+  default     = null
+}
+
 variable "tags" {
   type        = map(string)
   description = "Tags to apply to resources."