fix: app runner deployment.

Author: missionmike

terraform/app_runner.tf

@@ -1,35 +1,28 @@
-resource "aws_apprunner_vpc_connector" "connector" {
-  vpc_connector_name = "app-runner-connector"
-  subnets            = aws_subnet.private[*].id
-  security_groups    = [aws_security_group.app_runner.id]
-}
-
 resource "aws_apprunner_service" "service" {
   for_each = var.environments
 
   service_name = "openresume-${each.key}"
 
   source_configuration {
-    authentication_configuration {
-      access_role_arn = aws_iam_role.app_runner_service_role.arn
-    }
+    auto_deployments_enabled = true
 
     image_repository {
       image_configuration {
-        port = "3000" # Adjust based on your application
+        port = "3000"
         runtime_environment_variables = {
           NODE_ENV     = each.key
           DB_SECRET_ID = aws_secretsmanager_secret.db_secrets[each.key].arn
         }
       }
-      image_identifier      = "public.ecr.aws/docker/library/hello-world:latest" # Placeholder image
+      image_identifier      = "public.ecr.aws/docker/library/hello-world:latest"
       image_repository_type = "ECR_PUBLIC"
     }
   }
 
   instance_configuration {
-    cpu    = "1024"
-    memory = "2048"
+    cpu               = "1024"
+    memory            = "2048"
+    instance_role_arn = aws_iam_role.app_runner_instance_role.arn
   }
 
   network_configuration {
@@ -40,7 +33,7 @@ resource "aws_apprunner_service" "service" {
   }
 
   health_check_configuration {
-    path     = "/health" # Adjust based on your application
+    path     = "/health"
     protocol = "HTTP"
   }
 

terraform/iam.tf

@@ -1,19 +1,70 @@
-data "aws_iam_policy_document" "app_runner_assume_role" {
-  statement {
-    actions = ["sts:AssumeRole"]
-    principals {
-      type        = "Service"
-      identifiers = ["build.apprunner.amazonaws.com", "tasks.apprunner.amazonaws.com"]
-    }
-  }
+# Instance Role
+resource "aws_iam_role" "app_runner_instance_role" {
+  name = "app-runner-instance-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "tasks.apprunner.amazonaws.com"
+        }
+      }
+    ]
+  })
 }
 
+# Service Role
 resource "aws_iam_role" "app_runner_service_role" {
-  name               = "app-runner-service-role"
-  assume_role_policy = data.aws_iam_policy_document.app_runner_assume_role.json
+  name = "app-runner-service-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "build.apprunner.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+
+# Attach policies to the instance role
+resource "aws_iam_role_policy_attachment" "app_runner_instance_policy" {
+  role       = aws_iam_role.app_runner_instance_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess"
 }
 
+# Attach policies to the service role
 resource "aws_iam_role_policy_attachment" "app_runner_service_policy" {
   role       = aws_iam_role.app_runner_service_role.name
   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess"
 }
+
+# Add SecretsManager access policy for the instance role
+resource "aws_iam_role_policy" "secrets_access" {
+  name = "secrets-access"
+  role = aws_iam_role.app_runner_instance_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "secretsmanager:GetSecretValue",
+          "secretsmanager:DescribeSecret"
+        ]
+        Resource = [
+          aws_secretsmanager_secret.db_secrets["test"].arn,
+          aws_secretsmanager_secret.db_secrets["prod"].arn
+        ]
+      }
+    ]
+  })
+}