CUMULUS-4707: Refactored iceberg iam role.

Author: ygliuvt

packages/api/app/env.local.example

@@ -6,4 +6,3 @@ NODE_ENV=development
 api_config_secret_id=<Secret manager api config arn>
 dynamoTableNameString={"AccessTokensTable":<Access token table name>}
 ICEBERG_GLUE_SCHEMA=<Iceberg glue schema>
-

tf-modules/cumulus/iceberg_api.tf

@@ -18,8 +18,6 @@ module "iceberg_api" {
 
   ecs_execution_role_arn          = aws_iam_role.ecs_execution_role.arn
 
-  ecs_task_role_arn        = aws_iam_role.ecs_task_role.arn
-
   ecs_cluster_arn                 = aws_ecs_cluster.default.arn
   ecs_cluster_name                = aws_ecs_cluster.default.name
   ecs_cluster_instance_subnet_ids = var.ecs_cluster_instance_subnet_ids

tf-modules/iceberg_api/iam.tf

@@ -1,25 +1,83 @@
-data "aws_iam_policy_document" "iceberg_ecs_task_policy" {
+# --- Iceberg ECS Task Role ---
+
+data "aws_iam_policy_document" "iceberg_task_assume_role_policy" {
+  statement {
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role" "iceberg_task_role" {
+  name                 = "${var.prefix}-iceberg-task-role"
+  assume_role_policy   = data.aws_iam_policy_document.iceberg_task_assume_role_policy.json
+  permissions_boundary = var.permissions_boundary_arn
+}
+
+data "aws_iam_policy_document" "iceberg_task_role_policy" {
+  
   statement {
     actions = [
-      "s3:GetObject",
-      "s3:ListBucket",
-      "s3:PutObject",
-      "s3:DeleteObject",
+      "s3:GetBucket*",
+      "s3:ListBucket*",
     ]
     resources = [
       "arn:aws:s3:::${var.iceberg_s3_bucket}",
+    ]
+  }
+
+  statement {
+    actions = [
+      "s3:GetObject*",
+      "s3:ListMultipartUploadParts",
+    ]
+    resources = [
       "arn:aws:s3:::${var.iceberg_s3_bucket}/*",
     ]
   }
 
+  statement {
+    actions = [
+      "dynamodb:GetItem",
+      "dynamodb:Scan",
+      "dynamodb:Query",
+    ]
+    resources = ["arn:aws:dynamodb:*:*:table/*"]
+  }
+
+  statement {
+    actions   = ["dynamodb:Query"]
+    resources = ["arn:aws:dynamodb:*:*:table/*/index/*"]
+  }
+
+  statement {
+    actions = [
+      "states:DescribeActivity",
+      "states:DescribeExecution",
+      "states:GetActivityTask",
+      "states:GetExecutionHistory",
+      "states:SendTaskFailure",
+      "states:SendTaskSuccess",
+    ]
+    resources = ["arn:aws:states:*:*:*"]
+  }
+
+  statement {
+    actions   = ["secretsmanager:GetSecretValue"]
+    resources = [var.api_config_secret_arn]
+  }
+
+  # Iceberg-specific: Glue catalog access
   statement {
     actions   = ["glue:*"]
     resources = ["*"]
   }
 }
 
-resource "aws_iam_role_policy" "iceberg_ecs_task_policy" {
-  name   = "${var.prefix}-iceberg-ecs-task-policy"
-  role   = split("/", var.ecs_task_role_arn)[1]
-  policy = data.aws_iam_policy_document.iceberg_ecs_task_policy.json
+resource "aws_iam_role_policy" "iceberg_task_role_policy" {
+  name   = "${var.prefix}-iceberg-task-role-policy"
+  role   = aws_iam_role.iceberg_task_role.name
+  policy = data.aws_iam_policy_document.iceberg_task_role_policy.json
 }

tf-modules/iceberg_api/main.tf

@@ -27,7 +27,7 @@ resource "aws_ecs_task_definition" "iceberg_api" {
   cpu                      = var.iceberg_api_cpu
   memory                   = var.iceberg_api_memory
   execution_role_arn       = var.ecs_execution_role_arn
-  task_role_arn            = var.ecs_task_role_arn
+  task_role_arn            = aws_iam_role.iceberg_task_role.arn
 
   runtime_platform {
     operating_system_family = "LINUX"

tf-modules/iceberg_api/variables.tf

@@ -121,8 +121,3 @@ variable "default_log_retention_days" {
   default     = 30
   description = "default value that user chooses for their log retention periods"
 }
-
-variable "ecs_task_role_arn" {
-  description = "ARN of the ECS task role"
-  type        = string
-}