# templates/export/iam_paramstore.tf
# (github.com/in4it/ecs-deploy@v0.0.42-0.20240508120354-ed77ff16df25)
#
# Inline IAM policy attached to the role aws_iam_role.ecs-${SERVICE}. It lets
# that role read the service's SSM Parameter Store entries and decrypt them.
#
# Statement 1: read-only SSM actions (GetParameter, GetParameters,
#   GetParametersByPath, GetParameterHistory), limited to parameters under
#   /${PARAMSTORE_PREFIX}-${AWS_ACCOUNT_ENV}/${NAMESPACE}/ in one region and
#   account. GetParameterHistory also returns earlier values of a parameter,
#   so rotated-out secrets under this path stay readable by the role.
# Statement 2: kms:Decrypt on the single key ${PARAMSTORE_KMS_ARN}.
#
# The ${SERVICE}, ${AWS_REGION}, ${ACCOUNT_ID}, ${PARAMSTORE_PREFIX},
# ${AWS_ACCOUNT_ENV}, ${NAMESPACE} and ${PARAMSTORE_KMS_ARN} tokens look like
# template placeholders filled in before Terraform parses this file; this is
# inferred from the templates/export path, so confirm it against the exporter.
# The values land verbatim inside an ARN and a JSON document, so whatever
# fills them in should reject empty values and values containing "*", "/" or
# quotes. Otherwise the Resource pattern can end up wider than one namespace.
#
# NOTE(review): kms:Decrypt carries no Condition, so the role can decrypt any
# ciphertext produced under this key, not only this namespace's parameters.
# If the key is used solely by Parameter Store, a kms:ViaService or
# encryption-context condition would narrow that. Confirm how the key is
# shared before changing it.
resource "aws_iam_role_policy" "ecs-${SERVICE}-paramstore" {
  name = "paramstore-${SERVICE}"
  role = "${aws_iam_role.ecs-${SERVICE}.id}"

  # The policy document is a literal JSON heredoc. JSON has no comment syntax,
  # so all notes on the statements live in the header above.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ssm:GetParameterHistory",
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath"
      ],
      "Resource": [
        "arn:aws:ssm:${AWS_REGION}:${ACCOUNT_ID}:parameter/${PARAMSTORE_PREFIX}-${AWS_ACCOUNT_ENV}/${NAMESPACE}/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "${PARAMSTORE_KMS_ARN}"
      ],
      "Effect": "Allow"
    }
  ]
}
EOF
}