Update iam rds secrets in ecs task role

chapter-gtm · Aug 10, 2024 · d12734b · d12734b
1 parent ada1c71
commit d12734b
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 1 deletion.
diff --git a/deploy/aws/tf/main.tf b/deploy/aws/tf/main.tf
@@ -116,6 +116,7 @@ module "iam" {
   aws_account_id            = data.aws_caller_identity.current.account_id
   app_bucket_name           = module.s3.app_bucket_name
   rds_db_id                 = module.rds.rds_db_id
+  rds_db_secret_arn         = module.rds.rds_db_secret_arn
   cloudwatch_log_group_name = module.cloudwatch.cloudwatch_log_group_name
   github_repo               = var.github_repo
   github_branch             = var.github_branch

diff --git a/deploy/aws/tf/modules/iam/main.tf b/deploy/aws/tf/modules/iam/main.tf
@@ -61,7 +61,7 @@ resource "aws_iam_role" "ecs_task_role" {
         {
           Effect   = "Allow",
           Action   = ["secretsmanager:GetSecretValue"],
-          Resource = "arn:aws:secretsmanager:${var.region}:${var.aws_account_id}:secret:${var.app_name}/${var.environment}/*"
+          Resource = var.rds_db_secret_arn
         },
         {
           Effect   = "Allow",

diff --git a/deploy/aws/tf/modules/iam/variables.tf b/deploy/aws/tf/modules/iam/variables.tf
@@ -30,6 +30,11 @@ variable "rds_db_id" {
   type        = string
 }
 
+variable "rds_db_secret_arn" {
+  description = "RDS database secret arn"
+  type        = string
+}
+
 variable "cloudwatch_log_group_name" {
   description = "Cloudwatch log group name"
   type        = string

diff --git a/deploy/aws/tf/modules/rds/outputs.tf b/deploy/aws/tf/modules/rds/outputs.tf
@@ -9,3 +9,8 @@ output "rds_endpoint" {
   description = "Endpoint of the RDS instance"
   value       = aws_db_instance.app_db.endpoint
 }
+
+output "rds_db_secret_arn" {
+  description = "RDS database secret arn"
+  value       = aws_secretsmanager_secret.app_db_password.arn
+}