| |
| AWSTemplateFormatVersion: '2010-09-09' |
| Description: Deploy execution role for the Gerrit task |
| |
| Resources: |
| # This is a role which is used by the ECS tasks themselves. |
| ECSTaskExecutionRole: |
| Type: AWS::IAM::Role |
| Properties: |
| AssumeRolePolicyDocument: |
| Statement: |
| - Effect: Allow |
| Principal: |
| Service: [ecs-tasks.amazonaws.com] |
| Action: |
| - sts:AssumeRole |
| Path: / |
| Policies: |
| - PolicyName: AmazonECSTaskExecutionRolePolicy |
| PolicyDocument: |
| Statement: |
| - Effect: Allow |
| Action: |
| # Allow the ECS Tasks to download images from ECR |
| - 'ecr:GetAuthorizationToken' |
| - 'ecr:BatchCheckLayerAvailability' |
| - 'ecr:GetDownloadUrlForLayer' |
| - 'ecr:BatchGetImage' |
| # Allow the ECS tasks to upload logs to CloudWatch |
| - 'logs:CreateLogStream' |
| - 'logs:PutLogEvents' |
| # Allow the ECS tasks to push metrics to CloudWatch |
| - 'cloudwatch:PutMetricData' |
| # Allow the ECS tasks to perform CRUD actions to dynamodb table: |
| # Used for global refs-db operations. |
| - 'dynamodb:DeleteItem' |
| - 'dynamodb:CreateTable' |
| - 'dynamodb:DescribeTable' |
| - 'dynamodb:GetItem' |
| - 'dynamodb:ListTables' |
| - 'dynamodb:PutItem' |
| - 'dynamodb:Query' |
| - 'dynamodb:Scan' |
| - 'dynamodb:UpdateItem' |
| Resource: '*' |
| - PolicyName: AmazonECSTaskSecretManagerRolePolicy |
| PolicyDocument: |
| Statement: |
| - Effect: Allow |
| Action: |
| # Allow the ECS Tasks to get SSH Keys |
| - 'secretsmanager:GetSecretValue' |
| - 'kms:Decrypt' |
| Resource: '*' |
| - PolicyName: AmazonECSTaskXRayRolePolicy |
| PolicyDocument: |
| Statement: |
| - Effect: Allow |
| Action: |
| - "xray:PutTraceSegments" |
| - "xray:PutTelemetryRecords" |
| - "xray:GetSamplingRules" |
| - "xray:GetSamplingTargets" |
| - "xray:GetSamplingStatisticSummaries" |
| Resource: '*' |
| |
| Outputs: |
| TaskExecutionRoleRef: |
| Value: !Ref ECSTaskExecutionRole |
| TaskExecutionRoleArn: |
| Value: !GetAtt ECSTaskExecutionRole.Arn |
