cds-snc / forms-terraform

Infrastructure as Code for the GC Forms environment
MIT License

fix: permission to use DynamoDB was not properly set in the ECS task configuration #784

Closed craigzour closed 3 months ago

craigzour commented 3 months ago

Summary | Résumé

github-actions[bot] commented 3 months ago

⚠ Terraform update available

Terraform: 1.9.5 (using 1.9.2)
Terragrunt: 0.66.9 (using 0.63.2)
github-actions[bot] commented 3 months ago

Staging: api

✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
✅ Conftest: success

Plan: 2 to add, 2 to change, 0 to destroy
Summary

| CHANGE | NAME |
|--------|------|
| update | `module.api_ecs.aws_ecs_service.this` |
|        | `module.api_ecs.aws_iam_policy.this_task_exec` |
| add    | `module.api_ecs.aws_iam_policy.this_task[0]` |
|        | `module.api_ecs.aws_iam_role_policy_attachment.this_task[0]` |
Plan

```terraform
Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # module.api_ecs.aws_ecs_service.this will be updated in-place
  ~ resource "aws_ecs_service" "this" {
        id              = "arn:aws:ecs:ca-central-1:687401027353:service/Forms/forms-api"
        name            = "forms-api"
        tags            = {
            "CostCentre" = "forms-platform-staging"
            "Terraform"  = "true"
        }
      ~ task_definition = "forms-api:12" -> "forms-api"
        # (15 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.api_ecs.aws_iam_policy.this_task[0] will be created
  + resource "aws_iam_policy" "this_task" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + id               = (known after apply)
      + name             = "forms-api_ecs_task_policy"
      + name_prefix      = (known after apply)
      + path             = "/"
      + policy           = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "dynamodb:UpdateItem",
                          + "dynamodb:Query",
                          + "dynamodb:PutItem",
                          + "dynamodb:GetItem",
                          + "dynamodb:BatchWriteItem",
                          + "dynamodb:BatchGetItem",
                        ]
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:dynamodb:ca-central-1:687401027353:table/Vault/index/*",
                          + "arn:aws:dynamodb:ca-central-1:687401027353:table/Vault",
                        ]
                      + Sid      = "DynamoDBVault"
                    },
                  + {
                      + Action   = [
                          + "s3:ListBucket",
                          + "s3:GetObjectVersionTagging",
                          + "s3:GetObjectVersion",
                          + "s3:GetObjectTagging",
                          + "s3:GetObject",
                        ]
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:s3:::forms-staging-vault-file-storage/*",
                          + "arn:aws:s3:::forms-staging-vault-file-storage",
                        ]
                      + Sid      = "S3Vault"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id        = (known after apply)
      + tags             = {
          + "CostCentre" = "forms-platform-staging"
          + "Terraform"  = "true"
        }
      + tags_all         = {
          + "CostCentre" = "forms-platform-staging"
          + "Terraform"  = "true"
        }
    }

  # module.api_ecs.aws_iam_policy.this_task_exec will be updated in-place
  ~ resource "aws_iam_policy" "this_task_exec" {
        id     = "arn:aws:iam::687401027353:policy/forms-api_ecs_task_exec_policy"
        name   = "forms-api_ecs_task_exec_policy"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                    # (2 unchanged elements hidden)
                    {
                        Action   = [
                            "logs:PutLogEvents",
                            "logs:DescribeLogStreams",
                            "logs:CreateLogStream",
                        ]
                        Effect   = "Allow"
                        Resource = "arn:aws:logs:ca-central-1:687401027353:log-group:/aws/ecs/Forms/forms-api:*"
                    },
                  - {
                      - Action   = [
                          - "dynamodb:UpdateItem",
                          - "dynamodb:Query",
                          - "dynamodb:PutItem",
                          - "dynamodb:GetItem",
                          - "dynamodb:BatchWriteItem",
                          - "dynamodb:BatchGetItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:dynamodb:ca-central-1:687401027353:table/Vault/index/*",
                          - "arn:aws:dynamodb:ca-central-1:687401027353:table/Vault",
                        ]
                      - Sid      = "DynamoDBVault"
                    },
                    {
                        Action   = [
                            "kms:GenerateDataKey",
                            "kms:Encrypt",
                            "kms:Decrypt",
                        ]
                        Effect   = "Allow"
                        Resource = "arn:aws:kms:ca-central-1:687401027353:key/1f3edb85-9eac-4da9-8c7c-43a68e339ede"
                        Sid      = "KMSVault"
                    },
                  - {
                      - Action   = [
                          - "s3:ListBucket",
                          - "s3:GetObjectVersionTagging",
                          - "s3:GetObjectVersion",
                          - "s3:GetObjectTagging",
                          - "s3:GetObject",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:s3:::forms-staging-vault-file-storage/*",
                          - "arn:aws:s3:::forms-staging-vault-file-storage",
                        ]
                      - Sid      = "S3Vault"
                    },
                    {
                        Action   = "secretsmanager:GetSecretValue"
                        Effect   = "Allow"
                        Resource = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:zitadel_application_key-3hJWOl"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags   = {
            "CostCentre" = "forms-platform-staging"
            "Terraform"  = "true"
        }
        # (7 unchanged attributes hidden)
    }

  # module.api_ecs.aws_iam_role_policy_attachment.this_task[0] will be created
  + resource "aws_iam_role_policy_attachment" "this_task" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "forms-api_ecs_task_role"
    }

Plan: 2 to add, 2 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```
Conftest results

```sh
20 tests, 20 passed, 0 warnings, 0 failures, 0 exceptions
```
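The plan above moves the `DynamoDBVault` and `S3Vault` statements off the execution policy (`forms-api_ecs_task_exec_policy`) and onto a new policy attached to `forms-api_ecs_task_role`. That split is the point of the fix: the execution role is what the ECS agent uses to pull the image, deliver logs and fetch secrets declared in the task definition, while the task role is the only identity whose credentials the application's own SDK calls receive at runtime. A DynamoDB grant that lives solely on the execution role is therefore both over-privileged for the agent and invisible to the application. The following is an added example, not code from cds-snc/forms-terraform, showing a task definition with the two roles kept separate and each policy scoped to what that side actually does. The bucket, table, role and policy names are taken from the plan; the ECR repository path, secret name pattern, log group and KMS key id are illustrative assumptions, and region and account come from data sources rather than being hard-coded.

```hcl
# Added example, not code from cds-snc/forms-terraform. Names, bucket, table and
# the KMS key id are illustrative; region and account come from data sources.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
locals {
  name   = "forms-api"
  prefix = "${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}"
  bucket = "forms-staging-vault-file-storage" # assumed bucket name
  table  = "Vault"                            # assumed table name
}
# Both roles are assumed by the ECS tasks service principal.
data "aws_iam_policy_document" "ecs_tasks_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

# Execution role: used by the ECS agent to start the container (image pull, log
# delivery, secrets injected via the task definition). Nothing the app calls at runtime belongs here.
resource "aws_iam_role" "task_exec" {
  name               = "${local.name}_ecs_task_exec_role"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume.json
}
data "aws_iam_policy_document" "task_exec" {
  statement {
    sid       = "ECRAuth" # GetAuthorizationToken cannot be resource-scoped
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }
  statement {
    sid       = "ECRPull"
    actions   = ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]
    resources = ["arn:aws:ecr:${local.prefix}:repository/${local.name}"]
  }
  statement {
    sid       = "Logs"
    actions   = ["logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents"]
    resources = ["arn:aws:logs:${local.prefix}:log-group:/aws/ecs/Forms/${local.name}:*"]
  }
  statement {
    sid       = "Secrets"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = ["arn:aws:secretsmanager:${local.prefix}:secret:${local.name}/*"]
  }
}
resource "aws_iam_role_policy" "task_exec" {
  name   = "${local.name}_ecs_task_exec_policy"
  role   = aws_iam_role.task_exec.id
  policy = data.aws_iam_policy_document.task_exec.json
}

# Task role: the credentials the application's own SDK calls use at runtime.
resource "aws_iam_role" "task" {
  name               = "${local.name}_ecs_task_role"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume.json
}
data "aws_iam_policy_document" "task" {
  statement {
    sid = "DynamoDBVault"
    actions = ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query",
      "dynamodb:PutItem", "dynamodb:BatchWriteItem", "dynamodb:UpdateItem"]
    resources = ["arn:aws:dynamodb:${local.prefix}:table/${local.table}",
      "arn:aws:dynamodb:${local.prefix}:table/${local.table}/index/*"]
  }
  statement {
    sid       = "S3Vault"
    actions   = ["s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectTagging", "s3:GetObjectVersionTagging"]
    resources = ["arn:aws:s3:::${local.bucket}", "arn:aws:s3:::${local.bucket}/*"]
  }
  statement {
    sid       = "KMSVault" # belongs on the task role when the vault data is SSE-KMS encrypted
    actions   = ["kms:Decrypt", "kms:GenerateDataKey"]
    resources = ["arn:aws:kms:${local.prefix}:key/00000000-0000-0000-0000-000000000000"] # placeholder key id
  }
}
resource "aws_iam_role_policy" "task" {
  name   = "${local.name}_ecs_task_policy"
  role   = aws_iam_role.task.id
  policy = data.aws_iam_policy_document.task.json
}

resource "aws_ecs_task_definition" "api" {
  family                   = local.name
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 256
  memory                   = 512
  execution_role_arn       = aws_iam_role.task_exec.arn # agent-side: pull, logs, secrets
  task_role_arn            = aws_iam_role.task.arn      # app-side: DynamoDB, S3, KMS
  container_definitions = jsonencode([{
    name  = local.name
    image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com/${local.name}:latest"
  }])
}
```

One caveat worth checking against the plan itself: the `KMSVault` statement (`kms:Decrypt`, `kms:Encrypt`, `kms:GenerateDataKey` on the Vault key) stays on the execution policy only, and the new task policy carries no `kms:` actions. The execution role does need `kms:Decrypt` if the Secrets Manager secret it fetches is encrypted with that customer-managed key, but if the Vault bucket objects or the DynamoDB table are also encrypted with it, the application's reads through the task role would still fail with an access-denied error until an equivalent statement is granted there as well, which is why the example places it on the task role. A plan-time check that an `*_ecs_task_exec_policy` contains only `ecr:`, `logs:`, `secretsmanager:`, `ssm:` and `kms:` actions would have caught the original misplacement and fits naturally alongside the Conftest policies this pipeline already runs.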