From f7f4986142c95f9a0190ea98ea25110160dbe1c6 Mon Sep 17 00:00:00 2001
From: Jianrong
Date: Sun, 2 Oct 2022 22:22:02 +1100
Subject: [PATCH] XIN-240: Add IAM roles for ecs task execution

---
 cicd/devnet/terraform/main.tf | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/cicd/devnet/terraform/main.tf b/cicd/devnet/terraform/main.tf
index 7b38b0c9ae..937d797dd5 100644
--- a/cicd/devnet/terraform/main.tf
+++ b/cicd/devnet/terraform/main.tf
@@ -119,4 +119,34 @@ resource "aws_security_group" "devnet_efs_security_group" {
   tags = {
     Name = "TfDevnetEfs"
   }
+}
+
+# IAM policies
+
+data "aws_iam_policy_document" "xdc_ecs_tasks_execution_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+
+# Create the role
+resource "aws_iam_role" "devnet_xdc_ecs_tasks_execution_role" {
+  name = "devnet-xdc-ecs-task-execution-role"
+  assume_role_policy = "${data.aws_iam_policy_document.xdc_ecs_tasks_execution_role.json}"
+}
+
+# Attached the AWS managed policies to the new role
+resource "aws_iam_role_policy_attachment" "devnet_xdc_ecs_tasks_execution_role" {
+  for_each = toset([
+    "arn:aws:iam::aws:policy/AmazonElasticFileSystemClientFullAccess",
+    "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
+    "arn:aws:iam::aws:policy/AmazonElasticFileSystemsUtils"
+  ])
+  role = aws_iam_role.devnet_xdc_ecs_tasks_execution_role.name
+  policy_arn = each.value
 }
\ No newline at end of file
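Review bot: The `for_each` attachment list grants the task *execution* role far more than it needs: the execution role is assumed by the ECS agent to pull images and ship logs, which `AmazonECSTaskExecutionRolePolicy` already covers, while `AmazonElasticFileSystemClientFullAccess` (account-wide EFS client read/write/root access) and `AmazonElasticFileSystemsUtils` (an SSM-oriented policy meant for EC2 hosts) belong, if anywhere, on a separate task role referenced by `task_role_arn` and scoped to the devnet file system. The trust policy in `xdc_ecs_tasks_execution_role` also has no `aws:SourceAccount`/`aws:SourceArn` condition, which AWS recommends for `ecs-tasks.amazonaws.com` so a task in another account cannot assume this role; a constructed version is sketched below with the account id as a placeholder variable. Minor style point: `assume_role_policy = "${data…json}"` is legacy interpolation-only syntax and should read `assume_role_policy = data.aws_iam_policy_document.xdc_ecs_tasks_execution_role.json`.
```terraform
data "aws_iam_policy_document" "xdc_ecs_tasks_execution_role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }

    # Confused-deputy guard: only tasks in this account may assume the role.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [var.aws_account_id] # placeholder: declare or replace with the devnet account id
    }
  }
}

# … unchanged: aws_iam_role …

resource "aws_iam_role_policy_attachment" "devnet_xdc_ecs_tasks_execution_role" {
  # Execution role only needs the ECS execution policy; EFS access goes on the task role.
  role       = aws_iam_role.devnet_xdc_ecs_tasks_execution_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}
```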