fix: 7077 batch role (#1395)

* feat: create custom cli job execution role

* fix: remove dupicates

* fix: set version

* fix: versions

* fix: syntax

* fix: update version

* fix(update providers)

* fix(update providers)

* fix: update ecs module version

* fix: update batch module parameters

* fix: update batch module parameters

* fix: update batch module parameters

* fix: update batch module parameters

* fix: update batch module parameters

* fix: format fmt module

* fix: role issues

* fix: syntax

* fix: syntax

* fix: removing custom role

* fix: remove host port

* fix: readd hostport

---------

Co-authored-by: cmarstondvsa <chris.marston@dvsa.gov.uk>

Author: Wi11Shell

infra/terraform/environments/dev/main.tf

@@ -78,6 +78,66 @@ locals {
         "arn:aws:s3:::devapp-vol-content/*"
       ]
     },
+    {
+      effect = "Allow"
+      actions = [
+        "rds:CreateDBClusterSnapshot",
+        "rds:DescribeDBClusterSnapshots",
+        "rds:DeleteDBClusterSnapshot",
+      ]
+      resources = [
+        "arn:aws:rds:eu-west-1:054614622558:cluster-snapshot:olcs-anon-*"
+      ]
+    },
+    {
+      effect = "Allow"
+      actions = [
+        "rds:DescribeDBClusters",
+      ]
+      resources = [
+        "arn:aws:rds:eu-west-1:054614622558:cluster:olcs-*"
+      ]
+    },
+    {
+      effect = "Allow"
+      actions = [
+        "rds:RestoreDBClusterFromSnapshot",
+      ]
+      resources = [
+        "arn:aws:rds:eu-west-1:054614622558:cluster-snapshot:olcs-anon-*",
+        "arn:aws:rds:eu-west-1:054614622558:cluster:olcs-anon-*",
+      ]
+    },
+    {
+      effect = "Allow"
+      actions = [
+        "rds:CreateDBInstance",
+        "rds:DescribeDBInstances",
+      ]
+      resources = [
+        "arn:aws:rds:eu-west-1:054614622558:db:olcs-anon-*"
+      ]
+    },
+    {
+      effect = "Allow"
+      actions = [
+        "rds:DeleteDBInstance",
+        "rds:DeleteDBCluster",
+      ]
+      resources = [
+        "arn:aws:rds:eu-west-1:054614622558:db:olcs-anon-*",
+        "arn:aws:rds:eu-west-1:054614622558:cluster:olcs-anon-*",
+      ]
+    },
+    {
+      effect = "Allow"
+      actions = [
+        "rds:ModifyDBClusterSnapshotAttribute"
+      ]
+      resources = [
+        "arn:aws:rds:eu-west-1:054614622558:cluster-snapshot:olcs-anon-*"
+      ]
+    }
   ]
 }
 

infra/terraform/modules/service/README.md

@@ -18,8 +18,6 @@
 |------|--------|---------|
 | <a name="module_acm"></a> [acm](#module\_acm) | terraform-aws-modules/acm/aws | ~> 5.0 |
 | <a name="module_batch"></a> [batch](#module\_batch) | terraform-aws-modules/batch/aws | ~> 3.0 |
-| <a name="module_cli_iam_policy"></a> [cli\_iam\_policy](#module\_cli\_iam\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | ~> 5.6 |
-| <a name="module_cli_iam_role"></a> [cli\_iam\_role](#module\_cli\_iam\_role) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |
 | <a name="module_cloudfront"></a> [cloudfront](#module\_cloudfront) | terraform-aws-modules/cloudfront/aws | ~> 3.4 |
 | <a name="module_cloudwatch_log-metric-filter"></a> [cloudwatch\_log-metric-filter](#module\_cloudwatch\_log-metric-filter) | terraform-aws-modules/cloudwatch/aws//modules/log-metric-filter | 5.7.0 |
 | <a name="module_ecs_cluster"></a> [ecs\_cluster](#module\_ecs\_cluster) | terraform-aws-modules/ecs/aws//modules/cluster | ~> 5.10 |

infra/terraform/modules/service/batch.tf

@@ -165,7 +165,7 @@ locals {
         },
       ],
 
-      executionRoleArn = module.cli_iam_role.arn
+      executionRoleArn = module.ecs_service["api"].task_exec_iam_role_arn
       jobRoleArn       = module.ecs_service["api"].tasks_iam_role_arn
 
       logConfiguration = {
@@ -208,105 +208,6 @@ locals {
       })
     }
   }
-  cli_role_statements = concat(
-
-    [
-      {
-        effect = "Allow"
-        actions = [
-          "rds:CreateDBClusterSnapshot",
-          "rds:DescribeDBClusterSnapshots",
-          "rds:DeleteDBClusterSnapshot",
-        ]
-        resources = [
-          "arn:aws:rds:eu-west-1:${data.aws_caller_identity.current.account_id}:cluster-snapshot:olcs-anon-*"
-        ]
-      },
-      {
-        effect = "Allow"
-        actions = [
-          "rds:DescribeDBClusters",
-        ]
-        resources = [
-          "arn:aws:rds:eu-west-1:${data.aws_caller_identity.current.account_id}:cluster:olcs-*"
-        ]
-      },
-      {
-        effect = "Allow"
-        actions = [
-          "rds:RestoreDBClusterFromSnapshot",
-        ]
-        resources = [
-          "arn:aws:rds:eu-west-1:${data.aws_caller_identity.current.account_id}:cluster-snapshot:olcs-anon-*",
-          "arn:aws:rds:eu-west-1:${data.aws_caller_identity.current.account_id}:cluster:olcs-anon-*",
-        ]
-      },
-      {
-        effect = "Allow"
-        actions = [
-          "rds:CreateDBInstance",
-          "rds:DescribeDBInstances",
-        ]
-        resources = [
-          "arn:aws:rds:eu-west-1:${data.aws_caller_identity.current.account_id}:db:olcs-anon-*"
-        ]
-      },
-      {
-        effect = "Allow"
-        actions = [
-          "rds:DeleteDBInstance",
-          "rds:DeleteDBCluster",
-        ]
-        resources = [
-          "arn:aws:rds:eu-west-1:${data.aws_caller_identity.current.account_id}:db:olcs-anon-*",
-          "arn:aws:rds:eu-west-1:${data.aws_caller_identity.current.account_id}:cluster:olcs-anon-*",
-        ]
-      },
-      {
-        effect = "Allow"
-        actions = [
-          "rds:ModifyDBClusterSnapshotAttribute"
-        ]
-        resources = [
-          "arn:aws:rds:eu-west-1:${data.aws_caller_identity.current.account_id}:cluster-snapshot:olcs-anon-*"
-        ]
-      }
-    ],
-
-    var.batch.task_iam_role_statements
-  )
-}
-
-module "cli_iam_policy" {
-  version = "~> 5.6"
-  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
-
-  name        = "vol-app-${var.environment}-cli"
-  path        = "/"
-  description = "Policy for CLI batch jobs"
-
-  policy = jsonencode({
-    Version   = "2012-10-17"
-    Statement = local.cli_role_statements
-  })
-}
-module "cli_iam_role" {
-  version = "~> 6.0"
-  source  = "terraform-aws-modules/iam/aws//modules/iam-role"
-
-  name = "vol-app-${var.environment}-cli-role"
-
-  trust_policy_permissions = {
-    TrustRoleAndServiceToAssume = {
-      actions = [
-        "sts:AssumeRole",
-      ]
-    }
-  }
-
-  policies = {
-    CLIPolicy = module.cli_iam_policy.arn
-  }
 }
 
 module "batch" {