Clean up IAM roles and fix the ECS cluster name

Author: joerg

README.md

@@ -57,6 +57,12 @@ terraform apply tf.plan
 
 Once everything is running you can try to access the ApplicationLoadBalancer URL and it should show you a screen asking for an initial administrative password. To get this password create a temporary EC2 instance with the security group and IAM instance profile from the output of terraform and mount the EFS share. You will probalby first need to install the efs helper package via yum. Once you have the initial password you can destroy the instance.
 
+When you are done you can destroy everything simply via
+```bash
+terraform plan -destroy -target=module.serverless_jenkins -out=tf.plan
+terraform apply tf.plan
+```
+
 ## Inputs
 
 | Name | Description | Type | Default | Required |

ecs_cluster.tf

@@ -5,6 +5,6 @@
 #
 
 resource "aws_ecs_cluster" "jenkins" {
-  name = "Serverless Jenkins Cluster"
-  tags = var.tags  
+  name = "ServerlessJenkinsCluster"
+  tags = var.tags
 }

iam.tf

@@ -4,69 +4,31 @@
 # All rights reserved - Do Not Redistribute
 #
 
-data "aws_iam_policy_document" "container_instance_ec2_assume_role" {
+# Attach this role to any ECS container or EC2 instance to allow full access to the AWS APIs and mounting of the shared EFS
+data "aws_iam_policy_document" "ecs_task_jenkins" {
   statement {
     effect = "Allow"
 
     principals {
       type        = "Service"
-      identifiers = ["ec2.amazonaws.com"]
+      identifiers = ["ecs-tasks.amazonaws.com", "ec2.amazonaws.com"]
     }
 
     actions = ["sts:AssumeRole"]
   }
 }
 
-resource "aws_iam_role" "container_instance_ec2" {
-  name               = "ServerlessJenkinsEC2InstanceRole"
-  assume_role_policy = data.aws_iam_policy_document.container_instance_ec2_assume_role.json
+resource "aws_iam_role" "ecs_task_jenkins" {
+  name               = "ServerlessJenkinsECSTaskContainerRole"
+  assume_role_policy = data.aws_iam_policy_document.ecs_task_jenkins.json
 }
 
-resource "aws_iam_role_policy_attachment" "ec2_service_role" {
-  role       = aws_iam_role.container_instance_ec2.name
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+resource "aws_iam_role_policy_attachment" "ecs_task_jenkins" {
+  role       = aws_iam_role.ecs_task_jenkins.name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
 }
 
-resource "aws_iam_instance_profile" "container_instance" {
-  name = "ServerlessJenkinsEC2InstanceProfile"
-  role = aws_iam_role.container_instance_ec2.name
-}
-
-#
-# ECS Service IAM permissions
-#
-data "aws_iam_policy_document" "ecs_assume_role" {
-  statement {
-    effect = "Allow"
-
-    principals {
-      type        = "Service"
-      identifiers = ["ecs.amazonaws.com"]
-    }
-
-    actions = ["sts:AssumeRole"]
-  }
-}
-
-resource "aws_iam_role" "ecs_service_role" {
-  name               = "ServerlessJenkinsECSServiceRole"
-  assume_role_policy = data.aws_iam_policy_document.ecs_assume_role.json
-}
-
-resource "aws_iam_role_policy_attachment" "ecs_service_role" {
-  role       = aws_iam_role.ecs_service_role.name
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole"
-}
-
-data "aws_iam_policy_document" "ecs_autoscale_assume_role" {
-  statement {
-    effect = "Allow"
-
-    principals {
-      type        = "Service"
-      identifiers = ["application-autoscaling.amazonaws.com"]
-    }
-
-    actions = ["sts:AssumeRole"]
-  }
+resource "aws_iam_instance_profile" "ec2_jenkins" {
+  name = "ServerlessJenkinsEC2AndEFS"
+  role = aws_iam_role.ecs_task_jenkins.name
 }