change

Author: marcoacierno

infrastructure/tools/github_runner_task.tf

@@ -48,6 +48,44 @@ resource "aws_iam_role_policy" "github_runner_execution_role_policy" {
   })
 }
 
+data "aws_iam_policy_document" "github_runner_task_assume_role" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["ecs.amazonaws.com", "ecs-tasks.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+
+resource "aws_iam_role" "github_runner_task_role" {
+  name               = "github_runner_task_role"
+  assume_role_policy = data.aws_iam_policy_document.github_runner_task_assume_role.json
+}
+
+resource "aws_iam_role_policy" "github_runner_task_role_policy" {
+  name = "github_runner_task_role_policy"
+  role = aws_iam_role.github_runner_task_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect   = "Allow"
+        Action   = [
+          "ecs:ExecuteCommand",
+          "ssmmessages:*"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
+
 
 resource "aws_cloudwatch_log_group" "github_runner" {
   name              = "/github-runner/"
@@ -61,6 +99,7 @@ resource "aws_ecs_task_definition" "github_runner" {
   cpu = 1024
   memory = 2048
   execution_role_arn = aws_iam_role.github_runner_execution_role.arn
+  task_role_arn = aws_iam_role.github_runner_task_role.arn
 
   container_definitions = jsonencode([
     {