keep existing SES role in email-service

silinternational · Mar 26, 2024 · c875419 · c875419
1 parent c51ef9c
commit c875419
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 22 deletions.
diff --git a/terraform/031-email-service/main.tf b/terraform/031-email-service/main.tf
@@ -64,39 +64,48 @@ resource "random_id" "access_token_idsync" {
 module "ecs_role" {
   source = "../ecs-role"
 
-  name   = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}"
-  policy = local.ecs_role_policy
+  name = "ecs-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}"
 }
 
-locals {
-  ecs_role_policy = jsonencode({
-    Version   = "2012-10-17"
-    Statement = concat(local.ses_policy_statement, local.appconfig_policy_statement)
-  })
-  ses_policy_statement = [{
-    Sid      = "SendEmail"
-    Effect   = "Allow"
-    Action   = "ses:SendEmail"
-    Resource = "*"
-    Condition = {
-      StringEquals = {
-        "ses:FromAddress" = var.from_email
+resource "aws_iam_role_policy" "ses" {
+  name = "ses"
+  role = module.ecs_role.role_name
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Sid      = "SendEmail"
+      Effect   = "Allow"
+      Action   = "ses:SendEmail"
+      Resource = "*"
+      Condition = {
+        StringEquals = {
+          "ses:FromAddress" = var.from_email
+        }
       }
-    }
-  }]
-  appconfig_policy_statement = var.app_id == "" ? [] : [
-    {
+    }]
+  })
+}
+
+resource "aws_iam_role_policy" "appconfig" {
+  count = app_id == "" ? 0 : 1
+
+  name = "appconfig"
+  role = module.ecs_role.role_name
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
       Sid    = "AppConfig"
       Effect = "Allow"
       Action = [
         "appconfig:GetLatestConfiguration",
         "appconfig:StartConfigurationSession",
       ]
       Resource = "arn:aws:appconfig:${local.aws_region}:${local.aws_account}:application/${var.app_id}/environment/${var.env_id}/configuration/${local.config_id}"
-    },
-  ]
+    }]
+  })
 }
 
+
 /*
  * Create ECS services
  */

diff --git a/terraform/ecs-role/main.tf b/terraform/ecs-role/main.tf
@@ -35,8 +35,10 @@ resource "aws_iam_role" "this" {
 }
 
 resource "aws_iam_role_policy" "this" {
+  count = var.policy == "" ? 0 : 1
+
   name   = var.name
-  role   = one(aws_iam_role.this[*].id)
+  role   = aws_iam_role.this.id
   policy = var.policy
 }
 

diff --git a/terraform/ecs-role/outputs.tf b/terraform/ecs-role/outputs.tf
@@ -2,3 +2,7 @@
 output "role_arn" {
   value = aws_iam_role.this.arn
 }
+
+output "role_name" {
+  value = aws_iam_role.this.name
+}
diff --git a/terraform/ecs-role/variables.tf b/terraform/ecs-role/variables.tf
@@ -6,4 +6,5 @@ variable "name" {
 variable "policy" {
   description = "ECS role policy"
   type        = string
+  default     = ""
 }