diff --git a/terraform/ecs.tf b/terraform/ecs.tf
index d032f0e..e63c4d2 100644
--- a/terraform/ecs.tf
+++ b/terraform/ecs.tf
@@ -92,11 +92,26 @@ resource "aws_ecs_task_definition" "ecs_task_definition" {
 awslogs-stream-prefix : "twiggy"
 }
 },
-
- environment : [
+ secrets : [
+ {
+ "name" : "DISCORD_TOKEN",
+ "valueFrom" : aws_ssm_parameter.ssm_parameter_discord_token.arn
+ },
+ {
+ "name" : "ITAD_TOKEN",
+ "valueFrom" : aws_ssm_parameter.ssm_parameter_itad_token.arn
+ },
+ {
+ "name" : "TWITCH_SECRET",
+ "valueFrom" : aws_ssm_parameter.ssm_parameter_twitch_secret.arn
+ },
+ {
+ "name" : "TWITCH_CLIENT_ID",
+ "valueFrom" : aws_ssm_parameter.ssm_parameter_twitch_client_id.arn
+ },
 {
- name : "PRODUCTION"
- value : "1"
+ "name" : "OPEN_WEATHER_TOKEN",
+ "valueFrom" : aws_ssm_parameter.ssm_parameter_open_weather_token.arn
 }
 ]
 }
diff --git a/terraform/iam.tf b/terraform/iam.tf
index f604db4..312f586 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -19,6 +19,15 @@ resource "aws_iam_role" "ecs_task_role" {
 ]
 })
 }
+}
+
+resource "aws_iam_role" "ecs_task_execution_role" {
+ name = "twiggy-ecs_task_execution_role"
+ path = "/service-role/"
+ assume_role_policy = data.aws_iam_policy_document.assume_role_policy_ecs_tasks.json
+ managed_policy_arns = [
+ "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+ ]
 inline_policy {
 name = "systems-manager-parameter-store-access"
 policy = jsonencode({
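Review bot: The `environment` list that carried `PRODUCTION = "1"` is removed outright rather than kept next to the new `secrets` list, so the container no longer receives that variable at all. If the bot switches behaviour on `PRODUCTION` it will now start in its non-production mode with the production tokens injected; if dropping it was intentional, a one-line commit note would save the next reader the same question. Otherwise keep a plain `environment : [{ name : "PRODUCTION", value : "1" }]` beside `secrets` — `secrets` only covers values fetched via `valueFrom`, it does not replace `environment`. The enclosing container definition starts and ends outside this hunk.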
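Review bot: With the `systems-manager-parameter-store-access` inline policy now attached to `ecs_task_execution_role`, `ecs_task_role` is left with no `ssm:GetParameter` grant; that is the right split for `secrets`/`valueFrom` injection (the ECS agent fetches with the execution role) and a least-privilege win, but confirm the application itself never calls SSM at runtime, since that path would now be denied. If this project is on AWS provider 5.x, `inline_policy` and `managed_policy_arns` on `aws_iam_role` are deprecated there in favour of `aws_iam_role_policy` and `aws_iam_role_policy_attachment`, which would also let the policy document be reviewed on its own. The `inline_policy` block and its `jsonencode({` body continue past the end of this hunk.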
@@ -26,22 +35,13 @@ resource "aws_iam_role" "ecs_task_role" {
 {
 Effect : "Allow",
 Action : "ssm:GetParameter",
- Resource : "arn:aws:ssm:eu-west-1:866826529066:discord-token"
+ Resource : "arn:aws:ssm:eu-west-1:866826529066:/twiggy/*"
 }
 ]
 })
 }
 }
 
-resource "aws_iam_role" "ecs_task_execution_role" {
- name = "twiggy-ecs_task_execution_role"
- path = "/service-role/"
- assume_role_policy = data.aws_iam_policy_document.assume_role_policy_ecs_tasks.json
- managed_policy_arns = [
- "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
- ]
-}
-
 resource "aws_iam_role" "lambda" {
 name = "twiggy-lambda"
 assume_role_policy = data.aws_iam_policy_document.assume_role_policy_lambda.json
diff --git a/terraform/ssm.tf b/terraform/ssm.tf
new file mode 100644
index 0000000..acf5895
--- /dev/null
+++ b/terraform/ssm.tf
@@ -0,0 +1,54 @@
+resource "aws_ssm_parameter" "ssm_parameter_discord_token" {
+ name = "/twiggy/discord_token"
+ type = "SecureString"
+ value = "TODO"
+ lifecycle {
+ ignore_changes = [
+ value
+ ]
+ }
+}
+
+resource "aws_ssm_parameter" "ssm_parameter_itad_token" {
+ name = "/twiggy/itad_token"
+ type = "SecureString"
+ value = "TODO"
+ lifecycle {
+ ignore_changes = [
+ value
+ ]
+ }
+}
+
+resource "aws_ssm_parameter" "ssm_parameter_twitch_secret" {
+ name = "/twiggy/twitch_secret"
+ type = "SecureString"
+ value = "TODO"
+ lifecycle {
+ ignore_changes = [
+ value
+ ]
+ }
+}
+
+resource "aws_ssm_parameter" "ssm_parameter_twitch_client_id" {
+ name = "/twiggy/twitch_client_id"
+ type = "SecureString"
+ value = "TODO"
+ lifecycle {
+ ignore_changes = [
+ value
+ ]
+ }
+}
+
+resource "aws_ssm_parameter" "ssm_parameter_open_weather_token" {
+ name = "/twiggy/open_weather_token"
+ type = "SecureString"
+ value = "TODO"
+ lifecycle {
+ ignore_changes = [
+ value
+ ]
+ }
+}
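Review bot: The new `Resource` ARN `arn:aws:ssm:eu-west-1:866826529066:/twiggy/*` omits the `parameter` resource-type segment that SSM parameter ARNs carry (`arn:aws:ssm:<region>:<account>:parameter/<name>`), so the statement matches none of the parameters created in ssm.tf and the task will fail to start when the agent fetches the secrets — the old `...:discord-token` value had the same defect, so the grant has likely never been exercised. The minimal fix is `Resource : "arn:aws:ssm:eu-west-1:866826529066:parameter/twiggy/*"`; tighter still, list the resource ARNs directly, e.g. `Resource : [aws_ssm_parameter.ssm_parameter_discord_token.arn, aws_ssm_parameter.ssm_parameter_itad_token.arn, /* … */]`, which also removes the hard-coded region and account id. If the parameters are ever moved off the AWS-managed SSM key to a customer-managed KMS key, this role will additionally need `kms:Decrypt` on that key. The enclosing policy statement opens before this hunk.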
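Review bot: The five `aws_ssm_parameter` resources differ only in their name suffix, so a single `for_each` resource over a set of names keeps the path convention, type and `ignore_changes` rule in one place and makes adding a sixth token a one-line change; references in ecs.tf would then become `aws_ssm_parameter.twiggy["discord_token"].arn`, which is a rename of existing addresses and worth a `moved` block or a planned state move. Note that the provider stores the parameter `value` in Terraform state (as a sensitive attribute) and refreshes it, so once the `"TODO"` placeholders are replaced out of band the real tokens live in the state file — the backend needs encryption at rest and tightly scoped read access. A `description` on each parameter, and `key_id` if a customer-managed key is wanted, would document ownership where operators actually look.

```hcl
locals {
  # one SecureString parameter per entry; the key becomes the /twiggy/ path suffix
  twiggy_secret_names = toset([
    "discord_token",
    "itad_token",
    "twitch_secret",
    "twitch_client_id",
    "open_weather_token",
  ])
}

resource "aws_ssm_parameter" "twiggy" {
  for_each = local.twiggy_secret_names

  name  = "/twiggy/${each.key}"
  type  = "SecureString"
  value = "TODO" # placeholder only; the real value is set outside Terraform

  lifecycle {
    ignore_changes = [value]
  }
}
```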