update oidc permissions

terraform/implementation/ecs/main.tf

@@ -48,6 +48,9 @@ module "ecs" {
   # If the intent is to disable authentication, set ecr_viewer_app_env to "test" (default is "prod")
   # ecr_viewer_app_env = "test"
 
+  # To disable autoscaling, set enable_autoscaling to false (default is true)
+  # enable_autoscaling = false
+
   # If intent is to use a metadata database for polutating the ecr-viewer library, setup the database data object to connect to the database (supported databases are postgres and sqlserver)
   # Postgresql database example
   # postgres_database_data = {

terraform/modules/oidc/_data.tf

@@ -54,6 +54,9 @@ data "aws_iam_policy_document" "wildcard" {
       "acm:DescribeCertificate",
       "acm:GetCertificate",
       "acm:ListTagsForCertificate",
+      "application-autoscaling:DescribeScalableTargets",
+      "application-autoscaling:DescribeScalingPolicies",
+      "application-autoscaling:ListTagsForResource",
       "ec2:DescribeAddresses",
       "ec2:DescribeVpcEndpoints",
       "ec2:DescribePrefixLists",
@@ -141,6 +144,8 @@ data "aws_iam_policy_document" "scoped_one" {
 data "aws_iam_policy_document" "scoped_two" {
   statement {
     actions = [
+      "application-autoscaling:DeleteScalingPolicy",
+      "application-autoscaling:DeregisterScalableTarget",
       "ec2:createVpcEndpoint",
       "ec2:CreateFlowLogs",
       "ec2:CreateNatGateway",
@@ -153,6 +158,7 @@ data "aws_iam_policy_document" "scoped_two" {
       "iam:PassRole",
     ]
     resources = [
+      "arn:aws:application-autoscaling:${var.region}:${data.aws_caller_identity.current.account_id}:scalable-target/*",
       "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:vpc/${local.vpc_id}",
       "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:vpc-flow-log/*",
       "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:subnet/*",