openclaw/workers/clawdbot-aws/terraform/iam.tf
Shunsuke Hayashi f56c9d712a feat(aws): add ECS Fargate deployment for Clawdbot Discord bot
- Create VPC with public subnets for outbound internet access
- Create ECR repository for container images
- Create IAM roles (Task Role with DynamoDB/S3 access, Execution Role)
- Create ECS Task Definition (Fargate, 2048 MB memory, 256 CPU)
- Create ECS Service (1 desired count)
- Create CloudWatch Log Group
- Add Security Group (outbound only for Discord bot)
- Update Dockerfile with .buildstamp to prevent runtime rebuild
- Add .env.example with Discord webhook and channel configurations
- Update .gitignore to exclude Terraform state files

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-26 12:31:23 +09:00

84 lines
2.2 KiB
HCL

/**
* IAM Roles for ECS Fargate Task Execution
*/
# Assume role policy for ECS tasks
data "aws_iam_policy_document" "ecs_assume_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ecs-tasks.amazonaws.com"]
}
}
}
# ECS Task Execution Role (for ECR pull and CloudWatch logs)
resource "aws_iam_role" "ecs_execution_role" {
name = "${var.project_name}-ecs-execution-role"
assume_role_policy = data.aws_iam_policy_document.ecs_assume_role.json
}
# Attach AmazonECSTaskExecutionRolePolicy (required for Fargate)
resource "aws_iam_role_policy_attachment" "ecs_execution_role_policy" {
role = aws_iam_role.ecs_execution_role.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}
# ECS Task Role (for application access to DynamoDB and S3)
resource "aws_iam_role" "ecs_task_role" {
name = "${var.project_name}-ecs-task-role"
assume_role_policy = data.aws_iam_policy_document.ecs_assume_role.json
}
# Task Role Policy: DynamoDB access
resource "aws_iam_role_policy" "ecs_task_dynamodb" {
name = "${var.project_name}-dynamodb-access"
role = aws_iam_role.ecs_task_role.id
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Action = [
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:Query",
"dynamodb:Scan"
]
Resource = [
aws_dynamodb_table.sessions.arn,
"${aws_dynamodb_table.sessions.arn}/index/*",
aws_dynamodb_table.artifacts.arn,
"${aws_dynamodb_table.artifacts.arn}/index/*"
]
}
]
})
}
# Task Role Policy: S3 access
resource "aws_iam_role_policy" "ecs_task_s3" {
name = "${var.project_name}-s3-access"
role = aws_iam_role.ecs_task_role.id
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Action = [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
]
Resource = "${aws_s3_bucket.artifacts.arn}/*"
}
]
})
}