Description
I was currently using the following code to attach an inline policy to my ECS role:
module "ssm-reader-policy" {
source = "github.com/chanzuckerberg/cztack//aws-params-reader-policy?ref=v0.43.3"
#TODO: how to do this in happy? there are no tags
project = "happy"
env = var.deployment_stage
service = local.service_name
region = data.aws_region.current.name
role_name = var.task_role.name
}
However, the role var.task_role.name was a role that was given to me by the integration secret, which means it is shared between all services in the same cluster. I notice that while two or more people are making changes to their stacks, the role's inline policy was changing over time. Sometimes, it would have the policy and sometimes it would not. I think this is because of how the stacks are sharing this ECS role and each stack can have a different branch of the terraform code that is being applied to their stack.
Is there a better way to handle this? I don't know how else I would provide permissions to my stack that wouldn't be altered by other stacks. I also wonder if we should detect these kinds of shared resources and guard against them.