From 9e1a35710a038955c76794e20d8fd7cb8fd5695f Mon Sep 17 00:00:00 2001
From: "mana\"/scriptalert('xss')/script"
Date: Tue, 23 Jul 2024 11:14:44 +0200
Subject: [PATCH] Respect the upcoming changes in ECS Tagging (#145)

Starting August 2024 you'll need the explicit `ecs:TagResource` permission in conjunction with certain ECS related API calls, on of them being `RegisterTaskDefinition` the [documentation](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html#amazonelasticcontainerservice-task-definition) states that we could allow to restrict this to a certain task-definition ARN/pattern, but we do not have access to this, I fear.

Co-authored-by: Moritz Zimmer
---
 modules/deployment/iam_code_pipeline.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/deployment/iam_code_pipeline.tf b/modules/deployment/iam_code_pipeline.tf
index 79e4af4..d2971ae 100644
--- a/modules/deployment/iam_code_pipeline.tf
+++ b/modules/deployment/iam_code_pipeline.tf
@@ -73,7 +73,8 @@ data "aws_iam_policy_document" "code_pipepline_permissions" {
     actions = [
       # cloudtrail reports that codepipeline actually requires access to `*`
       "ecs:DescribeTaskDefinition",
-      "ecs:RegisterTaskDefinition"
+      "ecs:RegisterTaskDefinition",
+      "ecs:TagResource"
     ]
     resources = ["*"]
   }
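Review bot: The added `"ecs:TagResource"` sits in a statement whose `resources = ["*"]` was justified (per the existing comment) for the two describe/register actions, so the pipeline role can now tag any ECS resource in the account rather than only the task definitions it registers. The service-authorization page linked in the description lists condition keys for this action; ECS documents an `ecs:CreateAction` key for tag-on-create, which, if it applies here as I read it, lets a separate statement restrict `TagResource` to calls made as part of `RegisterTaskDefinition`, and `aws:RequestTag`/`aws:TagKeys` can bound which keys may be set. The condition must not be placed on the existing statement, since it would then also gate `DescribeTaskDefinition` and `RegisterTaskDefinition`, which never carry that key. The August 2024 rationale lives only in the commit message; a comment next to the action, `# required by RegisterTaskDefinition since the August 2024 ECS tagging change`, would keep it with the code. The enclosing `statement` block begins before the hunk.
```terraform
      "ecs:DescribeTaskDefinition",
      "ecs:RegisterTaskDefinition"
    ]
    resources = ["*"]
  }

  # ecs:TagResource is required by RegisterTaskDefinition since the August 2024
  # ECS tagging change; scope it to that call instead of granting tagging on any
  # ECS resource (verify ecs:CreateAction applies to your task-definition flow).
  statement {
    actions   = ["ecs:TagResource"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "ecs:CreateAction"
      values   = ["RegisterTaskDefinition"]
    }
  }
```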