From c6eaeb96fb600134699b100108c0e1c76a88e3c0 Mon Sep 17 00:00:00 2001
From: Daisuke
Date: Fri, 2 Jan 2026 18:13:00 +0900
Subject: [PATCH] Subject: infra(roles): update CloudFormation write role permissions
Body: Adjust IAM permissions in roles/cloudformation-write-role.yaml to ensure CloudFormation has the required write access for stack operations.
---
 roles/cloudformation-write-role.yaml | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/roles/cloudformation-write-role.yaml b/roles/cloudformation-write-role.yaml
index 5458750..c2bcb07 100644
--- a/roles/cloudformation-write-role.yaml
+++ b/roles/cloudformation-write-role.yaml
@@ -107,7 +107,7 @@ Resources:
 - elasticloadbalancing:ModifyTargetGroup
 Resource:
 - !Sub "arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:targetgroup/*"
- - PolicyName: EcsPolicies
+ - PolicyName: EcsTaskPolicies
 PolicyDocument:
 Version: "2012-10-17"
 Statement:
@@ -118,6 +118,30 @@ Resources:
 - ecs:TagResource
 Resource:
 - !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/*"
+ - PolicyName: EcsServicePolicies
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - ecs:CreateService
+ - ecs:UpdateService
+ - ecs:DeleteService
+ - ecs:TagResource
+ Resource:
+ - !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:service/*"
+ - PolicyName: EcsClusterPolicies
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - ecs:CreateCluster
+ - ecs:UpdateCluster
+ - ecs:DeleteCluster
+ - ecs:TagResource
+ Resource:
+ - !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/*"
 ManagedPolicyArns:
 - arn:aws:iam::aws:policy/ReadOnlyAccess
 - !Sub arn:aws:iam::${AWS::AccountId}:policy/CloudFormationWrite
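Review bot: The new `EcsServicePolicies` and `EcsClusterPolicies` statements grant `ecs:UpdateService`, `ecs:DeleteService`, `ecs:UpdateCluster` and `ecs:DeleteCluster` on `service/*` and `cluster/*`, so anyone who can assume this role can reconfigure or delete every ECS service and cluster in the account/region, not only the ones its stacks created. Consider moving the Update/Delete actions into their own statement restricted to CloudFormation-managed resources, e.g. `Condition:` / `"Null":` / `aws:ResourceTag/aws:cloudformation:stack-id: "false"` (the Create* actions must stay unconditioned because the resource does not exist yet, and it is worth confirming that ECS services and clusters actually receive the `aws:cloudformation:*` system tags in this account), or narrow the ARNs to a naming prefix. `ecs:CreateService` and `ecs:UpdateService` also take task definitions that carry task and execution roles, which additionally requires `iam:PassRole`; that permission is not in this hunk, so it presumably lives in the `CloudFormationWrite` managed policy referenced on the context lines and should be scoped to those specific roles rather than `*`, otherwise this change lets the role launch arbitrary task definitions under arbitrary roles. The `ReadOnlyAccess` managed policy visible on the context lines is also far broader than the `ecs:Describe*`/`ecs:List*` calls these resources need, though that predates the commit; the IAM role these policies belong to starts before the hunk.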