Adds api functionality

2026-02-04 13:29:15 -03:00
parent fd6756c507
commit 5717cdd254
6 changed files with 825 additions and 132 deletions
--- a/infra/ecs_alb/main.tf
+++ b/infra/ecs_alb/main.tf
@@ -178,7 +178,57 @@ resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy" {
  role       = aws_iam_role.ecs_task_execution_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
+resource "aws_iam_role_policy" "bedrock_policy" {
+  name = "${var.app_name}-bedrock-policy"
+  role = aws_iam_role.ecs_task_role.id

+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Action = [
+        "bedrock:InvokeModel",
+        "bedrock:InvokeModelWithResponseStream",
+        "bedrock:GetInferenceProfile"
+      ]
+      Resource = "*"
+    }]
+  })
+}
+
+resource "aws_iam_role_policy" "s3_policy" {
+  name = "${var.app_name}-s3-policy"
+  role = aws_iam_role.ecs_task_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Action = [
+        "s3:GetObject"
+      ]
+      Resource = "arn:aws:s3:::upflux-doc-analyzer/*"
+    }]
+  })
+}
+
+resource "aws_iam_role_policy" "textract_policy" {
+  name = "${var.app_name}-textract-policy"
+  role = aws_iam_role.ecs_task_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Action = [
+        "textract:DetectDocumentText",
+        "textract:StartDocumentTextDetection",
+        "textract:GetDocumentTextDetection"
+      ]
+      Resource = "*"
+    }]
+  })
+}
 # ECS Task Definition
 resource "aws_ecs_task_definition" "app" {
  family                   = var.app_name
@@ -187,7 +237,7 @@ resource "aws_ecs_task_definition" "app" {
  cpu                      = var.fargate_cpu
  memory                   = var.fargate_memory
  execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
-
+  task_role_arn            = aws_iam_role.ecs_task_role.arn
  container_definitions = jsonencode([{
    name  = var.app_name
    image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.aws_region}.amazonaws.com/${var.ecr_repository_name}:${var.image_tag}"
@@ -246,4 +296,20 @@ resource "aws_ecs_service" "app" {
  tags = {
    Name = "${var.app_name}-service"
  }
-}
+}
+#ECS Task Role (for application to call AWS services)
+resource "aws_iam_role" "ecs_task_role" {
+  name = "${var.app_name}-ecs-task-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = "ecs-tasks.amazonaws.com"
+      }
+    }]
+  })
+}
+