From 49b4fe5b1014430b3ed7a3a0413a4b7016df0923 Mon Sep 17 00:00:00 2001
From: Charles Mcgrady
Date: Tue, 6 Aug 2024 17:40:13 -0700
Subject: [PATCH] Add permissions for batch to execute private ecr image

---
 .../lib/overture-tiles-cdk-stack.ts | 22 ++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/overture-tiles-cdk/lib/overture-tiles-cdk-stack.ts b/overture-tiles-cdk/lib/overture-tiles-cdk-stack.ts
index 9deeb88..005f05d 100644
--- a/overture-tiles-cdk/lib/overture-tiles-cdk-stack.ts
+++ b/overture-tiles-cdk/lib/overture-tiles-cdk-stack.ts
@@ -82,6 +82,25 @@ export class OvertureTilesCdkStack extends cdk.Stack {
 }),
 );
 
+ const executionRole = new iam.Role(this, `${ID}ExecutionRole`, {
+ assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+ });
+
+ executionRole.addToPolicy(
+ new iam.PolicyStatement({
+ actions: [
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ "sts:AssumeRole"
+ ],
+ resources: ["*"],
+ }),
+ );
+
+ executionRole.addManagedPolicy(
+ iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonEC2ContainerRegistryReadOnly')
+ );
+
 for (let theme of [
 "addresses",
 "admins",
@@ -102,7 +121,8 @@ export class OvertureTilesCdkStack extends cdk.Stack {
 memory: cdk.Size.gibibytes(60),
 cpu: 30,
 command: [bucket.bucketName, theme],
- jobRole: role
+ jobRole: role,
+ executionRole: executionRole
 },
 ),
 });
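Review bot: The new execution role's inline policy grants `sts:AssumeRole` on `resources: ["*"]`, which neither pulling a private ECR image nor writing CloudWatch logs requires; the execution role is the identity the container agent uses to start the task, and an unscoped AssumeRole lets that identity take on any role whose trust policy names it, well beyond the commit's stated purpose. Drop it from the statement: `actions: ["logs:CreateLogStream", "logs:PutLogEvents"],`. If the wildcard resource was only chosen because the job definition creates its own log group, consider narrowing `resources` to that log group's ARN once it is available to the stack; otherwise the AWS managed policy `service-role/AmazonECSTaskExecutionRolePolicy` already covers exactly the ECR-pull and log-write actions an execution role needs and could replace both the inline statement and the `AmazonEC2ContainerRegistryReadOnly` attachment. The second hunk only wires `executionRole` into the job definition and needs no change. The `OvertureTilesCdkStack` constructor body begins before and continues after both hunks.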