From e44522a6d67991c9df54e4b92e6c067b09953660 Mon Sep 17 00:00:00 2001
From: Dave May
Date: Thu, 2 May 2024 10:40:45 -0500
Subject: [PATCH] Adding ecs:TagResource permission to IAM roles
---
 cdk/examples/data_pipeline/python/lib/data_pipeline_roles.py | 3 ++-
 .../data_pipeline/typescript/lib/data-pipeline-roles.ts | 3 ++-
 terraform/fargate-examples/queue-processing/main.tf | 3 ++-
 terraform/fargate-examples/sqs-dynamic-target-tracking/main.tf | 3 ++-
 4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/cdk/examples/data_pipeline/python/lib/data_pipeline_roles.py b/cdk/examples/data_pipeline/python/lib/data_pipeline_roles.py
index cdb12150..cd95056d 100644
--- a/cdk/examples/data_pipeline/python/lib/data_pipeline_roles.py
+++ b/cdk/examples/data_pipeline/python/lib/data_pipeline_roles.py
@@ -4,7 +4,8 @@
 def add_step_function_role_policies(stepfunctionExecutionRole:iam.Role, data_pipeline_stack_props: DataPipelineStackProps):
 stepfunctionExecutionRole.add_to_principal_policy(iam.PolicyStatement(
- actions= ['ecs:RunTask'],
+ actions= ['ecs:RunTask',
+ "ecs:TagResource"],
 effect= iam.Effect.ALLOW,
 resources= ['arn:aws:ecs:'+data_pipeline_stack_props.aws_region+':'+data_pipeline_stack_props.account_number+':task-definition/*']
 ))
diff --git a/cdk/examples/data_pipeline/typescript/lib/data-pipeline-roles.ts b/cdk/examples/data_pipeline/typescript/lib/data-pipeline-roles.ts
index 83962fb2..14ff349a 100755
--- a/cdk/examples/data_pipeline/typescript/lib/data-pipeline-roles.ts
+++ b/cdk/examples/data_pipeline/typescript/lib/data-pipeline-roles.ts
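Review bot: `ecs:TagResource` is granted on the same `task-definition/*` ARN as `ecs:RunTask`, which lets this role retag every task definition in the account and, as far as I can tell, does not cover the resource that tag-on-create for RunTask is checked against (the task itself). Keep `actions= ['ecs:RunTask']` as it was and put the tagging permission in a separate statement on the task ARN, limited with the `ecs:CreateAction` condition key, as sketched below; worth confirming with a state-machine run that propagates tags. The TypeScript hunk in `data-pipeline-roles.ts` has the same shape. The function body may continue past the end of the hunk.

```python
# … unchanged: existing ecs:RunTask statement on task-definition/* …
stepfunctionExecutionRole.add_to_principal_policy(iam.PolicyStatement(
    actions= ['ecs:TagResource'],
    effect= iam.Effect.ALLOW,
    resources= ['arn:aws:ecs:'+data_pipeline_stack_props.aws_region+':'+data_pipeline_stack_props.account_number+':task/*'],
    conditions= {'StringEquals': {'ecs:CreateAction': 'RunTask'}}
))
```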
@@ -2,7 +2,8 @@ import { Effect, ManagedPolicy, Policy, PolicyStatement, Role } from "aws-cdk-li
 export function addStepFunctionRolePolicies(account: String, region: String, stepFunctionExecutionRole: Role) {
 stepFunctionExecutionRole.addToPrincipalPolicy(new PolicyStatement({
- actions:["ecs:RunTask"],
+ actions:["ecs:RunTask",
+ "ecs:TagResource"],
 effect: Effect.ALLOW,
 resources: [`arn:aws:ecs:${region}:${account}:task-definition/*`]
 }))
diff --git a/terraform/fargate-examples/queue-processing/main.tf b/terraform/fargate-examples/queue-processing/main.tf
index 67724291..fdd37450 100644
--- a/terraform/fargate-examples/queue-processing/main.tf
+++ b/terraform/fargate-examples/queue-processing/main.tf
@@ -360,7 +360,8 @@ data "aws_iam_policy_document" "lambda_role" {
 "ecs:DescribeTasks",
 "ecs:ListTasks",
 "ecs:StartTask",
- "ecs:RunTask"
+ "ecs:RunTask",
+ "ecs:TagResource"
 ]
 resources = ["*"]
 }
diff --git a/terraform/fargate-examples/sqs-dynamic-target-tracking/main.tf b/terraform/fargate-examples/sqs-dynamic-target-tracking/main.tf
index 510c34e2..bb8866c4 100644
--- a/terraform/fargate-examples/sqs-dynamic-target-tracking/main.tf
+++ b/terraform/fargate-examples/sqs-dynamic-target-tracking/main.tf
@@ -597,7 +597,8 @@ data "aws_iam_policy_document" "lambda_role" {
 "ecs:DescribeTasks",
 "ecs:ListTasks",
 "ecs:StartTask",
- "ecs:RunTask"
+ "ecs:RunTask",
+ "ecs:TagResource"
 ]
 resources = ["*"]
 }
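Review bot: `"ecs:TagResource"` joins a statement whose `resources = ["*"]` carries no condition, so the Lambda role can add or overwrite tags on any ECS resource in the account at any time, not only on tasks it launches. That matters wherever tags feed access-control conditions or cost allocation. If the permission is only needed for tag-on-create, move it into its own statement restricted with the `ecs:CreateAction` condition key, as sketched below. The identical hunk in `sqs-dynamic-target-tracking/main.tf` has the same issue. The enclosing statement starts outside the hunk, so its layout is assumed here.

```hcl
  # … unchanged: existing statement with ecs:DescribeTasks / ListTasks / StartTask / RunTask …
  statement {
    actions   = ["ecs:TagResource"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "ecs:CreateAction"
      values   = ["RunTask", "StartTask"]
    }
  }
```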