Merge pull request #4 from langchain-ai/infra/few-more-additions

fix: add service linked role to account
langchain-ai · Aug 13, 2024 · a55f94d · a55f94d
2 parents 6b93ea2 + 211f527
commit a55f94d
Showing 1 changed file with 46 additions and 2 deletions.
diff --git a/modules/langgraph_cloud/main.tf b/modules/langgraph_cloud/main.tf
@@ -30,6 +30,11 @@ module "langgraph_cloud_vpc" {
   }
 }
 
+resource "aws_db_subnet_group" "langgraph_cloud_db_subnet_group" {
+  name       = "langgraph-cloud-db-subnet-group"
+  subnet_ids = module.langgraph_cloud_vpc.private_subnets
+}
+
 // Create a role with access to provision ECS and RDS resources in the account
 resource "aws_iam_role" "langgraph_cloud_role" {
   name               = "LangGraphCloudBYOCRole"
@@ -57,7 +62,7 @@ data "aws_iam_policy_document" "assume_role" {
 }
 
 resource "aws_cloudwatch_log_group" "langgraph_cloud_log_group" {
-  name = "/aws/ecs/langgraph-cloud"
+  name = "langgraph-cloud"
 }
 
 // Create an ECS cluster
@@ -67,7 +72,7 @@ resource "aws_ecs_cluster" "langgraph_cloud_cluster" {
 
 // Create ECS role with ECR access
 resource "aws_iam_role" "langgraph_cloud_ecs_role" {
-  name               = "LangGraphCloudECSTaskRole"
+  name               = "LangGraphCloudECSTaskExecutionRole"
   assume_role_policy = data.aws_iam_policy_document.ecs_assume_role.json
 }
 
@@ -82,7 +87,46 @@ data "aws_iam_policy_document" "ecs_assume_role" {
   }
 }
 
+// TODO: Scope the GetSecretValue to only langgraph-cloud secrets
 resource "aws_iam_role_policy_attachment" "ecs_role_policy" {
   role       = aws_iam_role.langgraph_cloud_ecs_role.name
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
+
+resource "aws_iam_policy" "secrets_read" {
+  name        = "SecretsRead"
+  description = "Allows reading secrets from Secrets Manager"
+  policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Effect" : "Allow",
+          "Action" : "secretsmanager:GetSecretValue",
+          "Resource" : "*",
+        }
+      ]
+    }
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "secrets_read" {
+  role       = aws_iam_role.langgraph_cloud_ecs_role.name
+  policy_arn = aws_iam_policy.secrets_read.arn
+}
+
+// Create Load Balancer Role
+data "aws_iam_policy_document" "lb_assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["elasticloadbalancing.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_service_linked_role" "elastic_load_balancing" {
+  aws_service_name = "elasticloadbalancing.amazonaws.com"
+}