Give API ECS role API Gateway permissions (#6416)

Nava-JoshLong · web-flow · commit 0465794e87b4 · 2025-09-18T08:52:57.000-07:00
## Summary Gives API ECS service permissions to hit API Gateway internal API ## Changes proposed - New IAM policy attached to API ECS role ## Context for reviewers This PR provides the API ECS service the required permissions to hit the [internal API for API gateway](https://docs.aws.amazon.com/apigateway/latest/api/API_Operations.html) ## Validation steps This will be tested manually once the API code side PR is merged. We'll use an inline policy so it won't require this to be merged for it to work
diff --git a/infra/modules/service/access_control.tf b/infra/modules/service/access_control.tf
@@ -138,6 +138,31 @@ data "aws_iam_policy_document" "email_access" {
   }
 }
 
+data "aws_iam_policy_document" "api_gateway_access" {
+  count = var.enable_api_gateway ? 1 : 0
+
+  # Only allows running the GET /apikeys request
+  statement {
+    sid     = "AllowGetApiKeys"
+    actions = ["apigateway:GET"]
+    resources = [
+      # Must be wildcarded for this to work. Someone using a dev key in prod would not work
+      # because the dev key's usage plan doesn't allow it to access other env's gateways
+      "arn:aws:apigateway:${data.aws_region.current.name}::/apikeys/*", # GetApiKey
+    ]
+  }
+
+  # Only allows running the POST /apikeys request
+  statement {
+    sid     = "AllowImportApiKeys"
+    actions = ["apigateway:POST"]
+    resources = [
+      # Must be wildcarded for this to work. Someone using a dev key in prod would not work
+      # because the dev key's usage plan doesn't allow it to access other env's gateways
+      "arn:aws:apigateway:${data.aws_region.current.name}::/apikeys", # ImportApiKeys
+    ]
+  }
+}
 
 resource "aws_iam_role_policy" "task_executor" {
   name   = "${var.service_name}-task-executor-role-policy"
@@ -150,6 +175,12 @@ resource "aws_iam_policy" "runtime_logs" {
   policy = data.aws_iam_policy_document.runtime_logs.json
 }
 
+resource "aws_iam_policy" "api_gateway_access" {
+  count  = var.enable_api_gateway ? 1 : 0
+  name   = "${var.service_name}-api-gateway-access-role-policy"
+  policy = data.aws_iam_policy_document.api_gateway_access[0].json
+}
+
 resource "aws_iam_policy" "email_access" {
   count  = length(var.pinpoint_app_id) > 0 ? 1 : 0
   name   = "${var.service_name}-email-access-role-policy"
@@ -174,3 +205,10 @@ resource "aws_iam_role_policy_attachment" "email_access" {
   role       = aws_iam_role.app_service.name
   policy_arn = aws_iam_policy.email_access[0].arn
 }
+
+resource "aws_iam_role_policy_attachment" "api_gateway_access" {
+  count = var.enable_api_gateway ? 1 : 0
+
+  role       = aws_iam_role.app_service.name
+  policy_arn = aws_iam_policy.api_gateway_access[0].arn
+}
