How to update permissions for the ECS Deploy Runner?

[gruntwork-support]

This message was extracted from a discussion that originally took place in Gruntwork Community Slack. Names and URLs have been removed where appropriate

From a customer

This morning we found that we needed to add an "allow" permission to one of our ECS deployers (we’re currently leveraging the CIS reference architecture). However, changes made within the "deployer" directories are skipped in the deploy-infra.sh script). What is the best process to update an ECS deployer?

[gruntwork-support]

From a grunt

By default, we recommend manually running the terraform code for updating the ECS deploy runner (that is, an operator with admin permissions runs terragrunt apply on the module), as certain changes can cause problems to the running deploy runner when it performs the updates. For example, updating IAM permissions could cause the ECS deploy runner to lose the permissions to write to the terraform state, which could cause your state file to become corrupt and unusable.

With that said, you can also proceed to remove the skip routine in the deploy-infra.sh script, as long as you are able to setup a review workflow where the reviewer makes sure that any changes to the ECS deploy runner will not affect the runtime if applied. The rule of thumb is to review the plan output for the run and make sure that it won't proceed to destroy the ECS cluster, or the IAM permissions associated with it.

Hope this helps!