From f717fdca9b8f2eb5e39f299c95803d122bddd31d Mon Sep 17 00:00:00 2001
From: Oleg Tsybizov <otsybizov@gmail.com>
Date: Thu, 29 Jan 2026 23:00:41 -0600
Subject: [PATCH] fix: added ECS task role for SSM access in mason-handler

---
 ops/mainnet/mason/main.tf        |  1 +
 ops/modules/iam/main.tf          | 88 ++++++++++++++++++++++++++++++++
 ops/modules/iam/outputs.tf       |  5 ++
 ops/modules/service/main.tf      |  1 +
 ops/modules/service/variables.tf |  6 +++
 5 files changed, 101 insertions(+)

diff --git a/ops/mainnet/mason/main.tf b/ops/mainnet/mason/main.tf
index 2b4337eb..17211e72 100644
--- a/ops/mainnet/mason/main.tf
+++ b/ops/mainnet/mason/main.tf
@@ -419,6 +419,7 @@ module "mark_invoice_handler" {
   dd_api_key             = local.mark_config.dd_api_key
   vpc_flow_logs_role_arn = module.iam.vpc_flow_logs_role_arn
   execution_role_arn     = data.aws_iam_role.ecr_admin_role.arn
+  task_role_arn          = module.iam.ecs_task_role_arn
   cluster_id             = module.ecs.ecs_cluster_id
   vpc_id                 = module.network.vpc_id
   lb_subnets             = module.network.public_subnets
diff --git a/ops/modules/iam/main.tf b/ops/modules/iam/main.tf
index 32c5b14d..04e41ede 100644
--- a/ops/modules/iam/main.tf
+++ b/ops/modules/iam/main.tf
@@ -33,6 +33,8 @@ data "aws_iam_role" "vpc_flow_logs" {
   name = "vpc_flow_logs_role"
 }
 
+data "aws_region" "current" {}
+
 resource "aws_iam_role_policy" "lambda_ssm_policy" {
   name = "mark-lambda-ssm-policy-${var.environment}-${var.stage}"
   role = aws_iam_role.lambda_role.id
@@ -79,3 +81,89 @@ resource "aws_iam_role_policy" "lambda_s3_policy" {
 }
 EOF
 }
+
+# ECS Task Role - for application-level AWS API calls (SSM, S3, etc.)
+resource "aws_iam_role" "ecs_task_role" {
+  name = "mark-ecs-task-role-${var.environment}-${var.stage}"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ecs-tasks.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+
+  tags = {
+    Environment = var.environment
+    Stage       = var.stage
+    Domain      = var.domain
+  }
+}
+
+resource "aws_iam_role_policy" "ecs_task_ssm_policy" {
+  name = "mark-ecs-task-ssm-policy-${var.environment}-${var.stage}"
+  role = aws_iam_role.ecs_task_role.id
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ssm:DescribeParameters",
+        "ssm:GetParameter",
+        "ssm:GetParameters",
+        "ssm:GetParametersByPath"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "kms:Decrypt"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "StringEquals": {
+          "kms:ViaService": "ssm.${data.aws_region.current.name}.amazonaws.com"
+        }
+      }
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "ecs_task_s3_policy" {
+  name = "mark-ecs-task-s3-policy-${var.environment}-${var.stage}"
+  role = aws_iam_role.ecs_task_role.id
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:GetObject",
+        "s3:ListBucket"
+      ],
+      "Resource": [
+        "arn:aws:s3:::*-rebalance-config",
+        "arn:aws:s3:::*-rebalance-config/*"
+      ]
+    }
+  ]
+}
+EOF
+}
diff --git a/ops/modules/iam/outputs.tf b/ops/modules/iam/outputs.tf
index 66885e80..2e40d1fb 100644
--- a/ops/modules/iam/outputs.tf
+++ b/ops/modules/iam/outputs.tf
@@ -3,6 +3,11 @@ output "lambda_role_arn" {
   value       = aws_iam_role.lambda_role.arn
 }
 
+output "ecs_task_role_arn" {
+  description = "The ARN of the ECS task IAM role"
+  value       = aws_iam_role.ecs_task_role.arn
+}
+
 output "vpc_flow_logs_role_arn" {
   description = "ARN of the VPC Flow Logs IAM role"
   value       = data.aws_iam_role.vpc_flow_logs.arn
diff --git a/ops/modules/service/main.tf b/ops/modules/service/main.tf
index 50483d8e..076db19d 100644
--- a/ops/modules/service/main.tf
+++ b/ops/modules/service/main.tf
@@ -16,6 +16,7 @@ resource "aws_ecs_task_definition" "service" {
   cpu                      = var.cpu
   memory                   = var.memory
   execution_role_arn       = var.execution_role_arn
+  task_role_arn            = var.task_role_arn
 
   container_definitions = jsonencode(concat(
     var.init_container_enabled ? [
diff --git a/ops/modules/service/variables.tf b/ops/modules/service/variables.tf
index 291ff8ce..f583d20b 100644
--- a/ops/modules/service/variables.tf
+++ b/ops/modules/service/variables.tf
@@ -23,6 +23,12 @@ variable "execution_role_arn" {
   type        = string
 }
 
+variable "task_role_arn" {
+  description = "ARN of the ECS task role (for application AWS API calls)"
+  type        = string
+  default     = null
+}
+
 variable "cluster_id" {
   description = "ID of the ECS cluster"
   type        = string