
ECS Deploy Runner permissions errors for new modules

Answer

Hello! We are attempting to deploy SES on our Ref Arch, but we get the following error:

```
[ecs-deploy-runner][2022-02-09T14:12:57+0000] │ Error: Error requesting SES email identity verification: AccessDenied: User: arn:aws:sts::**********:assumed-role/ecs-deploy-runner-terraform-applier/***************** is not authorized to perform: ses:VerifyEmailIdentity because no identity-based policy allows the ses:VerifyEmailIdentity action
```

We assumed that the deploy runner had broad permissions (this is the first time we get this error), but evidently it is not allowed to do this. What would be the correct way of adding these permissions?

Adding to this, we're getting similar errors when trying to deploy API Gateway:

```
Error: Error creating API Gateway: AccessDeniedException: [ecs-deploy-runner][2022-02-09T16:04:27+0000] │ status code: 403,
```

As of now, SES and API Gateway are not part of the original Reference Architecture that Gruntwork deploys, so you must have created modules to hook into your existing Ref Arch. The ECS Deploy Runner can be fitted to handle these new services but doesn't come with those permissions. One of the big features of the ECS Deploy Runner is [guarding against security threats](https://gruntwork.io/guides/automations/how-to-configure-a-production-grade-ci-cd-setup-for-apps-and-infrastructure-code/#threat_model_of_cicd), and therefore we don't recommend deploying it with wider permissions than necessary.

Here, you'll have to add permissions specific to SES and API Gateway to the `deploy` and `read only` permissions of the ecs-deploy-runner. In the latest revision of the Ref Arch, you can do this by modifying these files: [read_only_permissions.yml](https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/examples/for-production/infrastructure-live/_envcommon/mgmt/read_only_permissions.yml) and [deploy_permissions.yml](https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/examples/for-production/infrastructure-live/_envcommon/mgmt/deploy_permissions.yml). In older versions of the Reference Architecture you would modify the `ecs-deploy-runner/terragrunt.hcl` files directly, looking for where the `iam_policy` is defined.
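As an added illustration of the split the answer describes (not Gruntwork's code, and not the schema of the Ref Arch's `read_only_permissions.yml` / `deploy_permissions.yml` files), the script below builds two IAM statements for SES and API Gateway: a read-only set for the plan container and a wider deploy set for the apply container. It also extracts the denied action from an `AccessDenied` error line like the one in the question and checks that the deploy set covers it while the read-only set stays read-only and neither set uses a service-wide wildcard. The action lists are assumptions about what Terraform's SES and API Gateway resources call; trim or extend them to match the resources you actually manage, and narrow `Resource` (for example to `arn:aws:apigateway:<region>::/*`) where your setup allows.

```python
"""Least-privilege SES / API Gateway permissions for a plan (read-only) and an
apply (deploy) role, plus a check against the AccessDenied error text.
Example code only; the action lists are assumptions, not a Gruntwork artifact."""
import json
import re

# Read-only actions, enough for `terraform plan` / state refresh (assumed list).
READ_ONLY_ACTIONS = [
    "ses:GetIdentityVerificationAttributes",
    "ses:GetIdentityDkimAttributes",
    "ses:GetIdentityMailFromDomainAttributes",
    "ses:GetIdentityNotificationAttributes",
    "ses:ListIdentities",
    "apigateway:GET",
]

# Deploy actions: everything read-only needs, plus create/update/delete (assumed list).
DEPLOY_ACTIONS = READ_ONLY_ACTIONS + [
    "ses:VerifyEmailIdentity",
    "ses:VerifyDomainIdentity",
    "ses:VerifyDomainDkim",
    "ses:DeleteIdentity",
    "ses:SetIdentityNotificationTopic",
    "apigateway:POST",
    "apigateway:PUT",
    "apigateway:PATCH",
    "apigateway:DELETE",
]

# Constructed copies of the two error lines from the question (account id and
# session name replaced with placeholder values).
SES_ERROR = (
    "Error: Error requesting SES email identity verification: AccessDenied: "
    "User: arn:aws:sts::123456789012:assumed-role/ecs-deploy-runner-terraform-applier/session "
    "is not authorized to perform: ses:VerifyEmailIdentity because no identity-based "
    "policy allows the ses:VerifyEmailIdentity action"
)
APIGW_ERROR = "Error: Error creating API Gateway: AccessDeniedException: status code: 403,"

_DENIED_RE = re.compile(r"is not authorized to perform: (?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)")


def denied_action(error_text):
    """Return the IAM action named in an AccessDenied message, or None when the
    message (like the API Gateway 403 above) does not say which action failed."""
    m = _DENIED_RE.search(error_text)
    return m.group("action") if m else None


def statement(sid, actions, resources=("*",)):
    """One IAM policy statement; Resource is '*' here and should be narrowed where possible."""
    return {"Sid": sid, "Effect": "Allow", "Action": sorted(actions), "Resource": list(resources)}


def policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


def is_read_only(action):
    """Heuristic: API Gateway's GET verb and the Get/List/Describe prefixes are reads."""
    verb = action.split(":", 1)[1]
    return verb == "GET" or verb.startswith(("Get", "List", "Describe"))


def check(read_only, deploy, denied=None):
    """Return a list of problems (empty when the two sets look right).
    Matching is exact; wildcard patterns such as 'ses:Get*' are flagged, not expanded."""
    problems = []
    for a in read_only:
        if not is_read_only(a):
            problems.append(f"write action in read-only set: {a}")
    for a in list(read_only) + list(deploy):
        if a == "*" or a.endswith(":*") or "*" in a:
            problems.append(f"wildcard action: {a}")
    for a in set(read_only) - set(deploy):
        problems.append(f"read-only action missing from deploy set: {a}")
    if denied is not None and denied not in deploy:
        problems.append(f"deploy set still lacks the denied action: {denied}")
    return problems


if __name__ == "__main__":
    action = denied_action(SES_ERROR)
    print("denied action:", action)
    print("problems:", check(READ_ONLY_ACTIONS, DEPLOY_ACTIONS, action))
    print(json.dumps(policy(statement("ReadOnlyPlan", READ_ONLY_ACTIONS)), indent=2))
    print(json.dumps(policy(statement("DeployApply", DEPLOY_ACTIONS)), indent=2))
```

Run it after editing the two lists and paste the resulting action lists into the read-only and deploy permission files of your Ref Arch revision (or into the `iam_policy` block in older versions). An empty `problems` list is the signal that the apply role gains only what the failing action needs and the plan role has picked up no write permissions along the way.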