feat: Adding IAM PassRole for ECS tasks as it is required for Fargate

[kalosisz]

Description

If one runs ECS tasks on Fargate, the task execution role mast be passed on. Otherwise one gets a ECS.AccessDeniedException error (more here and here).

Motivation and Context

This PR adds the possibility to reference the task execution role as any other resource in ECS tasks making it simpler for the user no to create erroneous aws_iam_policy_document documents.

Breaking Changes

No.

How Has This Been Tested?

• I have tested and validated these changes using one or more of the provided examples/* projects
  Deployed in my own project filling out the

ecs_Sync = {
      ecs = [
        data.aws_ecs_task_definition.xxxx.id
      ]
      ecs_Wildcard = [
        data.aws_ecs_task_definition.xxxx.id
      ]
      iam_PassRole = [
        data.aws_iam_role.ecs_task_execution_role.arn
      ]
    }

which would add the statement

                  + {
                      + Action    = "iam:PassRole"
                      + Condition = {
                          + StringEquals = {
                              + iam:PassedToService = [
                                  + "ecs-tasks.amazonaws.com",
                                ]
                            }
                        }
                      + Effect    = "Allow"
                      + Resource  = "arn:aws:iam::xxxxxx:role/xxxxxxx"
                      + Sid       = "ecsSyncIamPassRole"
                    },

as well as without which results in adding statement to the policy (in that case it would not add or remove)

                  - {
                      - Action    = "iam:PassRole"
                      - Condition = {
                          - StringEquals = {
                              - iam:PassedToService = [
                                  - "ecs-tasks.amazonaws.com",
                                ]
                            }
                        }
                      - Effect    = "Allow"
                      - Resource  = "arn:aws:iam::xxxxxx:role/xxxxxxx"
                      - Sid       = "ecsSyncIamPassRole"
                    },

The results for ecs_WaitForTaskToken is identical.

[antonbabenko]

I can't see this in the documentation for this integration here - https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html

For example, there is such service policy for EKS already in the documentation and in aws_service_policies (line 589).

It means that AWS documentation is wrong. Not the first time but good to know!

[antonbabenko]

Thanks for this addition, @kalosisz !

v2.5.0 has been just released.

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.