From 71b5e1a38a3fe1291a80fe192f9bfa42a195aefa Mon Sep 17 00:00:00 2001
From: loitragg
Date: Tue, 9 Sep 2025 23:08:49 +0700
Subject: [PATCH] feat(infra): implement dedicated ECS task execution role and update related configurations

---
 iac/ecs.tf | 4 ++--
 iac/outputs.tf | 5 +++++
 iac/secrets.tf | 54 ++++++++++++++++++++++++++++++++++--------------
 iac/variables.tf | 4 ++--
 4 files changed, 47 insertions(+), 20 deletions(-)

diff --git a/iac/ecs.tf b/iac/ecs.tf
index d3227312c9..22fee29c89 100644
--- a/iac/ecs.tf
+++ b/iac/ecs.tf
@@ -77,8 +77,8 @@ resource "aws_ecs_task_definition" "webui_scaled" {
   requires_compatibilities = ["FARGATE"]
   cpu = var.cpu
   memory = var.memory
-  execution_role_arn = var.existing_task_execution_role_arn
-  task_role_arn = var.existing_task_execution_role_arn
+  execution_role_arn = aws_iam_role.openwebui_execution_role.arn
+  task_role_arn = aws_iam_role.openwebui_execution_role.arn
 
   container_definitions = jsonencode([
     {
diff --git a/iac/outputs.tf b/iac/outputs.tf
index 08bfdbe4f8..bdf86e39c7 100644
--- a/iac/outputs.tf
+++ b/iac/outputs.tf
@@ -46,6 +46,11 @@ output "redis_secret_arn" {
   sensitive = true
 }
 
+output "execution_role_arn" {
+  description = "ARN of the dedicated ECS task execution role"
+  value = aws_iam_role.openwebui_execution_role.arn
+}
+
 output "dashboard_url" {
   description = "CloudWatch dashboard URL"
   value = "https://${var.aws_region}.console.aws.amazon.com/cloudwatch/home?region=${var.aws_region}#dashboards:name=${aws_cloudwatch_dashboard.webui_dashboard.dashboard_name}"
diff --git a/iac/secrets.tf b/iac/secrets.tf
index 9c3e5dcf95..7bd705fc21 100644
--- a/iac/secrets.tf
+++ b/iac/secrets.tf
@@ -21,36 +21,58 @@ resource "aws_secretsmanager_secret_version" "webui_shared_secret" {
   secret_string = random_password.webui_secret_key.result
 }
 
-# Update IAM role policy to access new secrets
-data "aws_iam_role" "task_execution_role" {
-  name = "ecsTaskExecutionRole"
+# Dedicated ECS task execution role for OpenWebUI scaled service
+resource "aws_iam_role" "openwebui_execution_role" {
+  name = "openwebui-scaled-execution-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "ecs-tasks.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  tags = {
+    Name = "OpenWebUI Scaled Execution Role"
+  }
 }
 
-# IAM policy for accessing the new secrets
-resource "aws_iam_policy" "secrets_access_policy" {
-  name = "openwebui-secrets-access-policy"
-  description = "Policy for accessing OpenWebUI secrets"
+# Attach AWS managed ECS execution policy
+resource "aws_iam_role_policy_attachment" "openwebui_execution_role_policy" {
+  role = aws_iam_role.openwebui_execution_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
 
+# Service-specific secrets access via inline policy
+resource "aws_iam_role_policy" "openwebui_secrets_policy" {
+  name = "openwebui-scaled-secrets-access"
+  role = aws_iam_role.openwebui_execution_role.id
+
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
       {
         Effect = "Allow"
-        Action = [
-          "secretsmanager:GetSecretValue"
-        ]
+        Action = ["secretsmanager:GetSecretValue"]
         Resource = [
           aws_secretsmanager_secret.webui_shared_secret.arn,
           aws_secretsmanager_secret.redis_connection.arn,
           var.existing_database_secret_arn
         ]
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "kms:Decrypt"
+        ]
+        Resource = "*"
       }
     ]
   })
 }
-
-# Attach policy to existing task execution role
-resource "aws_iam_role_policy_attachment" "secrets_access_attachment" {
-  role = data.aws_iam_role.task_execution_role.name
-  policy_arn = aws_iam_policy.secrets_access_policy.arn
-}
diff --git a/iac/variables.tf b/iac/variables.tf
index 6cc9fee760..be6b6e3c7b 100644
--- a/iac/variables.tf
+++ b/iac/variables.tf
@@ -55,7 +55,7 @@ variable "task_family_name" {
 variable "container_image" {
   description = "Container image URI"
   type = string
-  default = "908027381725.dkr.ecr.us-east-1.amazonaws.com/github/open-webui/open-webui:v0.6.18-hybrid-search-2"
+  default = "908027381725.dkr.ecr.us-east-1.amazonaws.com/github/open-webui/open-webui:v0.6.26-debug"
 }
 
 variable "desired_count" {
@@ -157,7 +157,7 @@ variable "docling_serve_security_group_id" {
 variable "mcpo_security_group_id" {
   description = "Security group ID for the mcpo service"
   type = string
-  default = "sg-0cdc36e6d551602e4"
+  default = "sg-0175ae75dd821810a"
 }
 
 variable "jupyter_notebook_security_group_id" {
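Review bot: The new `task_role_arn = aws_iam_role.openwebui_execution_role.arn` hands the application container the execution role's full permission set, so code running inside the task can call `secretsmanager:GetSecretValue` on the database and Redis secrets and, per the policy added in secrets.tf, `kms:Decrypt` with any key, on top of the ECR pull and CloudWatch Logs permissions that only the ECS agent needs. The execution role is used by the agent before the container starts, while the task role is what the process obtains from the task credentials endpoint, so the two should be separate roles with separate policies. Declare a second `aws_iam_role` with the same `ecs-tasks.amazonaws.com` trust policy and only the permissions the OpenWebUI process itself requires (possibly none), and point `task_role_arn` at it; the removed lines show the previous configuration shared one role in the same way, so the pattern is inherited rather than introduced here. The `aws_ecs_task_definition` block continues outside the hunk.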
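Review bot: The second statement in `openwebui_secrets_policy` grants `kms:Decrypt` on `Resource = "*"`, which lets the role — and, per ecs.tf in this patch, the application container — decrypt with every KMS key in the account instead of only the key protecting the three listed secrets. If those secrets use the AWS-managed `aws/secretsmanager` key, that key's own policy already permits decryption for principals calling `GetSecretValue` through the service and the statement can be dropped entirely; if they use a customer-managed key, restrict `Resource` to that key's ARN and add a `kms:ViaService` condition so the grant is only usable via Secrets Manager. The trust policy on `openwebui_execution_role` also carries no `aws:SourceAccount` condition, which AWS recommends on `ecs-tasks.amazonaws.com` trust relationships to guard against the confused-deputy case; the account id can be taken from an `aws_caller_identity` data source. The scoped KMS statement is sketched below.

```hcl
      {
        Effect = "Allow"
        Action = ["kms:Decrypt"]
        # Only the CMK(s) protecting the three secrets above. Drop this whole
        # statement if they are encrypted with the AWS-managed aws/secretsmanager key.
        Resource = [var.secrets_kms_key_arn] # placeholder: declare in variables.tf
        Condition = {
          StringEquals = {
            "kms:ViaService" = "secretsmanager.${var.aws_region}.amazonaws.com"
          }
        }
      }
```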
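Review bot: The new default for `container_image` points at a tag ending in `-debug`; if that suffix denotes a debug build, it should not be the module default for this service, since debug images typically ship extra tooling and verbose logging that widen the exposed surface in production — confirm what the tag denotes before merging. A mutable tag as the default also means the image behind it can change without a plan diff; pinning by digest (`@sha256:<digest>`, placeholder) or at least recording the tag's provenance in the variable's `description` would make the default reproducible. The `variable "container_image"` block is complete within the hunk.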