feat(infra): implement dedicated ECS task execution role and update related configurations

iac/ecs.tf

@@ -77,8 +77,8 @@ resource "aws_ecs_task_definition" "webui_scaled" {
   requires_compatibilities = ["FARGATE"]
   cpu                      = var.cpu
   memory                   = var.memory
-  execution_role_arn       = var.existing_task_execution_role_arn
+  execution_role_arn       = aws_iam_role.openwebui_execution_role.arn
-  task_role_arn           = var.existing_task_execution_role_arn
+  task_role_arn           = aws_iam_role.openwebui_execution_role.arn
 
   container_definitions = jsonencode([
     {

iac/outputs.tf

@@ -46,6 +46,11 @@ output "redis_secret_arn" {
   sensitive   = true
 }
 
+output "execution_role_arn" {
+  description = "ARN of the dedicated ECS task execution role"
+  value       = aws_iam_role.openwebui_execution_role.arn
+}
+
 output "dashboard_url" {
   description = "CloudWatch dashboard URL"
   value       = "https://${var.aws_region}.console.aws.amazon.com/cloudwatch/home?region=${var.aws_region}#dashboards:name=${aws_cloudwatch_dashboard.webui_dashboard.dashboard_name}"

iac/secrets.tf

@@ -21,36 +21,58 @@ resource "aws_secretsmanager_secret_version" "webui_shared_secret" {
   secret_string = random_password.webui_secret_key.result
 }
 
-# Update IAM role policy to access new secrets
+# Dedicated ECS task execution role for OpenWebUI scaled service
-data "aws_iam_role" "task_execution_role" {
+resource "aws_iam_role" "openwebui_execution_role" {
-  name = "ecsTaskExecutionRole"
+  name = "openwebui-scaled-execution-role"
+  
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "ecs-tasks.amazonaws.com"
+        }
+      }
+    ]
+  })
+  
+  tags = {
+    Name = "OpenWebUI Scaled Execution Role"
+  }
 }
 
-# IAM policy for accessing the new secrets
+# Attach AWS managed ECS execution policy
-resource "aws_iam_policy" "secrets_access_policy" {
+resource "aws_iam_role_policy_attachment" "openwebui_execution_role_policy" {
-  name        = "openwebui-secrets-access-policy"
+  role       = aws_iam_role.openwebui_execution_role.name
-  description = "Policy for accessing OpenWebUI secrets"
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+# Service-specific secrets access via inline policy
+resource "aws_iam_role_policy" "openwebui_secrets_policy" {
+  name = "openwebui-scaled-secrets-access"
+  role = aws_iam_role.openwebui_execution_role.id
   
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
       {
         Effect = "Allow"
-        Action = [
+        Action = ["secretsmanager:GetSecretValue"]
-          "secretsmanager:GetSecretValue"
-        ]
         Resource = [
           aws_secretsmanager_secret.webui_shared_secret.arn,
           aws_secretsmanager_secret.redis_connection.arn,
           var.existing_database_secret_arn
         ]
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "kms:Decrypt"
+        ]
+        Resource = "*"
       }
     ]
   })
 }
-
-# Attach policy to existing task execution role
-resource "aws_iam_role_policy_attachment" "secrets_access_attachment" {
-  role       = data.aws_iam_role.task_execution_role.name
-  policy_arn = aws_iam_policy.secrets_access_policy.arn
-}

iac/variables.tf

@@ -55,7 +55,7 @@ variable "task_family_name" {
 variable "container_image" {
   description = "Container image URI"
   type        = string
-  default     = "908027381725.dkr.ecr.us-east-1.amazonaws.com/github/open-webui/open-webui:v0.6.18-hybrid-search-2"
+  default     = "908027381725.dkr.ecr.us-east-1.amazonaws.com/github/open-webui/open-webui:v0.6.26-debug"
 }
 
 variable "desired_count" {
@@ -157,7 +157,7 @@ variable "docling_serve_security_group_id" {
 variable "mcpo_security_group_id" {
   description = "Security group ID for the mcpo service"
   type        = string
-  default     = "sg-0cdc36e6d551602e4"
+  default     = "sg-0175ae75dd821810a"
 }
 
 variable "jupyter_notebook_security_group_id" {