-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathec2_iam.tf
More file actions
67 lines (58 loc) · 1.58 KB
/
Copy pathec2_iam.tf
File metadata and controls
67 lines (58 loc) · 1.58 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
# This file creates the IAM role and instance profile for the Red Instance.
# The role has a trust policy that allows EC2 instances to assume the role.
resource "aws_iam_instance_profile" "red_instance_profile" {
name = "${lower(var.instance_name)}-red-instance-profile"
role = aws_iam_role.red_role.name
tags = local.tags
}
# Create the IAM role for the Red Instance
resource "aws_iam_role" "red_role" {
name = "${lower(var.instance_name)}-role"
tags = local.tags
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
# AmazonSSMManagedInstanceCore enables Session Manager access. This is the
# primary access path for the instance — no SSH key pair is used.
resource "aws_iam_role_policy_attachment" "red_ssm_policy_attachment" {
role = aws_iam_role.red_role.name
policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
# Role policy for S3 bucket access
resource "aws_iam_role_policy" "s3_bucket_policy" {
name = "${lower(var.instance_name)}-s3-bucket-policy"
role = aws_iam_role.red_role.name
count = var.enable_s3_bucket_policy ? 1 : 0
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::${var.s3_bucket_name}",
"arn:aws:s3:::${var.s3_bucket_name}/*"
]
}
]
}
EOF
}