@@ -17,7 +17,7 @@ resource "aws_iam_role" "default_instance_role" {
"Version": "2012-10-17",
"Statement": [
{
- "Sid": "",
+ "Sid": "AssumeRoleAnywhere",
"Effect": "Allow",
"Principal": {
"Service": [
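Review bot: The new Sid `AssumeRoleAnywhere` on the trust policy reads like a reference to the IAM Roles Anywhere feature, but the statement's principal is a `Service` list, i.e. an ordinary service-principal AssumeRole, so the name is likely to mislead whoever audits this role's trust relationships later. A Sid that names the actual principal class avoids that, e.g. `"Sid": "AllowServiceAssumeRole"`. The trust document continues outside the hunk, so I cannot see whether the `Action` element and any `Condition` on the statement were touched.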
@@ -45,7 +45,6 @@ data "aws_iam_policy_document" "default_instance_policy_doc" {
}
}
-
resource "aws_iam_policy" "default_instance_policy" {
name = "default_instance_tag_read"
path = "/launchroles/"
@@ -53,6 +52,49 @@ resource "aws_iam_policy" "default_instance_policy" {
policy = data.aws_iam_policy_document.default_instance_policy_doc.json
}
+data "aws_iam_policy_document" "default_instance_policy_s3_binaries_doc" {
+ statement {
+ sid = "AccessTheBucketItself"
+ effect = "Allow"
+ resources = ["arn:${var.aws_partition}:s3:::${var.binaries_bucket}"]
+
+ actions = [
+ "s3:ListBucket",
+ "s3:GetBucketLocation",
+ ]
+ }
+
+ statement {
+ sid = "GetFromTheBucket"
+ effect = "Allow"
+ resources = ["arn:${var.aws_partition}:s3:::${var.binaries_bucket}/*"]
+
+ actions = [
+ "s3:GetObject",
+ "s3:GetObjectAcl",
+ ]
+ }
+
+ statement {
+ sid = "UseTheKey"
+ effect = "Allow"
+ resources = [
+ "arn:${var.aws_partition}:kms:us-gov-east-1:${var.common_services_account}:${var.binaries_key}"
+ ]
+ actions = [
+ "kms:Decrypt",
+ "kms:DescribeKey"
+ ]
+ }
+}
+
+resource "aws_iam_policy" "default_instance_policy_s3_binaries" {
+ name = "default_instance_s3_binaries"
+ path = "/launchroles/"
+ description = "This policy allows a EC2 server to read from the s3 binaries bucket"
+ policy = data.aws_iam_policy_document.default_instance_policy_s3_binaries_doc.json
+}
+
resource "aws_iam_role_policy_attachment" "default_instance_AmazonEC2RoleforSSM" {
role = aws_iam_role.default_instance_role.name
policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
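Review bot: The KMS resource in the `UseTheKey` statement hardcodes the region `us-gov-east-1` while the partition and account in the same ARN come from variables, so the document silently grants nothing useful if the module is applied in any other region; replacing the literal with `data.aws_region.current.name` (given a `data "aws_region" "current" {}` block, which I cannot see in this file) or a region variable keeps the ARN consistent with the rest of the module. Because the key lives in `var.common_services_account`, this identity-side grant is only half of the authorization, the key policy in that account must also allow this role `kms:Decrypt` and `kms:DescribeKey`, and a comment on the statement saying so would save the next person a confusing AccessDenied. `s3:GetObjectAcl` in `GetFromTheBucket` is not needed to download objects, so unless something on the instance reads object ACLs it can be dropped to keep the read policy minimal. The `description` string also has a typo, `a EC2` should read `an EC2`.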
@@ -63,6 +105,11 @@ resource "aws_iam_role_policy_attachment" "default_instance_default_policy_attac
policy_arn = aws_iam_policy.default_instance_policy.arn
}
+resource "aws_iam_role_policy_attachment" "default_instance_s3_policy_attach" {
+ role = aws_iam_role.default_instance_role.name
+ policy_arn = aws_iam_policy.default_instance_policy_s3_binaries.arn
+}
+
resource "aws_iam_role_policy_attachment" "default_instance_cloudwatch_policy_attach" {
role = aws_iam_role.default_instance_role.name
policy_arn = aws_iam_policy.cloudwatch_events.arn
@@ -264,4 +311,3 @@ resource "aws_iam_role_policy" "splunk_addon_for_aws" {
}
EOF
}
-