|
@@ -1,6 +1,6 @@
|
|
|
resource "aws_iam_instance_profile" "teleport" {
|
|
|
- name = "${var.instance_name}-role"
|
|
|
- role = aws_iam_role.auth.name
|
|
|
+ name = "${var.instance_name}-role"
|
|
|
+ role = aws_iam_role.auth.name
|
|
|
#depends_on = [aws_iam_role_policy.auth_ssm]
|
|
|
}
|
|
|
|
|
@@ -60,6 +60,26 @@ EOF
|
|
|
#
|
|
|
#}
|
|
|
|
|
|
+resource "aws_iam_role_policy_attachment" "teleport_singleinstance_AmazonEC2RoleforSSM" {
|
|
|
+ role = aws_iam_role.auth.name
|
|
|
+ policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
|
|
|
+}
|
|
|
+
|
|
|
+resource "aws_iam_role_policy_attachment" "teleport_singleinstance_policy_attach_tag_read" {
|
|
|
+ role = aws_iam_role.auth.name
|
|
|
+ policy_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:policy/launchroles/default_instance_tag_read"
|
|
|
+}
|
|
|
+
|
|
|
+resource "aws_iam_role_policy_attachment" "teleport_singleinstance_policy_attach_cloudwatch" {
|
|
|
+ role = aws_iam_role.auth.name
|
|
|
+ policy_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:policy/cloudwatch_events"
|
|
|
+}
|
|
|
+
|
|
|
+resource "aws_iam_role_policy_attachment" "teleport_singleinstance_policy_attach_binaries" {
|
|
|
+ role = aws_iam_role.auth.name
|
|
|
+ policy_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:policy/launchroles/default_instance_s3_binaries"
|
|
|
+}
|
|
|
+
|
|
|
// Auth server uses DynamoDB as a backend, and this is to allow read/write from the dynamo tables
|
|
|
data "aws_iam_policy_document" "policy_auth_dynamo" {
|
|
|
statement {
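Review bot: The `AmazonEC2RoleforSSM` attachment in `teleport_singleinstance_AmazonEC2RoleforSSM` grants far more than an SSM agent needs: it is the legacy managed policy AWS has deprecated in favour of `AmazonSSMManagedInstanceCore`, and it includes `s3:GetObject`/`s3:PutObject`/`s3:ListBucket` on `Resource: "*"` plus broad `ssm:*`, which quietly undoes the bucket- and key-scoped `auth_s3` and `auth_kms` policies this same `aws_iam_role.auth` carries further down the file. For an auth server that holds the cluster CA, prefer the successor policy, `policy_arn = "arn:${var.aws_partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"`, and add a separate statement scoped to a named bucket/log group only if Session Manager logging is actually required. The three customer-managed policies (`launchroles/default_instance_tag_read`, `cloudwatch_events`, `launchroles/default_instance_s3_binaries`) are referenced by ARN from outside this module, so their grants cannot be audited here; a one-line comment above each attachment stating the actions and resources it is expected to permit would let a reader review the role without chasing the account. The attachment resources are complete within this hunk; the `policy_auth_dynamo` document that opens at its end continues outside it.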
|
|
@@ -92,8 +112,8 @@ data "aws_iam_policy_document" "policy_auth_dynamo" {
|
|
|
}
|
|
|
|
|
|
resource "aws_iam_policy" "auth_dynamo" {
|
|
|
- name = "${var.instance_name}-auth-dynamo"
|
|
|
- policy = data.aws_iam_policy_document.policy_auth_dynamo.json
|
|
|
+ name = "${var.instance_name}-auth-dynamo"
|
|
|
+ policy = data.aws_iam_policy_document.policy_auth_dynamo.json
|
|
|
}
|
|
|
|
|
|
resource "aws_iam_role_policy_attachment" "attach_auth_dynamo" {
|
|
@@ -112,8 +132,8 @@ data "aws_iam_policy_document" "policy_auth_locks" {
|
|
|
}
|
|
|
|
|
|
resource "aws_iam_policy" "auth_locks" {
|
|
|
- name = "${var.instance_name}-auth-locks"
|
|
|
- policy = data.aws_iam_policy_document.policy_auth_locks.json
|
|
|
+ name = "${var.instance_name}-auth-locks"
|
|
|
+ policy = data.aws_iam_policy_document.policy_auth_locks.json
|
|
|
}
|
|
|
|
|
|
resource "aws_iam_role_policy_attachment" "attach_auth_locks" {
|
|
@@ -150,8 +170,8 @@ data "aws_iam_policy_document" "policy_auth_s3" {
|
|
|
}
|
|
|
|
|
|
resource "aws_iam_policy" "auth_s3" {
|
|
|
- name = "${var.instance_name}-auth-s3"
|
|
|
- policy = data.aws_iam_policy_document.policy_auth_s3.json
|
|
|
+ name = "${var.instance_name}-auth-s3"
|
|
|
+ policy = data.aws_iam_policy_document.policy_auth_s3.json
|
|
|
}
|
|
|
|
|
|
resource "aws_iam_role_policy_attachment" "attach_auth_s3" {
|
|
@@ -164,7 +184,7 @@ data "aws_iam_policy_document" "policy_kms" {
|
|
|
statement {
|
|
|
sid = "AllowKMSUse"
|
|
|
effect = "Allow"
|
|
|
- resources = [ aws_kms_key.s3.arn ]
|
|
|
+ resources = [aws_kms_key.s3.arn]
|
|
|
|
|
|
actions = [
|
|
|
"kms:Encrypt",
|
|
@@ -177,8 +197,8 @@ data "aws_iam_policy_document" "policy_kms" {
|
|
|
}
|
|
|
|
|
|
resource "aws_iam_policy" "auth_kms" {
|
|
|
- name = "${var.instance_name}-kms"
|
|
|
- policy = data.aws_iam_policy_document.policy_kms.json
|
|
|
+ name = "${var.instance_name}-kms"
|
|
|
+ policy = data.aws_iam_policy_document.policy_kms.json
|
|
|
}
|
|
|
|
|
|
resource "aws_iam_role_policy_attachment" "attach_kms" {
|