| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145 |
- # IAM Roles in All Accounts
- #############################
- # Default instance profile
- #
- # Basic profile to allow basic things
- resource "aws_iam_instance_profile" "default_instance_profile" {
- name = "msoc-default-instance-profile"
- role = aws_iam_role.default_instance_role.name
- }
- resource "aws_iam_role" "default_instance_role" {
- name = "msoc-default-instance-role"
- assume_role_policy = <<EOF
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "",
- "Effect": "Allow",
- "Principal": {
- "Service": [
- "ec2.amazonaws.com",
- "ssm.amazonaws.com"
- ]
- },
- "Action": "sts:AssumeRole"
- }
- ]
- }
- EOF
- }
- data "aws_iam_policy_document" "default_instance_policy_doc" {
- statement {
- effect = "Allow"
- actions = [
- "ec2:DescribeTags"
- ]
- resources = [
- "*"
- ]
- }
- }
- resource "aws_iam_policy" "default_instance_policy" {
- name = "default_instance_tag_read"
- path = "/launchroles/"
- description = "This policy allows a EC2 server to read tags"
- policy = data.aws_iam_policy_document.default_instance_policy_doc.json
- }
- resource "aws_iam_role_policy_attachment" "default_instance_AmazonEC2RoleforSSM" {
- role = aws_iam_role.default_instance_role.name
- policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
- }
- resource "aws_iam_role_policy_attachment" "default_instance_default_policy_attach" {
- role = aws_iam_role.default_instance_role.name
- policy_arn = aws_iam_policy.default_instance_policy.arn
- }
- resource "aws_iam_role_policy_attachment" "default_instance_cloudwatch_policy_attach" {
- role = aws_iam_role.default_instance_role.name
- policy_arn = aws_iam_policy.cloudwatch_events.arn
- }
- ##########################
- # cloudwatch events
- data "aws_iam_policy_document" "cloudwatch_events" {
- statement {
- sid = "1"
- actions = [
- "events:PutRule"
- ]
- resources = [ "*" ]
- }
- }
- resource "aws_iam_policy" "cloudwatch_events" {
- name = "cloudwatch_events"
- description = "Creation of cloudwatch events"
- policy = data.aws_iam_policy_document.cloudwatch_events.json
- }
- ##########################
- # dlm_lifecycle
- #
- # This is to setup the needed IAM role and premissions for the AWS feature Data Lifecycle Manager (DLM) lifecycle policy so we can have it do "backups" on our EBS
- # Docs can be found here https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-lifecycle.html
- # Chris Lynch 1/25/2019
- resource "aws_iam_role" "dlm_lifecycle_role" {
- name = "dlm-lifecycle-role"
- assume_role_policy = <<EOF
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Action": "sts:AssumeRole",
- "Principal": {
- "Service": "dlm.amazonaws.com"
- },
- "Effect": "Allow",
- "Sid": ""
- }
- ]
- }
- EOF
- }
- resource "aws_iam_role_policy" "dlm_lifecycle" {
- name = "dlm-lifecycle-policy"
- role = aws_iam_role.dlm_lifecycle_role.id
- policy = <<EOF
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateSnapshot",
- "ec2:DeleteSnapshot",
- "ec2:DescribeVolumes",
- "ec2:DescribeSnapshots"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateTags"
- ],
- "Resource": "arn:${var.aws_partition}:ec2:*::snapshot/*"
- }
- ]
- }
- EOF
- }
|
