| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849 |
- resource "aws_iam_instance_profile" "instance_profile" {
- name = "${var.prefix}-instance-profile"
- path = "/instance/"
- role = aws_iam_role.instance_role.name
- }
- resource "aws_iam_role" "instance_role" {
- name = "${var.prefix}-instance-role"
- path = "/instance/"
- assume_role_policy = <<EOF
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "",
- "Effect": "Allow",
- "Principal": {
- "Service": [
- "ec2.amazonaws.com",
- "ssm.amazonaws.com"
- ]
- },
- "Action": "sts:AssumeRole"
- }
- ]
- }
- EOF
- }
- # These 3 are the default profile attachments:
- resource "aws_iam_role_policy_attachment" "instance_AmazonEC2RoleforSSM" {
- role = aws_iam_role.instance_role.name
- policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
- }
- resource "aws_iam_role_policy_attachment" "instance_default_policy_attach" {
- role = aws_iam_role.instance_role.name
- policy_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:policy/launchroles/default_instance_tag_read"
- }
- resource "aws_iam_role_policy_attachment" "instance_binaries_policy_attach" {
- role = aws_iam_role.instance_role.name
- policy_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:policy/launchroles/default_instance_s3_binaries"
- }
- resource "aws_iam_role_policy_attachment" "instance_cloudwatch_policy_attach" {
- role = aws_iam_role.instance_role.name
- policy_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:policy/cloudwatch_events"
- }
|
