Sample IAM Policy Document
# -----------------------
# Inline Policy
# -----------------------
# IAM role assumed by the EC2 instance during the image-bake run.
# The permissions boundary caps whatever any policy attached to the role grants.
resource "aws_iam_role" "iam_ser" {
  name_prefix = "svc-${var.workload_name}-bake"

  # Trust policy: only the EC2 service principal may assume this role.
  # Key order differs from the original object literal; jsonencode emits keys sorted,
  # so the rendered document is identical.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = ""
        Effect    = "Allow"
        Action    = "sts:AssumeRole"
        Principal = { Service = "ec2.amazonaws.com" }
      }
    ]
  })

  # Boundary policy is resolved in the account of the caller running the apply.
  permissions_boundary = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/WorkloadPermissionsBoundary"
}
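# Instance profile that lets the bake instance carry the role.
# The role resource in this file is named "iam_ser"; the previous reference to
# "aws_iam_role.core_services_bake" pointed at a resource that does not exist.
resource "aws_iam_instance_profile" "core_services_bake" {
  name_prefix = "svc-${var.workload_name}-bake"
  role        = aws_iam_role.iam_ser.name
}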
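# Inline policy attached to the bake role (deleted together with the role).
# The role resource in this file is named "iam_ser"; the previous reference to
# "aws_iam_role.core_services_bake" pointed at a resource that does not exist.
resource "aws_iam_role_policy" "core_services_bake" {
  name   = "allow_packer_permissions"
  role   = aws_iam_role.iam_ser.id
  policy = data.aws_iam_policy_document.sample_policy_document.json
}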
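# Permissions the bake instance needs for SSM agent registration, Session Manager
# transport and CloudWatch log shipping. The action lists are unchanged from the
# original; Sids are now descriptive and ec2:Describe* has its own statement so
# that each "*" resource can be justified individually.
data "aws_iam_policy_document" "sample_policy_document" {
  # SSM agent registration/association calls. The wildcards expand to the
  # ListInstance* / UpdateInstance* action families; narrow to the exact actions
  # once the agent's requirements are confirmed (reviewer note).
  statement {
    sid    = "SsmInstanceRegistration"
    effect = "Allow"
    actions = [
      "ssm:ListInstance*",
      "ssm:UpdateInstance*",
    ]
    resources = ["*"]
  }

  # CloudWatch Logs shipping. These actions accept log-group/log-stream ARNs, so
  # "*" is broader than necessary; scope to the bake log group
  # (e.g. "arn:aws:logs:<REGION>:<ACCOUNT_ID>:log-group:<LOG_GROUP_NAME>:*") once known.
  statement {
    sid    = "CloudWatchLogsWrite"
    effect = "Allow"
    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:DescribeLogGroups",
      "logs:DescribeLogStreams",
    ]
    resources = ["*"]
  }

  # Session Manager control/data channels. ssmmessages actions do not support
  # resource-level permissions, so "*" is required here.
  statement {
    sid    = "SsmSessionManagerChannels"
    effect = "Allow"
    actions = [
      "ssmmessages:CreateControlChannel",
      "ssmmessages:CreateDataChannel",
      "ssmmessages:OpenControlChannel",
      "ssmmessages:OpenDataChannel",
    ]
    resources = ["*"]
  }

  # Legacy SSM agent message queue. ec2messages actions do not support
  # resource-level permissions, so "*" is required here.
  statement {
    sid    = "Ec2MessagesAgentQueue"
    effect = "Allow"
    actions = [
      "ec2messages:AcknowledgeMessage",
      "ec2messages:DeleteMessage",
      "ec2messages:FailMessage",
      "ec2messages:GetEndpoint",
      "ec2messages:GetMessages",
      "ec2messages:SendReply",
    ]
    resources = ["*"]
  }

  # Read-only EC2 metadata lookups. ec2:Describe* actions do not support
  # resource-level permissions, so "*" is required; kept separate from the
  # ec2messages statement so the broad wildcard is visible on its own.
  statement {
    sid    = "Ec2DescribeReadOnly"
    effect = "Allow"
    actions = [
      "ec2:Describe*",
    ]
    resources = ["*"]
  }
}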