# IAM role for the EC2 instances; it is handed to them through
# aws_iam_instance_profile.ec2 and carries the policies attached in this file.
#
# The trust policy admits only the EC2 service principal, so no IAM user, other
# role or other account can call sts:AssumeRole on it directly. The role is
# reached by launching an instance with the profile or by running code on such
# an instance, which makes iam:PassRole on this role and shell access to the
# hosts the permissions to review alongside it.
resource "aws_iam_role" "ec2" {
  name = "${local.name_prefix}-ec2-role"

  # jsonencode emits object keys in sorted order, so the key order below is
  # cosmetic and does not change the rendered trust policy.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
        Action = "sts:AssumeRole"
      }
    ]
  })
}
# Attaches the AWS-managed AmazonSSMManagedInstanceCore policy to the EC2 role
# so the SSM agent on the instance can register with Systems Manager.
#
# NOTE(review): AWS owns and versions this policy, so its contents can change
# without a change to this file. It has historically also allowed
# ssm:GetParameter and ssm:GetParameters on all resources. If the current
# version still does, the per-parameter scoping in aws_iam_policy.ec2_app does
# not limit which parameters this role may request, and the effective control
# on SecureString values is the KMS key policy. Check the current policy
# document, and substitute a customer-managed copy without those two actions
# if that scoping is meant to hold.
resource "aws_iam_role_policy_attachment" "ssm_core" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
  role       = aws_iam_role.ec2.name
}
# Customer-managed policy holding the application's own permissions: read one
# SSM parameter and write to CloudWatch Logs under an /ec2/<name_prefix> prefix.
# jsonencode sorts object keys, so key order inside each statement is cosmetic;
# the order of the statements and of the action lists is kept as it was.
resource "aws_iam_policy" "ec2_app" {
  name = "${local.name_prefix}-ec2-app"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      # Read access to a single parameter, referenced by ARN rather than by a
      # path wildcard.
      # NOTE(review): if aws_ssm_parameter.db_password is a SecureString under
      # a customer-managed KMS key, kms:Decrypt on that key is also needed and
      # is not granted here; confirm where the parameter is defined.
      # NOTE(review): AmazonSSMManagedInstanceCore is attached to the same role
      # and may grant these two actions more broadly; verify before relying on
      # this statement as the only path to parameters.
      {
        Resource = [
          aws_ssm_parameter.db_password.arn
        ]
        Action = [
          "ssm:GetParameter",
          "ssm:GetParameters"
        ]
        Effect = "Allow"
      },
      # Log shipping. The statement lets the role create streams, append events
      # and list streams; it grants no read or delete action on log data and no
      # logs:CreateLogGroup, so the log group presumably exists already
      # (created elsewhere; confirm).
      # The Resource ends in a bare "*" directly after the name prefix. That
      # covers the log streams of the intended group, and also every other log
      # group in this account and region whose name merely starts with
      # /ec2/<name_prefix>. NOTE(review): if a single group is intended, a
      # suffix of ":*" after the exact group name is tighter; check the real
      # group names before changing it.
      {
        Resource = "arn:aws:logs:${var.aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/ec2/${local.name_prefix}*"
        Action = [
          "logs:CreateLogStream",
          "logs:PutLogEvents",
          "logs:DescribeLogStreams"
        ]
        Effect = "Allow"
      }
    ]
  })
}
# Binds the application policy (aws_iam_policy.ec2_app) to the EC2 role.
# This resource manages only this one attachment: policies attached to the role
# outside Terraform are not removed by it, so the role's effective permissions
# should be audited from IAM as well as from this file.
resource "aws_iam_role_policy_attachment" "ec2_app" {
  policy_arn = aws_iam_policy.ec2_app.arn
  role       = aws_iam_role.ec2.name
}
# Instance profile that carries aws_iam_role.ec2 onto EC2 instances.
# Instances receive the role's temporary credentials through the instance
# metadata service, so any process on the host that can reach it can use them.
# NOTE(review): the instance or launch template is not defined in this file;
# confirm that its metadata_options set http_tokens = "required" (IMDSv2 only).
resource "aws_iam_instance_profile" "ec2" {
  role = aws_iam_role.ec2.name
  name = "${local.name_prefix}-ec2-profile"
}