From 047c30a3ee1ee468605b0d39c466962b546f55c0 Mon Sep 17 00:00:00 2001
From: Paul Schoenfelder
Date: Fri, 1 Jun 2018 10:41:01 -0400
Subject: [PATCH] [security] fix ec2 role permissions to support codedeploy agent

---
 modules/stack/security.tf | 79 +++++++++------------------------------
 1 file changed, 18 insertions(+), 61 deletions(-)

diff --git a/modules/stack/security.tf b/modules/stack/security.tf
index 4d8c9ba..202d62d 100644
--- a/modules/stack/security.tf
+++ b/modules/stack/security.tf
@@ -22,52 +22,6 @@ data "aws_iam_policy_document" "deployer-assume-role-policy" {
 }
 }
 
-data "aws_iam_policy_document" "config-policy" {
- statement {
- effect = "Allow"
- actions = ["ssm:DescribeParameters"]
-
- resources = ["*"]
- }
-
- statement {
- effect = "Allow"
- actions = ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"]
-
- resources = [
- "arn:aws:ssm:*:*:parameter/${var.prefix}/*",
- "arn:aws:ssm:*:*:parameter/${var.prefix}/*/*",
- ]
- }
-
- statement {
- effect = "Allow"
- actions = ["ec2:DescribeTags"]
-
- resources = ["*"]
- }
-
- statement {
- effect = "Allow"
- actions = ["s3:*"]
-
- resources = [
- "arn:aws:s3:::aws-codedeploy-us-east-1/*",
- "arn:aws:s3:::aws-codedeploy-us-east-2/*",
- "arn:aws:s3:::aws-codedeploy-us-west-1/*",
- "arn:aws:s3:::aws-codedeploy-us-west-2/*",
- "arn:aws:s3:::aws-codedeploy-ap-northeast-1/*",
- "arn:aws:s3:::aws-codedeploy-ap-northeast-2/*",
- "arn:aws:s3:::aws-codedeploy-ap-south-1/*",
- "arn:aws:s3:::aws-codedeploy-ap-southeast-1/*",
- "arn:aws:s3:::aws-codedeploy-ap-southeast-2/*",
- "arn:aws:s3:::aws-codedeploy-eu-central-1/*",
- "arn:aws:s3:::aws-codedeploy-eu-west-1/*",
- "arn:aws:s3:::aws-codedeploy-sa-east-1/*",
- ]
- }
-}
-
 data "aws_iam_policy_document" "codedeploy-policy" {
 statement {
 effect = "Allow"
@@ -78,16 +32,7 @@ data "aws_iam_policy_document" "codedeploy-policy" {
 "tag:*",
 "ec2:DescribeInstances",
 "ec2:DescribeInstanceStatus",
- "ec2messages:AcknowledgeMessage",
- "ec2messages:DeleteMessage",
- "ec2messages:FailMessage",
- "ec2messages:GetEndpoint",
- "ec2messages:GetMessages",
- "ec2messages:SendReply",
 "sns:Publish",
- "ssm:UpdateInstanceInformation",
- "ssm:ListInstanceAssociations",
- "ssm:ListAssociations"
 ]
 
 resources = ["*"]
@@ -117,18 +62,30 @@ data "aws_iam_policy_document" "codedeploy-policy" {
 }
 }
 
+data "aws_iam_policy" "AmazonEC2RoleForAWSCodeDeploy" {
+ arn = "arn:aws:iam::aws:policy/AmazonEC2RoleForAWSCodeDeploy"
+}
+
+data "aws_iam_policy" "AmazonEC2RoleForSSM" {
+ arn = "arn:aws:iam::aws:policy/AmazonEC2RoleForSSM"
+}
+
+resource "aws_iam_role_policy_attachment" "ec2-codedeploy-policy-attachment" {
+ role = "${aws_iam_role.role.name}"
+ policy_arn = "${data.aws_iam_policy.AmazonEC2RoleForAWSCodeDeploy.arn}"
+}
+
+resource "aws_iam_role_policy_attachment" "ec2-ssm-policy-attachment" {
+ role = "${aws_iam_role.role.name}"
+ policy_arn = "${data.aws_iam_policy.AmazonEC2RoleForSSM.arn}"
+}
+
 resource "aws_iam_instance_profile" "explorer" {
 name = "${var.prefix}-explorer-profile"
 role = "${aws_iam_role.role.name}"
 path = "/${var.prefix}/"
 }
 
-resource "aws_iam_role_policy" "config" {
- name = "${var.prefix}-config-policy"
- role = "${aws_iam_role.role.id}"
- policy = "${data.aws_iam_policy_document.config-policy.json}"
-}
-
 resource "aws_iam_role" "role" {
 name = "${var.prefix}-explorer-role"
 description = "The IAM role given to each Explorer instance"
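Review bot: The `ec2-ssm-policy-attachment` resource attaches AmazonEC2RoleForSSM to the instance role, which widens it well beyond the inline `config` policy it replaces: that policy scoped `ssm:GetParameter*` to `arn:aws:ssm:*:*:parameter/${var.prefix}/*` and S3 access to the aws-codedeploy buckets, whereas, as I recall, the managed policy grants parameter reads and several S3 read and write actions on `*`, so every Explorer instance could read any Parameter Store value in the account. Since IAM allows are additive, reinstating the prefix-scoped statement alongside the attachment would not narrow it back; the least-privilege option is a custom policy carrying only the agent actions (the `ssm:`/`ec2messages:` set dropped in the previous hunk) plus the scoped parameter and bucket statements, or a permissions boundary on `aws_iam_role.role`. Please verify the managed policy's current document before merging and state the widening in the commit message, given the [security] tag. As a style point, the two `data "aws_iam_policy"` lookups only echo a constant ARN; `policy_arn = "arn:aws:iam::aws:policy/AmazonEC2RoleForSSM"` reads the same with two fewer data sources.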