[security] give explorer role ec2:DescribeTags
parent
a462f35e78
commit
15dbac751b
|
@ -22,6 +22,15 @@ data "aws_iam_policy_document" "deployer-assume-role-policy" {
|
|||
}
|
||||
}
|
||||
|
||||
data "aws_iam_policy_document" "config-policy" {
|
||||
statement {
|
||||
effect = "Allow"
|
||||
actions = ["ec2:DescribeTags"]
|
||||
|
||||
resources = ["*"]
|
||||
}
|
||||
}
|
||||
|
||||
data "aws_iam_policy_document" "codedeploy-policy" {
|
||||
statement {
|
||||
effect = "Allow"
|
||||
|
@ -86,6 +95,12 @@ resource "aws_iam_instance_profile" "explorer" {
|
|||
path = "/${var.prefix}/"
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy" "config" {
|
||||
name = "${var.prefix}-config-policy"
|
||||
role = "${aws_iam_role.role.id}"
|
||||
policy = "${data.aws_iam_policy_document.config-policy.json}"
|
||||
}
|
||||
|
||||
resource "aws_iam_role" "role" {
|
||||
name = "${var.prefix}-explorer-role"
|
||||
description = "The IAM role given to each Explorer instance"
|
||||
|
|
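Review bot: The `resources = ["*"]` line in the new `config-policy` statement carries no comment, so anyone auditing this file for wildcard grants will stop on it. `ec2:DescribeTags` does not support resource-level permissions, so the wildcard is required here; I would add `# ec2:DescribeTags has no resource-level permissions, so "*" is required` directly above that line. Because the policy is attached to the role used by each Explorer instance, every instance can read the tags of any EC2 resource in the account, so it is worth confirming that no tag holds secrets or other sensitive values. The name `config-policy` also says little about what is granted; a name that mentions tags would be easier to audit, though the file's naming convention is only partly visible in these hunks.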