[security] give explorer role ec2:DescribeTags
parent
a462f35e78
commit
15dbac751b
|
@ -22,6 +22,15 @@ data "aws_iam_policy_document" "deployer-assume-role-policy" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
data "aws_iam_policy_document" "config-policy" {
|
||||||
|
statement {
|
||||||
|
effect = "Allow"
|
||||||
|
actions = ["ec2:DescribeTags"]
|
||||||
|
|
||||||
|
resources = ["*"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
data "aws_iam_policy_document" "codedeploy-policy" {
|
data "aws_iam_policy_document" "codedeploy-policy" {
|
||||||
statement {
|
statement {
|
||||||
effect = "Allow"
|
effect = "Allow"
|
||||||
|
@ -86,6 +95,12 @@ resource "aws_iam_instance_profile" "explorer" {
|
||||||
path = "/${var.prefix}/"
|
path = "/${var.prefix}/"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "aws_iam_role_policy" "config" {
|
||||||
|
name = "${var.prefix}-config-policy"
|
||||||
|
role = "${aws_iam_role.role.id}"
|
||||||
|
policy = "${data.aws_iam_policy_document.config-policy.json}"
|
||||||
|
}
|
||||||
|
|
||||||
resource "aws_iam_role" "role" {
|
resource "aws_iam_role" "role" {
|
||||||
name = "${var.prefix}-explorer-role"
|
name = "${var.prefix}-explorer-role"
|
||||||
description = "The IAM role given to each Explorer instance"
|
description = "The IAM role given to each Explorer instance"
|
||||||
|
|
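Review bot: The new `config-policy` statement in the first hunk grants `ec2:DescribeTags` on `resources = ["*"]` with no comment saying why the wildcard is there. `ec2:DescribeTags` does not support resource-level permissions, so `"*"` is required; I would say so above the statement, e.g. `# ec2:DescribeTags cannot be scoped to specific resources; "*" is required here.`, so nobody copies the pattern to actions that can be narrowed. Every Explorer instance can now read the tags of all EC2 resources the account exposes in that region, so tag values should be treated as non-secret. Adding `sid = "DescribeEc2Tags"` to the statement would also make the grant easier to find in an audit than the generic `config-policy` name.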