[security] give explorer role ec2:DescribeTags

2018-06-01 12:05:53 -04:00 · 2018-06-01 12:05:53 -04:00 · 15dbac751b
parent a462f35e78
commit 15dbac751b
1 changed files with 15 additions and 0 deletions
--- a/modules/stack/security.tf
+++ b/modules/stack/security.tf
@ -22,6 +22,15 @@ data "aws_iam_policy_document" "deployer-assume-role-policy" {
  }
 }

+data "aws_iam_policy_document" "config-policy" {
+  statement {
+    effect  = "Allow"
+    actions = ["ec2:DescribeTags"]
+
+    resources = ["*"]
+  }
+}
+
 data "aws_iam_policy_document" "codedeploy-policy" {
  statement {
    effect = "Allow"
@ -86,6 +95,12 @@ resource "aws_iam_instance_profile" "explorer" {
  path = "/${var.prefix}/"
 }

+resource "aws_iam_role_policy" "config" {
+  name   = "${var.prefix}-config-policy"
+  role   = "${aws_iam_role.role.id}"
+  policy = "${data.aws_iam_policy_document.config-policy.json}"
+}
+
 resource "aws_iam_role" "role" {
  name               = "${var.prefix}-explorer-role"
  description        = "The IAM role given to each Explorer instance"