data "aws_iam_policy_document" "instance_trust" { statement { effect = "Allow" actions = [ "sts:AssumeRole" ] principals { type = "Service" identifiers = [ "ec2.amazonaws.com" ] } } } resource "aws_iam_role" "management" { name = "${var.management_service_name}-role" assume_role_policy = "${data.aws_iam_policy_document.instance_trust.json}" } data "aws_iam_policy_document" "management" { statement { sid = "AWSControl" actions = [ "autoscaling:*", "ec2:*", "elasticloadbalancing:*", "iam:PassRole", "iam:GetServerCertificate" ] resources = [ "*" ] } statement { sid = "EventQueue" actions = [ "sqs:*" ] resources = [ "${aws_sqs_queue.management-events-queue.arn}" ] } statement { sid = "AlertTopic" actions = [ "sns:*" ] resources = [ "${aws_sns_topic.management-events.arn}" ] } } resource "aws_iam_policy" "management" { name = "${var.management_service_name}" description = "${var.management_service_name}" path = "/" policy = "${data.aws_iam_policy_document.management.json}" } resource "aws_iam_role_policy_attachment" "management" { role = "${aws_iam_role.management.id}" policy_arn = "${aws_iam_policy.management.arn}" } resource "aws_iam_instance_profile" "management" { name = "${var.management_service_name}-instance-profile" role = "${aws_iam_role.management.name}" }