projects / awsible / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
add a basic cw alarm
[awsible] / infrastructure / modules / management-stack / iam.tf
1 data "aws_iam_policy_document" "instance_trust" {
2 statement {
3 effect = "Allow"
4 actions = [
5 "sts:AssumeRole"
6 ]
7 principals {
8 type = "Service"
9 identifiers = [
10 "ec2.amazonaws.com"
11 ]
12 }
13 }
14 }
15
16 resource "aws_iam_role" "management" {
17 name = "${var.management_service_name}-role"
18 assume_role_policy = "${data.aws_iam_policy_document.instance_trust.json}"
19 }
20
21 data "aws_iam_policy_document" "management" {
22 statement {
23 sid = "AWSControl"
24 actions = [
25 "autoscaling:*",
26 "cloudwatch:ListMetrics",
27 "cloudwatch:GetMetricStatistics",
28 "cloudwatch:Describe*",
29 "ec2:*",
30 "elasticloadbalancing:*",
31 "iam:PassRole",
32 "iam:GetServerCertificate",
33 "logs:DescribeLogStreams",
34 "logs:PutLogEvents",
35 ]
36 resources = [
37 "*"
38 ]
39 }
40 statement {
41 sid = "EventQueue"
42 actions = [
43 "sqs:*"
44 ]
45 resources = [ "${aws_sqs_queue.management-events-queue.arn}" ]
46 }
47 statement {
48 sid = "AlertTopic"
49 actions = [
50 "sns:*"
51 ]
52 resources = [ "${aws_sns_topic.management-events.arn}" ]
53 }
54 }
55
56 resource "aws_iam_policy" "management" {
57 name = "${var.management_service_name}"
58 description = "${var.management_service_name}"
59 path = "/"
60 policy = "${data.aws_iam_policy_document.management.json}"
61 }
62
63 resource "aws_iam_role_policy_attachment" "management" {
64 role = "${aws_iam_role.management.id}"
65 policy_arn = "${aws_iam_policy.management.arn}"
66 }
67
68 resource "aws_iam_instance_profile" "management" {
69 name = "${var.management_service_name}-instance-profile"
70 role = "${aws_iam_role.management.name}"
71 }
AWSible - Autonomous Ansible in AWS