initial commit of replacement infrastructure automation
[awsible] / infrastructure / modules / tf_aws_asg_stack / iam.tf
# Trust policy for the instance role. The only principal allowed to call
# sts:AssumeRole is the EC2 service, so the role is assumed on behalf of
# instances rather than by users or other services.
data "aws_iam_policy_document" "instance_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}
15
# Role for the stack's instances. The name is "<module>-<stack>-role", or
# "<module>-role" when var.stack is empty (the "-" separator is only
# emitted for a non-empty stack name).
resource "aws_iam_role" "default" {
  # Who may assume the role is decided by the instance_trust document.
  assume_role_policy = "${data.aws_iam_policy_document.instance_trust.json}"
  name               = "${var.module}${length(var.stack) > 0 ? "-" : ""}${var.stack}-role"
}
20
# Permissions document for the stack-specific policy: one Allow statement
# whose actions come from var.iam_allow_actions.
data "aws_iam_policy_document" "default" {
  statement {
    effect  = "Allow"
    actions = ["${var.iam_allow_actions}"]

    # NOTE(review): every action passed in by the caller is granted on all
    # resources. The module has no input here to narrow the resource list,
    # so least privilege depends entirely on how tightly callers choose
    # var.iam_allow_actions. Consider a resource-scoping input for actions
    # that support resource-level permissions.
    resources = ["*"]
  }
}
28
# Managed policy holding the stack-specific permissions. It is named
# "<module>-<stack>", or just "<module>" when var.stack is empty.
resource "aws_iam_policy" "default" {
  name        = "${var.module}${length(var.stack) > 0 ? "-" : ""}${var.stack}"
  policy      = "${data.aws_iam_policy_document.default.json}"
  description = "specific policy for ${var.module}${length(var.stack) > 0 ? "-" : ""}${var.stack}"
}
34
# Binds the stack-specific managed policy to the instance role.
resource "aws_iam_role_policy_attachment" "default" {
  policy_arn = "${aws_iam_policy.default.arn}"
  role       = "${aws_iam_role.default.id}"
}
39
# Attaches each caller-supplied policy ARN to the instance role, one
# attachment per entry in var.iam_policy_arns (none when the list is empty).
#
# NOTE(review): nothing in this file constrains which ARNs may be passed,
# so the role's effective permissions are the union of the default policy
# and whatever the caller lists here. Review call sites for broad policies.
resource "aws_iam_role_policy_attachment" "extra" {
  count = "${length(var.iam_policy_arns)}"

  policy_arn = "${element(var.iam_policy_arns, count.index)}"
  role       = "${aws_iam_role.default.id}"
}
45
# Instance profile wrapping the role, named
# "<module>-<stack>-instance-profile" (or "<module>-instance-profile" when
# var.stack is empty). Instances launched with this profile receive the
# role's permissions.
resource "aws_iam_instance_profile" "default" {
  role = "${aws_iam_role.default.name}"
  name = "${var.module}${length(var.stack) > 0 ? "-" : ""}${var.stack}-instance-profile"
}