initial commit of replacement infrastructure automation
[awsible] / infrastructure / modules / management-stack / iam.tf
diff --git a/infrastructure/modules/management-stack/iam.tf b/infrastructure/modules/management-stack/iam.tf
new file mode 100644 (file)
index 0000000..3f85134
--- /dev/null
@@ -0,0 +1,66 @@
+data "aws_iam_policy_document" "instance_trust" {
+       statement {
+               effect = "Allow"
+               actions = [
+                       "sts:AssumeRole"
+               ]
+               principals {
+                       type = "Service"
+                       identifiers = [
+                               "ec2.amazonaws.com"
+                       ]
+               }
+       }
+}
+
+resource "aws_iam_role" "management" {
+       name = "${var.management_service_name}-role"
+       assume_role_policy = "${data.aws_iam_policy_document.instance_trust.json}"
+}
+
+data "aws_iam_policy_document" "management" {
+       statement {
+               sid = "AWSControl"
+               actions = [
+                       "autoscaling:*",
+                       "ec2:*",
+                       "elasticloadbalancing:*",
+                       "iam:PassRole",
+                       "iam:GetServerCertificate"
+               ]
+               resources = [
+                       "*"
+               ]
+       }
+       statement {
+               sid = "EventQueue"
+               actions = [
+                       "sqs:*"
+               ]
+               resources = [ "${aws_sqs_queue.management-events-queue.arn}" ]
+       }
+       statement {
+               sid = "AlertTopic"
+               actions = [
+                       "sns:*"
+               ]
+               resources = [ "${aws_sns_topic.management-events.arn}" ]
+       }
+}
+
+resource "aws_iam_policy" "management" {
+       name = "${var.management_service_name}"
+       description = "${var.management_service_name}"
+       path = "/"
+       policy = "${data.aws_iam_policy_document.management.json}"
+}
+
+resource "aws_iam_role_policy_attachment" "management" {
+       role = "${aws_iam_role.management.id}"
+       policy_arn = "${aws_iam_policy.management.arn}"
+}
+
+resource "aws_iam_instance_profile" "management" {
+       name = "${var.management_service_name}-instance-profile"
+       role = "${aws_iam_role.management.name}"
+}
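Review bot: The `AWSControl` statement grants `iam:PassRole` on `resources = ["*"]` alongside `ec2:*` and `autoscaling:*`, which lets anything running on a management instance launch an EC2 instance or launch configuration carrying any role in the account — a well-known path from a compromised management host to account-wide privilege. The trust policy is correctly limited to `ec2.amazonaws.com`, but that does not constrain which roles this role may pass. Split `iam:PassRole` into its own statement, restrict it with an `iam:PassedToService` condition so it can only be passed to EC2, and narrow `resources` to the ARNs of the roles this service actually launches instances with (the unscoped `"*"` in the sketch below is a placeholder, not a recommendation). The `sqs:*` and `sns:*` statements are scoped to one resource each, which is fine, though they still include destructive actions such as `sqs:DeleteQueue` that the service presumably does not need.

```hcl
data "aws_iam_policy_document" "management" {
	statement {
		sid = "AWSControl"
		actions = [
			"autoscaling:*",
			"ec2:*",
			"elasticloadbalancing:*",
			"iam:GetServerCertificate"
		]
		resources = [ "*" ]
	}
	statement {
		sid = "PassInstanceRoles"
		actions = [ "iam:PassRole" ]
		# TODO: replace with the ARNs of the roles this service launches instances with
		resources = [ "*" ]
		condition {
			test = "StringEquals"
			variable = "iam:PassedToService"
			values = [ "ec2.amazonaws.com" ]
		}
	}
	# … unchanged: EventQueue and AlertTopic statements …
}
```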