--- /dev/null
+data "aws_iam_policy_document" "instance_trust" {
+ statement {
+ effect = "Allow"
+ actions = [
+ "sts:AssumeRole"
+ ]
+ principals {
+ type = "Service"
+ identifiers = [
+ "ec2.amazonaws.com"
+ ]
+ }
+ }
+}
+
+resource "aws_iam_role" "management" {
+ name = "${var.management_service_name}-role"
+ assume_role_policy = "${data.aws_iam_policy_document.instance_trust.json}"
+}
+
+data "aws_iam_policy_document" "management" {
+ statement {
+ sid = "AWSControl"
+ actions = [
+ "autoscaling:*",
+ "ec2:*",
+ "elasticloadbalancing:*",
+ "iam:PassRole",
+ "iam:GetServerCertificate"
+ ]
+ resources = [
+ "*"
+ ]
+ }
+ statement {
+ sid = "EventQueue"
+ actions = [
+ "sqs:*"
+ ]
+ resources = [ "${aws_sqs_queue.management-events-queue.arn}" ]
+ }
+ statement {
+ sid = "AlertTopic"
+ actions = [
+ "sns:*"
+ ]
+ resources = [ "${aws_sns_topic.management-events.arn}" ]
+ }
+}
+
+resource "aws_iam_policy" "management" {
+ name = "${var.management_service_name}"
+ description = "${var.management_service_name}"
+ path = "/"
+ policy = "${data.aws_iam_policy_document.management.json}"
+}
+
+resource "aws_iam_role_policy_attachment" "management" {
+ role = "${aws_iam_role.management.id}"
+ policy_arn = "${aws_iam_policy.management.arn}"
+}
+
+resource "aws_iam_instance_profile" "management" {
+ name = "${var.management_service_name}-instance-profile"
+ role = "${aws_iam_role.management.name}"
+}
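Review bot: The `AWSControl` statement grants `iam:PassRole` on `*` in the same policy as `ec2:*` and `autoscaling:*`, so any process on an instance using this profile can call `ec2:RunInstances` or create a launch configuration that carries any role in the account, including ones more privileged than this role — a standard privilege-escalation path from an EC2 instance role. `iam:PassRole` should be split into its own statement restricted to the role ARNs the management service actually needs to pass and conditioned on `iam:PassedToService` = `ec2.amazonaws.com`, so the role cannot be handed to other services; the concrete list of passable roles is not visible in this change, so the rewrite below uses a `var.passable_role_arns` placeholder that would have to be declared. The remaining `ec2:*`, `autoscaling:*` and `elasticloadbalancing:*` wildcards on `*` are also broad for an instance role; whether they can be narrowed to the actions the service issues cannot be determined from this file, but is worth confirming.
```hcl
data "aws_iam_policy_document" "management" {
  statement {
    sid = "AWSControl"
    actions = [
      "autoscaling:*",
      "ec2:*",
      "elasticloadbalancing:*",
      "iam:GetServerCertificate"
    ]
    resources = [
      "*"
    ]
  }
  statement {
    sid = "PassInstanceRoles"
    actions = [
      "iam:PassRole"
    ]
    # Only the roles this service actually hands to EC2/Auto Scaling;
    # the concrete list is not visible in this change and must be declared.
    resources = ["${var.passable_role_arns}"]
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["ec2.amazonaws.com"]
    }
  }
  # … unchanged: EventQueue and AlertTopic statements …
}
```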