initial commit of replacement infrastructure automation
[awsible] / infrastructure / modules / tf_aws_asg_stack / iam.tf
diff --git a/infrastructure/modules/tf_aws_asg_stack/iam.tf b/infrastructure/modules/tf_aws_asg_stack/iam.tf
new file mode 100644 (file)
index 0000000..1c257c4
--- /dev/null
@@ -0,0 +1,49 @@
+data "aws_iam_policy_document" "instance_trust" {
+       statement {
+               effect = "Allow"
+               actions = [
+                       "sts:AssumeRole"
+               ]
+               principals {
+                       type = "Service"
+                       identifiers = [
+                               "ec2.amazonaws.com"
+                       ]
+               }
+       }
+}
+
+resource "aws_iam_role" "default" {
+       name = "${var.module}${length(var.stack) > 0 ? "-" : ""}${var.stack}-role"
+       assume_role_policy = "${data.aws_iam_policy_document.instance_trust.json}"
+}
+
+data "aws_iam_policy_document" "default" {
+       statement {
+               effect = "Allow"
+               actions = ["${var.iam_allow_actions}"]
+               resources = ["*"]
+       }
+}
+
+resource "aws_iam_policy" "default" {
+       name = "${var.module}${length(var.stack) > 0 ? "-" : ""}${var.stack}"
+       description = "specific policy for ${var.module}${length(var.stack) > 0 ? "-" : ""}${var.stack}"
+       policy = "${data.aws_iam_policy_document.default.json}"
+}
+
+resource "aws_iam_role_policy_attachment" "default" {
+       role = "${aws_iam_role.default.id}"
+       policy_arn = "${aws_iam_policy.default.arn}"
+}
+
+resource "aws_iam_role_policy_attachment" "extra" {
+       count = "${length(var.iam_policy_arns)}"
+       role = "${aws_iam_role.default.id}"
+       policy_arn = "${element(var.iam_policy_arns, count.index)}"
+}
+
+resource "aws_iam_instance_profile" "default" {
+       name = "${var.module}${length(var.stack) > 0 ? "-" : ""}${var.stack}-instance-profile"
+       role = "${aws_iam_role.default.name}"
+}
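Review bot: The `default` policy document grants every action in `var.iam_allow_actions` on `resources = ["*"]`, so any caller of this module that passes a broad action (for example an `s3:*` or `ec2:*` style entry) ends up with an account-wide grant attached to every instance in the ASG, and the `*` is hard-coded rather than something the caller can narrow. Consider exposing the resource list as a module input with `["*"]` as the default for compatibility, e.g. `resources = ["${var.iam_allow_resources}"]` (constructed variable name; it would need a matching declaration in the module's variables file, which is not in this commit), and a comment on the statement such as `# NOTE: actions apply to all resources unless the caller narrows them; keep iam_allow_actions minimal`. Separately, if `var.iam_allow_actions` is empty the statement is emitted with no actions, which AWS will presumably reject when `aws_iam_policy.default` is created; a `count = "${length(var.iam_allow_actions) > 0 ? 1 : 0}"` guard on the policy and its attachment, or a documented requirement that the list be non-empty, would make that failure mode explicit. The `extra` attachment at L47-51 is fine as written but would benefit from a one-line comment stating that the ARNs are attached unchanged and are the caller's responsibility to scope.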