X-Git-Url: http://git.squeep.com/?p=awsible;a=blobdiff_plain;f=infrastructure%2Fmodules%2Fmanagement-stack%2Fiam.tf;fp=infrastructure%2Fmodules%2Fmanagement-stack%2Fiam.tf;h=3f8513448eacfd1bd8e796f55d796b7023dfc803;hp=0000000000000000000000000000000000000000;hb=8576668075ca95e44481d9c9ed29d7e6af024bdc;hpb=933c48ff1e134168de3aaa2d20e4d43c13d04928
diff --git a/infrastructure/modules/management-stack/iam.tf b/infrastructure/modules/management-stack/iam.tf
new file mode 100644
index 0000000..3f85134
--- /dev/null
+++ b/infrastructure/modules/management-stack/iam.tf
@@ -0,0 +1,66 @@
+data "aws_iam_policy_document" "instance_trust" {
+ statement {
+ effect = "Allow"
+ actions = [
+ "sts:AssumeRole"
+ ]
+ principals {
+ type = "Service"
+ identifiers = [
+ "ec2.amazonaws.com"
+ ]
+ }
+ }
+}
+
+resource "aws_iam_role" "management" {
+ name = "${var.management_service_name}-role"
+ assume_role_policy = "${data.aws_iam_policy_document.instance_trust.json}"
+}
+
+data "aws_iam_policy_document" "management" {
+ statement {
+ sid = "AWSControl"
+ actions = [
+ "autoscaling:*",
+ "ec2:*",
+ "elasticloadbalancing:*",
+ "iam:PassRole",
+ "iam:GetServerCertificate"
+ ]
+ resources = [
+ "*"
+ ]
+ }
+ statement {
+ sid = "EventQueue"
+ actions = [
+ "sqs:*"
+ ]
+ resources = [ "${aws_sqs_queue.management-events-queue.arn}" ]
+ }
+ statement {
+ sid = "AlertTopic"
+ actions = [
+ "sns:*"
+ ]
+ resources = [ "${aws_sns_topic.management-events.arn}" ]
+ }
+}
+
+resource "aws_iam_policy" "management" {
+ name = "${var.management_service_name}"
+ description = "${var.management_service_name}"
+ path = "/"
+ policy = "${data.aws_iam_policy_document.management.json}"
+}
+
+resource "aws_iam_role_policy_attachment" "management" {
+ role = "${aws_iam_role.management.id}"
+ policy_arn = "${aws_iam_policy.management.arn}"
+}
+
+resource "aws_iam_instance_profile" "management" {
+ name = "${var.management_service_name}-instance-profile"
+ role = "${aws_iam_role.management.name}"
+}
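Review bot: The AWSControl statement in `data "aws_iam_policy_document" "management"` grants `iam:PassRole` on `resources = ["*"]`, so any instance carrying this profile can attach any role in the account to the instances it launches, which makes a compromise of the management host a path to every other role's permissions. Move PassRole into its own statement pinned to the role ARNs the service actually launches with and add an `iam:PassedToService` condition limited to `ec2.amazonaws.com`; the `ec2:*`/`autoscaling:*`/`elasticloadbalancing:*` wildcards are broad as well, but a management stack plausibly needs much of them and they can be narrowed as a follow-up. The EventQueue and AlertTopic statements are already scoped to specific resource ARNs, which is the pattern the PassRole grant should follow.
```hcl
  # … unchanged: AWSControl statement, with "iam:PassRole" removed from its actions …
  statement {
    sid = "PassInstanceRoles"
    actions = [
      "iam:PassRole"
    ]
    # TODO(review): list the ARNs of the roles this service launches instances with
    resources = [ "<ROLE_ARN_PLACEHOLDER>" ]
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = [ "ec2.amazonaws.com" ]
    }
  }
  # … unchanged: EventQueue and AlertTopic statements …
```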