X-Git-Url: http://git.squeep.com/?p=awsible;a=blobdiff_plain;f=infrastructure%2Fmodules%2Ftf_aws_asg_stack%2Fiam.tf;fp=infrastructure%2Fmodules%2Ftf_aws_asg_stack%2Fiam.tf;h=1c257c4eb206a564d841f4a86ef433b61b40a24f;hp=0000000000000000000000000000000000000000;hb=8576668075ca95e44481d9c9ed29d7e6af024bdc;hpb=933c48ff1e134168de3aaa2d20e4d43c13d04928
diff --git a/infrastructure/modules/tf_aws_asg_stack/iam.tf b/infrastructure/modules/tf_aws_asg_stack/iam.tf
new file mode 100644
index 0000000..1c257c4
--- /dev/null
+++ b/infrastructure/modules/tf_aws_asg_stack/iam.tf
@@ -0,0 +1,49 @@
+data "aws_iam_policy_document" "instance_trust" {
+ statement {
+ effect = "Allow"
+ actions = [
+ "sts:AssumeRole"
+ ]
+ principals {
+ type = "Service"
+ identifiers = [
+ "ec2.amazonaws.com"
+ ]
+ }
+ }
+}
+
+resource "aws_iam_role" "default" {
+ name = "${var.module}${length(var.stack) > 0 ? "-" : ""}${var.stack}-role"
+ assume_role_policy = "${data.aws_iam_policy_document.instance_trust.json}"
+}
+
+data "aws_iam_policy_document" "default" {
+ statement {
+ effect = "Allow"
+ actions = ["${var.iam_allow_actions}"]
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "default" {
+ name = "${var.module}${length(var.stack) > 0 ? "-" : ""}${var.stack}"
+ description = "specific policy for ${var.module}${length(var.stack) > 0 ? "-" : ""}${var.stack}"
+ policy = "${data.aws_iam_policy_document.default.json}"
+}
+
+resource "aws_iam_role_policy_attachment" "default" {
+ role = "${aws_iam_role.default.id}"
+ policy_arn = "${aws_iam_policy.default.arn}"
+}
+
+resource "aws_iam_role_policy_attachment" "extra" {
+ count = "${length(var.iam_policy_arns)}"
+ role = "${aws_iam_role.default.id}"
+ policy_arn = "${element(var.iam_policy_arns, count.index)}"
+}
+
+resource "aws_iam_instance_profile" "default" {
+ name = "${var.module}${length(var.stack) > 0 ? "-" : ""}${var.stack}-instance-profile"
+ role = "${aws_iam_role.default.name}"
+}
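Review bot: `resources = ["*"]` in `data "aws_iam_policy_document" "default"` grants every action passed through `var.iam_allow_actions` on all resources, and the module gives a stack no way to narrow that for its instance role. Consider taking a resource list next to the action list, e.g. `resources = ["${var.iam_allow_resources}"]`, where `iam_allow_resources` is a new input (name illustrative) declared wherever `iam_allow_actions` is declared, which is outside this hunk. If `iam_allow_actions` can be empty (its default is not visible here), the statement would render without any actions, which IAM is likely to reject at apply time. The `extra` attachment also lets callers add arbitrary managed policies via `var.iam_policy_arns`, so a comment above it such as `# caller-supplied managed policies; review each ARN for least privilege` would make clear that the role's effective permissions are decided by the caller.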