session_manager.tf
# Attaches the Session Manager policy defined in this file to the module's
# instance role (aws_iam_role.iam_role is declared elsewhere in the module).
# Only created when var.aws_session_manager_enabled is true; aws_iam_policy
# .ssm_managed_instances uses the same count expression, so count.index maps
# one-to-one onto it.
resource "aws_iam_role_policy_attachment" "ssm_managed_instance_core" {
  count      = var.aws_session_manager_enabled ? 1 : 0
  policy_arn = aws_iam_policy.ssm_managed_instances[count.index].arn
  role       = aws_iam_role.iam_role.name
}
# Customer-managed IAM policy that carries the Session Manager permissions
# rendered by data.aws_iam_policy_document.ssm_managed_instances below.
# The name embeds var.name and the current region (data.aws_region.current is
# declared elsewhere in the module) — presumably so a multi-region deployment
# does not collide on the account-wide policy name; verify against callers.
resource "aws_iam_policy" "ssm_managed_instances" {
  count  = var.aws_session_manager_enabled ? 1 : 0
  name   = "${var.name}-ssm-management-${data.aws_region.current.name}"
  policy = data.aws_iam_policy_document.ssm_managed_instances[count.index].json
}
# Policy document granted to the instance role so the SSM agent on the host
# can register with Systems Manager and serve Session Manager sessions.
# Only rendered when var.aws_session_manager_enabled is true.
data "aws_iam_policy_document" "ssm_managed_instances" {
  count = var.aws_session_manager_enabled ? 1 : 0
  # Agent-side ssm:* calls (associations, documents, inventory, instance
  # information). NOTE(review): this mirrors the ssm actions of the AWS managed
  # AmazonSSMManagedInstanceCore policy, minus ssm:GetParameter and
  # ssm:GetParameters — so this policy does not let the instance read
  # Parameter Store. Confirm that omission is intentional and keep it if so.
  # resources = ["*"] matches the managed policy; these calls are made against
  # AWS-owned documents and the instance's own registration rather than a
  # resource the module creates.
  statement {
    effect = "Allow"
    actions = [
      "ssm:DescribeAssociation",
      "ssm:GetDeployablePatchSnapshotForInstance",
      "ssm:GetDocument",
      "ssm:DescribeDocument",
      "ssm:GetManifest",
      "ssm:ListAssociations",
      "ssm:ListInstanceAssociations",
      "ssm:PutInventory",
      "ssm:PutComplianceItems",
      "ssm:PutConfigurePackageResult",
      "ssm:UpdateAssociationStatus",
      "ssm:UpdateInstanceAssociationStatus",
      "ssm:UpdateInstanceInformation"
    ]
    resources = ["*"]
  }
  # Control/data channels the agent opens for an interactive session; these
  # ssmmessages actions do not take a resource, hence the wildcard.
  statement {
    effect = "Allow"
    actions = [
      "ssmmessages:CreateControlChannel",
      "ssmmessages:CreateDataChannel",
      "ssmmessages:OpenControlChannel",
      "ssmmessages:OpenDataChannel",
    ]
    resources = ["*"]
  }
  # Message queue the agent polls for commands and replies to.
  statement {
    effect = "Allow"
    actions = [
      "ec2messages:AcknowledgeMessage",
      "ec2messages:DeleteMessage",
      "ec2messages:FailMessage",
      "ec2messages:GetEndpoint",
      "ec2messages:GetMessages",
      "ec2messages:SendReply"
    ]
    resources = ["*"]
  }
  # Emitted only when session data is KMS-encrypted. Decrypt is scoped to the
  # single key in var.session_manager_kms_key_arn rather than "*", which is the
  # least-privilege shape; the session initiator, not the instance, is the one
  # that needs kms:GenerateDataKey, so it is correctly absent here.
  # NOTE(review): if the flag is true but the ARN variable is empty, an invalid
  # Resource is rendered and the apply is expected to fail — a validation on
  # that variable (outside this file) would surface it at plan time.
  dynamic "statement" {
    for_each = var.session_manager_kms_encryption_enabled ? [1] : []
    content {
      effect = "Allow"
      actions = [
        "kms:Decrypt"
      ]
      resources = [
        var.session_manager_kms_key_arn
      ]
    }
  }
}