Sharing IAM Role Policies between multiple IAM Roles
# AWS CloudWatch Logs install documentation:
# https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/QuickStartEC2Instance.html
# By defining this IAM Role Policy in a module, it can be referenced anywhere it is required
# for an IAM Role. This is preferable to copy/pasting the IAM Policy statement because changes
# made to this policy will automatically apply to all IAM Roles referencing this module.
###
# Variables
###
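variable "iam_role_id" {
  description = "The id of the iam_role to which this inline policy should be added."
}

variable "log_resource_arn" {
  description = "ARN (or ARN pattern) of the CloudWatch Logs resources the role may write to. The default allows every log group in every region and account, matching the AWS quick-start guide linked above; override it with the application's own log group ARN (e.g. arn:aws:logs:<REGION>:<ACCOUNT_ID>:log-group:<LOG_GROUP_NAME>:*) to keep the grant least-privilege."
  default     = "arn:aws:logs:*:*:*"
}

###
# IAM Role Policy
#
# This adds an inline IAM Policy to an existing IAM Role. The four logs:*
# actions are the ones listed in the AWS CloudWatch Logs quick-start guide;
# the Resource element is driven by var.log_resource_arn so callers can
# narrow the wildcard default without editing the module.
###
resource "aws_iam_role_policy" "awslogs_iam_role_inline_policy" {
  name = "awslogs_iam_role_policy"
  role = "${var.iam_role_id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPublishToCloudwatchLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "${var.log_resource_arn}"
      ]
    }
  ]
}
EOF
}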
# 1) Create the IAM Role for the specific application. This will be linked to the IAM Instance Profile for the application.
# The role itself carries no permissions; it only declares who may assume it.
# Here the trust policy lets the EC2 service assume the role, which is what an
# instance profile needs. Permissions are attached separately in steps 3 and 4.
resource "aws_iam_role" "my_application_iam_role" {
  assume_role_policy = <<TRUST_POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
TRUST_POLICY

  name = "my_application_iam_role"
}
# 2) Create the IAM Instance Profile, which gets assigned to the EC2 instance when it is launched.
# Q: Why do we need to create an Instance Profile if it can only have a single IAM Role?
# A: Because the AWS API said so. Who knows...
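resource "aws_iam_instance_profile" "elasticsearch_iam_instance_profile" {
  # NOTE(review): var.service_name and var.service_environment are not declared
  # in this file — confirm they exist in a variables file before applying.
  name = "${var.service_name}_iam_instance_profile_${var.service_environment}"

  # Must reference the role created in step 1. The previous reference to
  # aws_iam_role.elasticsearch_iam_role pointed at a resource that is not
  # defined here, so the profile could never be created.
  roles = ["${aws_iam_role.my_application_iam_role.name}"]
}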
# 3) Attach any IAM Role Policies to the IAM Role which are specific to the application.
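resource "aws_iam_role_policy" "my_application_iam_role_policy" {
  name = "my_application_iam_role_policy"
  role = "${aws_iam_role.my_application_iam_role.id}"

  # Placeholder statement: replace the <...> values with the application's real
  # actions and resource ARNs, and keep Resource scoped to what the application
  # needs rather than "*". The original skeleton had a trailing comma after "Sid",
  # a Sid containing spaces, and no Effect/Action/Resource, none of which IAM
  # accepts, so terraform apply would fail before any permissions were granted.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ApplicationSpecificPermissions",
      "Effect": "Allow",
      "Action": [
        "<REPLACE_WITH_APPLICATION_ACTION>"
      ],
      "Resource": [
        "<REPLACE_WITH_APPLICATION_RESOURCE_ARN>"
      ]
    }
  ]
}
EOF
}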
# 4) Attach any shared/global IAM Role Policies to the IAM Role.
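module "iam_role_policy_aws_cloudwatch_logs" {
  # Gist does not allow subdirectories, but this source path
  # would reference a directory with a main.tf file in it.
  source = "module_publish_to_aws_cloudwatch_logs"

  # Role created in step 1. The earlier reference to
  # aws_iam_role.elasticsearch_iam_role is not defined in this file, so the
  # module would have failed to resolve its input.
  iam_role_id = "${aws_iam_role.my_application_iam_role.id}"
}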