Skip to content

Instantly share code, notes, and snippets.

@conorgil
Created January 13, 2016 21:36
Show Gist options
  • Save conorgil/455e0106d09613a7c3a6 to your computer and use it in GitHub Desktop.
Save conorgil/455e0106d09613a7c3a6 to your computer and use it in GitHub Desktop.
Sharing IAM Role Policies between multiple IAM Roles
# AWS Cloudwatch Logs install documentation:
# https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/QuickStartEC2Instance.html
# By defining this IAM Role Policy in a module, it can be referenced anywhere it is required
# for an IAM Role. This is preferrable to copy/pasting the IAM Policy statement because changes
# made to this role will automatically apply to all IAM Roles referencing this module.
###
# Variables
###
variable "iam_role_id" {
description = "The id of the iam_role to which this inline policy should be added."
}
###
# IAM Role Policy
#
# This adds an inline IAM Policy to an existing IAM Role.
###
resource "aws_iam_role_policy" "awslogs_iam_role_inline_policy" {
name = "awslogs_iam_role_policy"
role = "${var.iam_role_id}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPublishToCloudwatchLogs",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Resource": [
"arn:aws:logs:*:*:*"
]
}
]
}
EOF
}
# 1) Create the IAM Role for the specific application. This will be linked to the IAM Instance Profile for the application.
resource "aws_iam_role" "my_application_iam_role" {
name = "my_application_iam_role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
# 2) Create the IAM Instance Profile, which gets assigned to the EC2 instance when it is launched.
# Q: Why do we need to create an Instance Profile if it can only have a single IAM Role?
# A: Because the AWS API said so. Who knows...
resource "aws_iam_instance_profile" "elasticsearch_iam_instance_profile" {
name = "${var.service_name}_iam_instance_profile_${var.service_environment}"
roles = ["${aws_iam_role.elasticsearch_iam_role.name}"]
}
# 3) Attach any IAM Role Policies to the IAM Role which are specific to the application.
resource "aws_iam_role_policy" "my_application_iam_role_policy" {
name = "my_application_iam_role_policy"
role = "${aws_iam_role.my_application_iam_role.id}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Some application specific permissions statement",
}
]
}
EOF
}
# 4) Attach any shared/global IAM Role Policies to the IAM Role
module "iam_role_policy_aws_cloudwatch_logs" {
# Gist does not allow subdirectories, but this source path
# would reference a directory with a main.tf file in it.
source = "module_publish_to_aws_cloudwatch_logs"
iam_role_id = "${aws_iam_role.elasticsearch_iam_role.id}"
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment