@kritro
Last active May 20, 2021 07:17
import * as iam from '@aws-cdk/aws-iam'; // CDK v1; with CDK v2 import from 'aws-cdk-lib/aws-iam'

// This snippet runs inside a Stack (or other Construct) constructor, so `this` is the scope.
// `directoryID` (the directory ID of the AWS Directory Service directory, "d-...") is assumed
// to be defined earlier in the same scope.

// Create the IAM role that the EC2 instance profile will use
const role = new iam.Role(this, 'app-mysql-server-role', {
  assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
});

// Add AWS managed policies to that role.
// AmazonSSMManagedInstanceCore is what an instance needs for Session Manager, Run Command
// and inventory. AmazonSSMAutomationRole is the service-role policy for SSM Automation itself
// and grants far more than an instance needs; keep it only if this instance really runs automations.
role.addManagedPolicy(iam.ManagedPolicy.fromManagedPolicyArn(this, 'AmazonSSMAutomationRole', 'arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole'));
role.addManagedPolicy(iam.ManagedPolicy.fromManagedPolicyArn(this, 'AmazonSSMManagedInstanceCore', 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'));

// Underlying JSON for the custom policy. The statements are kept as in the gist;
// the comments mark where a statement grants more than the instance needs.
const appPolicy = {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "appIamInstancePolicy",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",   // Describe* calls do not support resource-level permissions, so "*" is needed for these
        "ssm:ListTagsForResource",
        "ds:CreateComputer"        // on "*" this makes the resource-scoped DomainJoinComputer statement below redundant
      ],
      "Resource": "*"
    },
    {
      "Sid": "AttachVolume",
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume"
      ],
      "Resource": "*"              // attach any volume to any instance in the account; scope to instance and volume ARNs
    },
    {
      "Sid": "AssumeKMSRole",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      // Placeholder account ID (real ones are 12 digits). "role/*" lets the instance assume every
      // role in that account whose trust policy allows it; name the one role it actually needs.
      "Resource": "arn:aws:iam::2222222222222:role/*"
    },
    {
      "Sid": "GetKMSKey",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey",
        "kms:*"                    // supersedes the five actions above; with Resource "*" this is full KMS admin on every key in the account
      ],
      "Resource": "*"              // scope to the ARN(s) of the key(s) the instance uses and drop kms:*
    },
    {
      "Sid": "DomainJoinComputer",
      "Effect": "Allow",
      "Action": [
        "ds:CreateComputer"
      ],
      "Resource": [
        // process.env.account must be set at synth time; Stack.of(this).account is the CDK-native alternative
        "arn:aws:ds:eu-west-1:" + process.env.account + ":directory/" + directoryID
      ]
    }
  ]
};

// Create the PolicyDocument from the JSON
const appPolicyDocument = iam.PolicyDocument.fromJson(appPolicy);

// Create the actual policy based on the document above
const appInstancePolicy = new iam.Policy(this, 'app-instance-policy', {
  policyName: 'appIamInstancePolicy',
  document: appPolicyDocument,
});

// Attach the policy to the role
appInstancePolicy.attachToRole(role);
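The policy above grants `kms:*` and `ec2:AttachVolume` on every resource, `sts:AssumeRole` on every role in the second account, and `ds:CreateComputer` on `*` in one statement while scoping it to a directory in another. The following TypeScript is an added example, not code from the gist or its author: it restates the same grants as a least-privilege document in plain JSON and adds a small linter that flags exactly those patterns, so it can be run against a policy document before `PolicyDocument.fromJson` ever sees it. It has no CDK dependency. The account ID, region, directory ID, KMS key ARN and cross-account role name are hypothetical placeholders, and the "read-only" test (Describe/List/Get actions may stay on `"*"`) is a deliberate simplification.

```typescript
// Added example, not part of the gist: least-privilege rewrite of the instance
// policy plus a linter that flags the over-broad statements in the original.

type Statement = {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
};
type PolicyDocument = { Version: string; Statement: Statement[] };
type Finding = { sid: string; reason: string };

// Hypothetical placeholders; none of these values come from the gist.
const ACCOUNT = "111111111111";
const REGION = "eu-west-1";
const DIRECTORY_ID = "d-1234567890";
const KMS_KEY_ARN = `arn:aws:kms:${REGION}:${ACCOUNT}:key/11111111-2222-3333-4444-555555555555`;
const CROSS_ACCOUNT_ROLE_ARN = "arn:aws:iam::222222222222:role/app-kms-access";

// The gist's document as data (process.env.account / directoryID replaced by placeholders).
const originalPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "appIamInstancePolicy", Effect: "Allow",
      Action: ["ec2:DescribeInstances", "ssm:ListTagsForResource", "ds:CreateComputer"], Resource: "*" },
    { Sid: "AttachVolume", Effect: "Allow", Action: ["ec2:AttachVolume"], Resource: "*" },
    { Sid: "AssumeKMSRole", Effect: "Allow", Action: ["sts:AssumeRole"], Resource: "arn:aws:iam::2222222222222:role/*" },
    { Sid: "GetKMSKey", Effect: "Allow",
      Action: ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey", "kms:*"],
      Resource: "*" },
    { Sid: "DomainJoinComputer", Effect: "Allow", Action: ["ds:CreateComputer"],
      Resource: [`arn:aws:ds:${REGION}:${ACCOUNT}:directory/${DIRECTORY_ID}`] },
  ],
};

// Least-privilege rewrite: read-only calls that cannot be resource-scoped keep "*",
// every other statement names the resource it acts on, and kms:* is gone.
const hardenedPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "DescribeOnly", Effect: "Allow",
      Action: ["ec2:DescribeInstances", "ssm:ListTagsForResource"], Resource: "*" },
    { Sid: "AttachVolume", Effect: "Allow", Action: ["ec2:AttachVolume"],
      Resource: [`arn:aws:ec2:${REGION}:${ACCOUNT}:instance/*`, `arn:aws:ec2:${REGION}:${ACCOUNT}:volume/*`] },
    { Sid: "AssumeKMSRole", Effect: "Allow", Action: ["sts:AssumeRole"], Resource: CROSS_ACCOUNT_ROLE_ARN },
    { Sid: "UseKMSKey", Effect: "Allow",
      Action: ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
      Resource: KMS_KEY_ARN },
    { Sid: "DomainJoinComputer", Effect: "Allow", Action: ["ds:CreateComputer"],
      Resource: `arn:aws:ds:${REGION}:${ACCOUNT}:directory/${DIRECTORY_ID}` },
  ],
};

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);
// Simplification: Describe/List/Get calls are treated as read-only and acceptable on "*".
const isReadOnly = (action: string): boolean => /^[a-z0-9-]+:(Describe|List|Get)[A-Za-z]*$/.test(action);

function lintPolicy(doc: PolicyDocument): Finding[] {
  const findings: Finding[] = [];
  const grantedOnAnything = new Set<string>(); // actions already allowed with Resource "*"
  for (const s of doc.Statement) {
    if (s.Effect !== "Allow") continue;
    const sid = s.Sid ?? "(no Sid)";
    const actions = asList(s.Action);
    const resources = asList(s.Resource);
    for (const a of actions) {
      if (a === "*" || a.endsWith(":*")) findings.push({ sid, reason: `service-wide action ${a}` });
    }
    if (resources.includes("*")) {
      actions.forEach((a) => grantedOnAnything.add(a));
      const mutating = actions.filter((a) => !isReadOnly(a));
      if (mutating.length > 0) findings.push({ sid, reason: `Resource "*" for ${mutating.join(", ")}` });
    }
    if (actions.includes("sts:AssumeRole")) {
      for (const r of resources) {
        if (r.endsWith("/*")) findings.push({ sid, reason: `sts:AssumeRole on every role matching ${r}` });
      }
    }
  }
  // Second pass: a resource-scoped statement is dead weight if an unscoped one already covers its action.
  for (const s of doc.Statement) {
    if (s.Effect !== "Allow" || asList(s.Resource).includes("*")) continue;
    const shadowed = asList(s.Action).filter((a) => grantedOnAnything.has(a));
    if (shadowed.length > 0) {
      findings.push({ sid: s.Sid ?? "(no Sid)", reason: `scoped grant of ${shadowed.join(", ")} is shadowed by an unscoped statement` });
    }
  }
  return findings;
}

for (const f of lintPolicy(originalPolicy)) console.log(`${f.sid}: ${f.reason}`);
console.log(`hardened policy findings: ${lintPolicy(hardenedPolicy).length}`);
```

Run over the gist's document the linter reports six findings (the unscoped `ds:CreateComputer`, `ec2:AttachVolume` and KMS grants, the `kms:*` action, the `role/*` assume target, and the shadowed `DomainJoinComputer` statement); the hardened document produces none. The `ec2:AttachVolume` statement still uses `instance/*` and `volume/*`, because the call needs both resource types; a tag-based condition would narrow it further, but that depends on the tagging scheme and is left out here.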