kszarek · April 30, 2020 17:07
diff --git a/condition_iam_policy.tf b/condition_iam_policy.tf
 data "aws_iam_policy_document" "manager" {
  statement {
    sid = "Cache"
    actions = [
      "s3:ListObjects*",
      "s3:GetObject*",
      "s3:DeleteObject*",
      "s3:PutObject*"
    ]
    resources = ["${module.s3_cache.arn}/*"]
  }

  statement {
    actions   = ["s3:ListBucket"]
    resources = [module.s3_cache.arn]
  }

  statement {
    actions   = ["iam:CreateServiceLinkedRole"]
    resources = ["*"]
  }

  statement {
    actions = [
      "ec2:AuthorizeSecurityGroupIngress",
      "ec2:CreateKeyPair",
      "ec2:DeleteKeyPair",
      "ec2:ImportKeyPair",
      "ec2:Describe*",
      "ec2messages:GetMessages",
      "ec2:CreateTags",
      "ssm:UpdateInstanceInformation",
      "ssm:ListAssociations",
      "ssm:ListInstanceAssociations"
    ]
    resources = ["*"]
  }

  statement {
    sid = "StartRunners"
    actions = [
      "ec2:RunInstances",
      "ec2:RequestSpotInstances"
    ]
    resources = ["*"]

    condition {
      test     = "StringEqualsIfExists"
      variable = "ec2:Tenancy"
      values   = ["default"]
    }

    condition {
      test     = "StringEqualsIfExists"
      variable = "ec2:Region"
      values   = [data.aws_region.current.name]
    }

    condition {
      test     = "ArnEqualsIfExists"
      variable = "ec2:Vpc"
      values   = [data.aws_vpc.current.arn]
    }

    condition {
      test     = "ArnEqualsIfExists"
      variable = "ec2:InstanceProfile"
      values   = [aws_iam_instance_profile.runner.arn]
    }
  }

  statement {
    sid = "StopRunners"
    actions = [
      "ec2:TerminateInstances",
      "ec2:StopInstances",
      "ec2:StartInstances",
      "ec2:RebootInstances"
    ]
    resources = ["*"]

    condition {
      test     = "StringLike"
      variable = "ec2:ResourceTag/Name"
      values   = ["*gitlab-docker-machine-*"]
    }

    condition {
      test     = "ArnEquals"
      variable = "ec2:InstanceProfile"
      values   = [aws_iam_instance_profile.runner.arn]
    }
  }

  statement {
    actions   = ["iam:PassRole"]
    resources = [aws_iam_role.runner.arn]
  }
 }
	data "aws_iam_policy_document" "manager" {
	statement {
	sid = "Cache"
	actions = [
	"s3:ListObjects*",
	"s3:GetObject*",
	"s3:DeleteObject*",
	"s3:PutObject*"
	]
	resources = ["${module.s3_cache.arn}/*"]
	}

	statement {
	actions = ["s3:ListBucket"]
	resources = [module.s3_cache.arn]
	}

	statement {
	actions = ["iam:CreateServiceLinkedRole"]
	resources = ["*"]
	}

	statement {
	actions = [
	"ec2:AuthorizeSecurityGroupIngress",
	"ec2:CreateKeyPair",
	"ec2:DeleteKeyPair",
	"ec2:ImportKeyPair",
	"ec2:Describe*",
	"ec2messages:GetMessages",
	"ec2:CreateTags",
	"ssm:UpdateInstanceInformation",
	"ssm:ListAssociations",
	"ssm:ListInstanceAssociations"
	]
	resources = ["*"]
	}

	statement {
	sid = "StartRunners"
	actions = [
	"ec2:RunInstances",
	"ec2:RequestSpotInstances"
	]
	resources = ["*"]

	condition {
	test = "StringEqualsIfExists"
	variable = "ec2:Tenancy"
	values = ["default"]
	}

	condition {
	test = "StringEqualsIfExists"
	variable = "ec2:Region"
	values = [data.aws_region.current.name]
	}

	condition {
	test = "ArnEqualsIfExists"
	variable = "ec2:Vpc"
	values = [data.aws_vpc.current.arn]
	}

	condition {
	test = "ArnEqualsIfExists"
	variable = "ec2:InstanceProfile"
	values = [aws_iam_instance_profile.runner.arn]
	}
	}

	statement {
	sid = "StopRunners"
	actions = [
	"ec2:TerminateInstances",
	"ec2:StopInstances",
	"ec2:StartInstances",
	"ec2:RebootInstances"
	]
	resources = ["*"]

	condition {
	test = "StringLike"
	variable = "ec2:ResourceTag/Name"
	values = ["gitlab-docker-machine-"]
	}

	condition {
	test = "ArnEquals"
	variable = "ec2:InstanceProfile"
	values = [aws_iam_instance_profile.runner.arn]
	}
	}

	statement {
	actions = ["iam:PassRole"]
	resources = [aws_iam_role.runner.arn]
	}
	}