Created
September 10, 2020 04:29
-
-
Save tedivm/d9881723ee43e41b1603b42df57f6adf to your computer and use it in GitHub Desktop.
Packer IAM Role in Terraform
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| data "aws_caller_identity" "current" {} | |
| data "aws_region" "current" {} | |
| locals { | |
| rolename = "${local.identifier}-${data.aws_region.current.name}" | |
| } | |
| data "aws_iam_policy_document" "packer" { | |
| # Global ECS Permissions Statement | |
| statement { | |
| actions = [ | |
| "ec2:Describe*", | |
| "ec2:CreateKeyPair", | |
| "ec2:DeleteKeyPair", | |
| "ec2:CreateImage", | |
| "ec2:DescribeKeyPairs", | |
| "ec2:CreateSecurityGroup", | |
| "iam:GetInstanceProfiles", | |
| "iam:ListInstanceProfiles", | |
| "ec2:CreateTags" | |
| ] | |
| resources = ["*"] | |
| } | |
| # Be able to pass role to instance | |
| statement { | |
| actions = [ | |
| "iam:PassRole" | |
| ] | |
| resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.rolename}"] | |
| } | |
| # Manage instances but only if they have this profile | |
| statement { | |
| actions = [ | |
| "ec2:RunInstances", | |
| "ec2:StartInstances", | |
| "ec2:StopInstances", | |
| "ec2:RebootInstances", | |
| "ec2:TerminateInstances", | |
| "ec2:ModifyInstanceAttribute", | |
| "ec2:GetPasswordData", | |
| "ec2:AttachVolume", | |
| "ec2:DetachVolume", | |
| "ec2:CreateSnapshot", | |
| "ec2:DeleteSnaphot", | |
| "ec2:AuthorizeSecurityGroup*", | |
| "ec2:RevokeSecurityGroup*" | |
| ] | |
| condition { | |
| test = "StringEquals" | |
| variable = "ec2:InstanceProfile" | |
| values = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:instance-profile/${local.rolename}"] | |
| } | |
| resources = ["arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:instance/*"] | |
| } | |
| # Running instances requires access to a lot of resources | |
| statement { | |
| actions = [ | |
| "ec2:RunInstances" | |
| ] | |
| resources = [ | |
| "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:subnet/*", | |
| "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:volume/*", | |
| "arn:aws:ec2:${data.aws_region.current.name}::image/*", | |
| "arn:aws:ec2:${data.aws_region.current.name}::snapshot/*", | |
| "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:network-interface/*", | |
| "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key-pair/*", | |
| "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:security-group/*" | |
| ] | |
| } | |
| } | |
| resource "aws_iam_policy" "packer" { | |
| name = "${local.rolename}-policy" | |
| path = "/" | |
| description = "Packer Policy" | |
| policy = data.aws_iam_policy_document.packer.json | |
| } | |
| # | |
| # Create role for IAM Instance | |
| # | |
| resource "aws_iam_role" "packer" { | |
| name = local.rolename | |
| # Allow EC2 instances to use this role. | |
| assume_role_policy = <<EOF | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": "sts:AssumeRole", | |
| "Principal": { | |
| "Service": "ec2.amazonaws.com" | |
| }, | |
| "Effect": "Allow", | |
| "Sid": "" | |
| } | |
| ] | |
| } | |
| EOF | |
| } | |
| resource "aws_iam_role_policy_attachment" "packer-policy" { | |
| role = aws_iam_role.packer.name | |
| policy_arn = aws_iam_policy.packer.arn | |
| } | |
| # Add an instance profile. These are created automatically in the console but not in terraform. | |
| resource "aws_iam_instance_profile" "test_profile" { | |
| name = aws_iam_role.packer.name | |
| role = aws_iam_role.packer.name | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment