feat: add SSM write permissions

masterpointio · Nov 20, 2024 · a497d78 · a497d78
1 parent 09b372c
commit a497d78
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -71,23 +71,26 @@ Here is an example of using this module:
 
 ## Providers
 
-| Name                                                               | Version   |
-| ------------------------------------------------------------------ | --------- |
-| <a name="provider_tailscale"></a> [tailscale](#provider_tailscale) | >= 0.13.7 |
+| Name                                                               | Version |
+| ------------------------------------------------------------------ | ------- |
+| <a name="provider_aws"></a> [aws](#provider_aws)                   | 5.76.0  |
+| <a name="provider_tailscale"></a> [tailscale](#provider_tailscale) | 0.17.2  |
 
 ## Modules
 
 | Name                                                                                                     | Source                             | Version |
 | -------------------------------------------------------------------------------------------------------- | ---------------------------------- | ------- |
+| <a name="module_ssm_policy"></a> [ssm_policy](#module_ssm_policy)                                        | cloudposse/iam-policy/aws          | 2.0.1   |
 | <a name="module_ssm_state"></a> [ssm_state](#module_ssm_state)                                           | cloudposse/ssm-parameter-store/aws | 0.13.0  |
 | <a name="module_tailscale_subnet_router"></a> [tailscale_subnet_router](#module_tailscale_subnet_router) | masterpointio/ssm-agent/aws        | 1.2.0   |
 | <a name="module_this"></a> [this](#module_this)                                                          | cloudposse/label/null              | 0.25.0  |
 
 ## Resources
 
-| Name                                                                                                                           | Type     |
-| ------------------------------------------------------------------------------------------------------------------------------ | -------- |
-| [tailscale_tailnet_key.default](https://registry.terraform.io/providers/tailscale/tailscale/latest/docs/resources/tailnet_key) | resource |
+| Name                                                                                                                                             | Type     |
+| ------------------------------------------------------------------------------------------------------------------------------------------------ | -------- |
+| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [tailscale_tailnet_key.default](https://registry.terraform.io/providers/tailscale/tailscale/latest/docs/resources/tailnet_key)                   | resource |
 
 ## Inputs
 

diff --git a/main.tf b/main.tf
@@ -90,3 +90,34 @@ module "ssm_state" {
   context = module.this.context
   tags    = module.this.tags
 }
+
+module "ssm_policy" {
+  count   = var.ssm_state_enabled ? 1 : 0
+  source  = "cloudposse/iam-policy/aws"
+  version = "2.0.1"
+
+  name        = "ssm"
+  description = "Additional SSM access for SSM Agent"
+
+  iam_policy_enabled = true
+  iam_policy = [{
+    statements = [
+      {
+        sid     = "SSMAgentPutParameter"
+        effect  = "Allow"
+        actions = ["ssm:PutParameter"]
+        resources = [
+          module.ssm_state[0].arn_map[local.ssm_state_param_name],
+        ]
+      },
+    ]
+  }]
+  context = module.this.context
+  tags    = module.this.tags
+}
+
+resource "aws_iam_role_policy_attachment" "default" {
+  count      = var.ssm_state_enabled ? 1 : 0
+  role       = module.tailscale_subnet_router.role_id
+  policy_arn = module.ssm_policy[0].policy_arn
+}