From a497d789e85b4abfe844475b555b70a57de264e8 Mon Sep 17 00:00:00 2001
From: Veronika Gnilitska
Date: Wed, 20 Nov 2024 11:20:08 -0500
Subject: [PATCH] feat: add SSM write permissions

---
 README.md | 15 +++++++++------
 main.tf | 31 +++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index b7857c2..1cdbc0d 100644
--- a/README.md
+++ b/README.md
@@ -71,23 +71,26 @@ Here is an example of using this module: ## Providers -| Name | Version | -| ------------------------------------------------------------------ | --------- | -| [tailscale](#provider_tailscale) | >= 0.13.7 | +| Name | Version | +| ------------------------------------------------------------------ | ------- | +| [aws](#provider_aws) | 5.76.0 | +| [tailscale](#provider_tailscale) | 0.17.2 | ## Modules | Name | Source | Version | | -------------------------------------------------------------------------------------------------------- | ---------------------------------- | ------- | +| [ssm_policy](#module_ssm_policy) | cloudposse/iam-policy/aws | 2.0.1 | | [ssm_state](#module_ssm_state) | cloudposse/ssm-parameter-store/aws | 0.13.0 | | [tailscale_subnet_router](#module_tailscale_subnet_router) | masterpointio/ssm-agent/aws | 1.2.0 | | [this](#module_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -| ------------------------------------------------------------------------------------------------------------------------------ | -------- | -| [tailscale_tailnet_key.default](https://registry.terraform.io/providers/tailscale/tailscale/latest/docs/resources/tailnet_key) | resource | +| Name | Type | +| ------------------------------------------------------------------------------------------------------------------------------------------------ | -------- | +| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [tailscale_tailnet_key.default](https://registry.terraform.io/providers/tailscale/tailscale/latest/docs/resources/tailnet_key) | resource | ## Inputs diff --git a/main.tf b/main.tf index d380934..c6e0235 100644 --- a/main.tf +++ b/main.tf 
@@ -90,3 +90,34 @@ module "ssm_state" {
 context = module.this.context
 tags = module.this.tags
 }
+
+module "ssm_policy" {
+ count = var.ssm_state_enabled ? 1 : 0
+ source = "cloudposse/iam-policy/aws"
+ version = "2.0.1"
+
+ name = "ssm"
+ description = "Additional SSM access for SSM Agent"
+
+ iam_policy_enabled = true
+ iam_policy = [{
+ statements = [
+ {
+ sid = "SSMAgentPutParameter"
+ effect = "Allow"
+ actions = ["ssm:PutParameter"]
+ resources = [
+ module.ssm_state[0].arn_map[local.ssm_state_param_name],
+ ]
+ },
+ ]
+ }]
+ context = module.this.context
+ tags = module.this.tags
+}
+
+resource "aws_iam_role_policy_attachment" "default" {
+ count = var.ssm_state_enabled ? 1 : 0
+ role = module.tailscale_subnet_router.role_id
+ policy_arn = module.ssm_policy[0].policy_arn
+}
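Review bot: The `ssm:PutParameter` grant in `module.ssm_policy` is correctly pinned to the single ARN from `module.ssm_state[0].arn_map[local.ssm_state_param_name]`, but the policy carries no KMS permission: if `ssm_state` (configured above this hunk, not visible here) stores that parameter as a SecureString under a customer-managed key, the instance's PutParameter will be denied without `kms:Encrypt` on that key, so either confirm the parameter uses the AWS-managed `aws/ssm` key or add a matching `kms:Encrypt` statement scoped to the key ARN. The description `"Additional SSM access for SSM Agent"` also undersells a sensitive grant — it lets the subnet router overwrite the parameter that presumably holds its Tailscale node state — and would read better as `description = "Allow the Tailscale subnet router to persist its state: ssm:PutParameter on its own state parameter only"`. A comment above the module such as `# Write access is deliberately limited to the one Tailscale state parameter; widening this resource list lets the instance overwrite other secrets, so review before changing.` would tell the next maintainer why the resource is not a wildcard. The three context lines at the top of the hunk close `module "ssm_state"`, whose body begins outside the hunk.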