# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 # --- modules/iam/main.tf --- # DATA SOURCE: AWS CALLER IDENTITY - Used to get the Account ID data "aws_caller_identity" "current" {} # VPC FLOW LOGS - ROLE AND POLICY # IAM Role data "aws_iam_policy_document" "policy_role_document" { statement { sid = "1" actions = ["sts:AssumeRole"] principals { type = "Service" identifiers = ["vpc-flow-logs.amazonaws.com"] } } } resource "aws_iam_role" "vpc_flowlogs_role" { name = "vpc-flowlog-role-${var.project_name}" assume_role_policy = data.aws_iam_policy_document.policy_role_document.json } # IAM Role Policy data "aws_iam_policy_document" "policy_rolepolicy_document" { statement { sid = "2" actions = [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogGroup", "logs:DescribeLogStreams" ] resources = ["arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:*"] } } resource "aws_iam_role_policy" "vpc_flowlogs_role_policy" { name = "vpc-flowlog-role-policy-${var.project_name}" role = aws_iam_role.vpc_flowlogs_role.id policy = data.aws_iam_policy_document.policy_rolepolicy_document.json } # EC2 IAM ROLE - SSM access # IAM instance profile resource "aws_iam_instance_profile" "ec2_instance_profile" { name = "ec2_instance_profile_${var.project_name}" role = aws_iam_role.role_ec2.id } # IAM role data "aws_iam_policy_document" "policy_document" { statement { sid = "1" actions = ["sts:AssumeRole"] principals { type = "Service" identifiers = ["ec2.amazonaws.com"] } } } resource "aws_iam_role" "role_ec2" { name = "ec2_ssm_role_${var.project_name}" path = "/" assume_role_policy = data.aws_iam_policy_document.policy_document.json } # Policies Attachment to Role resource "aws_iam_policy_attachment" "ssm_iam_role_policy_attachment" { name = "ssm_iam_role_policy_attachment_${var.project_name}" roles = [aws_iam_role.role_ec2.id] policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" }