# --------------------------------------------------------------------------------------------------------------------- # IAM ROLE # --------------------------------------------------------------------------------------------------------------------- resource "aws_iam_role" "app-role" { name = "${var.stack}-${var.aws_region}-app-role" path = "/" assume_role_policy = data.aws_iam_policy_document.ec2-assume-policy.json managed_policy_arns = [aws_iam_policy.dynamodb_rw_policy.arn, "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore","arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforAWSCodeDeploy"] } data "aws_iam_policy_document" "ec2-assume-policy" { statement { actions = ["sts:AssumeRole"] principals { type = "Service" identifiers = ["ec2.amazonaws.com"] } } } resource "aws_iam_policy" "dynamodb_rw_policy" { name = "${var.stack}-${var.aws_region}-dynamodb_rw_policy" policy = jsonencode({ Version = "2012-10-17" Statement = [ { Action = ["dynamodb:*"] Effect = "Allow" Resource = ["*"] // Resource = ["${var.DynamoDBTable}"] }, ] }) }