-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmain.tf
111 lines (93 loc) · 2.54 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
#########################
# EC2
#########################
resource "aws_instance" "web" {
ami = "${ var.ami_id }"
instance_type = "${ var.instance_type }"
vpc_security_group_ids = ["${ aws_security_group.sesm.id }"]
subnet_id = "${ var.subnet_id }"
iam_instance_profile = "${ aws_iam_instance_profile.sesm_profile.name }"
tags = {
Name = "${ var.name }-session-manager"
}
}
#########################
# Security Group
#########################
resource "aws_security_group" "sesm" {
vpc_id = "${ var.vpc_id }"
name = "${ var.name }-sesm-sg"
tags {
Name = "${ var.name }-sesm-sg"
}
}
resource "aws_security_group_rule" "sesm_egress" {
type = "egress"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = "${ aws_security_group.sesm.id }"
}
#########################
# IAM Role
#########################
resource "aws_iam_instance_profile" "sesm_profile" {
name = "${ var.name }-sesm-profile"
role = "${ aws_iam_role.sesm.name }"
}
resource "aws_iam_role" "sesm" {
name = "${ var.name }-sesm"
assume_role_policy = "${ data.aws_iam_policy_document.ec2_assume.json }"
}
data "aws_iam_policy_document" "ec2_assume" {
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
}
}
resource "aws_iam_role_policy_attachment" "ec2_ssm" {
role = "${ aws_iam_role.sesm.name }"
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
}
#########################
# Logs
#########################
resource "aws_ssm_document" "session_manager_settings" {
name = "SSM-SessionManagerRunShell"
document_type = "Session"
document_format = "JSON"
content = <<EOF
{
"schemaVersion": "1.0",
"description": "Document to hold regional settings for Session Manager",
"sessionType": "Standard_Stream",
"inputs": {
"s3BucketName": "${ aws_s3_bucket.session_manager_log.id }",
"s3EncryptionEnabled": true
}
}
EOF
}
resource "aws_s3_bucket" "session_manager_log" {
bucket = "${ var.name }-sesm-logs"
lifecycle_rule {
id = "logs"
enabled = true
abort_incomplete_multipart_upload_days = 1
expiration {
days = 30
}
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
}