Add ec-connect-role module

qrilka · qrilka · commit 31bcc52d4d0a · 2020-04-30T10:24:34.000+03:00
diff --git a/modules/ec2-connect-role/README.md b/modules/ec2-connect-role/README.md
@@ -0,0 +1,4 @@
+## EC2 Instance Connect Role
+
+Creates an IAM role that can be used to connect to EC2 instances using
+EC2 Instance Connect e.g. created using the `ec2-connect-tunnel` module.
diff --git a/modules/ec2-connect-role/main.tf b/modules/ec2-connect-role/main.tf
@@ -0,0 +1,47 @@
+data "aws_caller_identity" "current" {
+}
+
+data "aws_iam_policy_document" "ec2-instance-connect" {
+  statement {
+    actions = [
+      "ec2:DescribeInstances",
+    ]
+
+    resources = ["*"]
+  }
+
+  statement {
+    actions = [
+      "ec2-instance-connect:SendSSHPublicKey",
+    ]
+
+    resources = [for i in var.instance_ids : "arn:aws:ec2:${var.region}:${var.account_id}:instance/${i}"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "ec2:osuser"
+
+      values = [
+        "ubuntu",
+      ]
+    }
+  }
+}
+
+resource "aws_iam_policy" "ec2-instance-connect" {
+  name        = "ec2-instance-connect"
+  description = "grants permissions to connect to an instance using EC2 Instance Connect"
+  policy      = data.aws_iam_policy_document.ec2-instance-connect.json
+}
+
+module "role" {
+  source            = "../cross-account-role"
+  name              = var.name
+  trust_account_ids = concat([data.aws_caller_identity.current.account_id],
+    var.trust_account_ids)
+}
+
+resource "aws_iam_role_policy_attachment" "role_ec2-instance-connect" {
+  role       = module.role.name
+  policy_arn = aws_iam_policy.ec2-instance-connect.arn
+}
diff --git a/modules/ec2-connect-role/outputs.tf b/modules/ec2-connect-role/outputs.tf
@@ -0,0 +1,7 @@
+output "arn" {
+  value = module.role.arn
+}
+
+output "name" {
+  value = module.role.name
+}
diff --git a/modules/ec2-connect-role/variables.tf b/modules/ec2-connect-role/variables.tf
@@ -0,0 +1,26 @@
+variable "name" {
+  description = "Name to give the role"
+  type        = string
+}
+
+variable "trust_account_ids" {
+  description = "List of other accounts to trust to assume the role"
+  default     = []
+  type        = list(string)
+}
+
+variable "region" {
+  description = "The AWS region to deploy to"
+  type        = string
+}
+
+variable "account_id" {
+  description = "ID of the account which instances to connect to"
+  type        = string
+}
+
+variable "instance_ids" {
+  description = "IDs of instances to connect to"
+  type        = list(string)
+  default     = ["*"]
+}
