From ad711a7ab2fc04a76f3a7e0410bd57c91d7f3535 Mon Sep 17 00:00:00 2001
From: Kevin
Date: Tue, 23 Nov 2021 17:02:58 -0500
Subject: [PATCH] Optional SSM policy and SG

---
 main.tf | 23 ++++++++++++++++-------
 outputs.tf | 2 +-
 variables.tf | 16 ++++++++++++++--
 3 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/main.tf b/main.tf
index f2b0d1f..89b9b1f 100644
--- a/main.tf
+++ b/main.tf
@@ -1,7 +1,9 @@
 locals {
- allow_ssm = var.create && var.use_ssm
- create_key = var.create && var.create_keypair
- keypair = local.create_key ? aws_key_pair.instance_root[0].key_name : var.external_keypair
+ create_ssm = var.create && var.create_ssm
+ create_key = var.create && var.create_keypair
+ create_sg = var.create && var.create_sg
+ instance_sg = try(aws_security_group.instance[0].id, "")
+ keypair = local.create_key ? aws_key_pair.instance_root[0].key_name : var.external_keypair
 }
 
 ##########################################
@@ -9,7 +11,7 @@ locals {
 ##########################################
 
 resource "aws_security_group" "instance" {
- count = var.create ? 1 : 0
+ count = local.create_sg ? 1 : 0
 name_prefix = "${var.env}-${var.name}-"
 description = "Security group attached to the ${var.env}-${var.name} instance."
 vpc_id = var.vpc
@@ -113,17 +115,23 @@ data "aws_iam_policy_document" "ssm_access" {
 }
 
 resource "aws_iam_policy" "ssm_access" {
- count = local.allow_ssm ? 1 : 0
+ count = local.create_ssm ? 1 : 0
 name_prefix = "${var.name}-ssm-access-"
 policy = data.aws_iam_policy_document.ssm_access.json
 }
 
 resource "aws_iam_role_policy_attachment" "ssm_access" {
- count = local.allow_ssm ? 1 : 0
+ count = local.create_ssm ? 1 : 0
 role = aws_iam_role.instance[0].name
 policy_arn = aws_iam_policy.ssm_access[0].arn
 }
 
+resource "aws_iam_role_policy_attachment" "ssm_access_arn" {
+ count = var.ssm_access_arn != "" ? 1 : 0
+ role = aws_iam_role.instance[0].name
+ policy_arn = var.ssm_access_arn
+}
+
 data "aws_iam_policy_document" "instance_tags" {
 statement {
 actions = [
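Review bot: `instance_sg = try(aws_security_group.instance[0].id, "")` computes the same "id or empty string" value that outputs.tf now derives with `join("", aws_security_group.instance[*].id)`, and the two idioms should agree. Writing it as `instance_sg = join("", aws_security_group.instance[*].id)` keeps the module consistent and avoids `try()`, which also swallows any other evaluation error inside that expression rather than only the missing-index case. The locals block is complete within the hunk.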
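Review bot: The new `ssm_access_arn` attachment is gated only on `var.ssm_access_arn != ""`, so unlike its sibling `ssm_access` it ignores `var.create`; if `aws_iam_role.instance` is counted on `var.create` like the other resources in this file (its definition is outside the hunk), supplying an ARN together with `create = false` makes `aws_iam_role.instance[0].name` fail at plan time. `count = var.create && var.ssm_access_arn != "" ? 1 : 0` closes that gap. Because `create_ssm` defaults to true, a caller who supplies `ssm_access_arn` gets both the module-built policy and their own attached unless they also set `create_ssm = false`; a comment on the resource such as `# Attached in addition to aws_iam_policy.ssm_access; set create_ssm = false to attach only the supplied policy.` would make that explicit. Since the supplied ARN is attached to the instance role as-is, the comment should also say that the caller is responsible for keeping that policy scoped to SSM access.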
@@ -195,10 +203,11 @@ resource "aws_instance" "instance" {
 private_ip = var.instance_ip != null ? var.instance_ip : null
 subnet_id = var.subnet_id
 user_data = var.userdata_script
- vpc_security_group_ids = concat([aws_security_group.instance[0].id], var.security_groups)
+ vpc_security_group_ids = compact(concat([local.instance_sg], var.security_groups))
 
 root_block_device {
 delete_on_termination = true
+ encrypted = true
 volume_size = var.volume_size
 volume_type = var.volume_type
 }
diff --git a/outputs.tf b/outputs.tf
index 872d6ee..8085d63 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -5,7 +5,7 @@ output "instance_id" {
 
 output "instance_sg_id" {
 description = "ID of the instance created"
- value = aws_security_group.instance[0].id
+ value = join("", aws_security_group.instance[*].id)
 }
 
 output "private_ip" {
diff --git a/variables.tf b/variables.tf
index be44120..e1ea42c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -61,12 +61,24 @@ variable "create_keypair" {
 type = bool
 }
 
-variable "use_ssm" {
+variable "create_sg" {
 default = true
- description = "Whether or not to associate an IAM managed policy to allow SSM access to the instance."
+ description = "Whether or not to create and associate a security group for the instance. "
 type = bool
 }
 
+variable "create_ssm" {
+ default = true
+ description = "Whether or not to create and associate an IAM managed policy to allow SSM access to the instance."
+ type = bool
+}
+
+variable "ssm_access_arn" {
+ default = ""
+ description = "Whether or not to associate a pre-created IAM managed policy to allow SSM access to the instance."
+ type = string
+}
+
 variable "userdata_script" {
 description = "Userdata script to execute when provisioning the instance."
 type = string
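Review bot: When `create_sg` is false and `var.security_groups` is empty, the new `compact(concat([local.instance_sg], var.security_groups))` yields an empty list, and EC2 then places the instance in the VPC's default security group instead of failing, which silently widens the instance's network exposure to whatever that default group permits. A guard such as `precondition { condition = local.create_sg || length(var.security_groups) > 0 }` with an `error_message` in the resource's `lifecycle` block (Terraform 1.2 or later) turns that into a plan-time error; on older versions, the `create_sg` description should at least state that `security_groups` must be non-empty when it is false. `encrypted = true` without a `kms_key_id` uses the account's default EBS encryption key; if callers need a customer-managed key, consider exposing an optional `kms_key_id` variable on this block. The aws_instance resource body continues outside the hunk.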
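Review bot: The output's description `"ID of the instance created"` names the wrong resource and, with the new `join("", aws_security_group.instance[*].id)` value, does not tell callers that the value is an empty string when `create_sg` is false. `description = "ID of the security group created for the instance; empty string when create_sg is false."` covers both. A caller that feeds this output into its own security-group list without `compact()` would otherwise pass an empty id to the provider.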
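Review bot: The description of the new `ssm_access_arn` variable, `"Whether or not to associate a pre-created IAM managed policy ..."`, is copied from a boolean and does not describe a string; `description = "ARN of a pre-created IAM managed policy granting SSM access, attached to the instance role when non-empty. The default empty string attaches nothing."` matches what main.tf does with it. The `create_sg` description carries a trailing space inside the quotes (`"... for the instance. "`) and should also say that `security_groups` must be non-empty when `create_sg` is false, since the instance otherwise gets no module-managed group. If the module targets Terraform 0.13 or later, a `validation` block on `ssm_access_arn` that accepts either the empty string or a value beginning with `arn:` and containing `:iam::` would reject malformed input at plan time rather than at apply.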