Merge pull request #159 from dxw/fix-ssm-dhmc
Fix SSM DHMC
Stretch96 authored Sep 10, 2024
2 parents ae5091b + bc31787 commit 1a29ef4
Showing 4 changed files with 0 additions and 58 deletions.
5 changes: 0 additions & 5 deletions README.md
Expand Up @@ -150,7 +150,6 @@ This project creates and manages resources within an AWS account for infrastruct
| [aws_iam_policy.infrastructure_ecs_cluster_logspout_image_codebuild_allow_builds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.infrastructure_ecs_cluster_logspout_image_codebuild_cloudwatch_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.infrastructure_ecs_cluster_logspout_image_codebuild_ecr_push](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.infrastructure_ecs_cluster_pass_role_ssm_dhmc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.infrastructure_ecs_cluster_s3_transfer_bucket_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.infrastructure_ecs_cluster_service_blue_green_codedeploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.infrastructure_ecs_cluster_service_blue_green_codedeploy_kms_encrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
Expand All @@ -173,7 +172,6 @@ This project creates and manages resources within an AWS account for infrastruct
| [aws_iam_policy.infrastructure_ecs_cluster_service_task_execution_kms_decrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.infrastructure_ecs_cluster_service_task_execution_s3_read_envfiles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.infrastructure_ecs_cluster_service_task_ssm_create_channels](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.infrastructure_ecs_cluster_ssm_service_setting_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.infrastructure_rds_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.infrastructure_rds_s3_backups_cloudwatch_schedule_ecs_run_task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
Expand Down Expand Up @@ -225,7 +223,6 @@ This project creates and manages resources within an AWS account for infrastruct
| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_logspout_image_codebuild_allow_builds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_logspout_image_codebuild_cloudwatch_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_logspout_image_codebuild_ecr_push](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_pass_role_ssm_dhmc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_s3_transfer_bucket_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_blue_green_codedeploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_blue_green_codedeploy_kms_encrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
Expand All @@ -248,7 +245,6 @@ This project creates and manages resources within an AWS account for infrastruct
| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_execution_kms_decrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_execution_s3_read_envfiles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_ssm_create_channels](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_ssm_service_setting_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.infrastructure_rds_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_cloudwatch_schedule_ecs_run_task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
Expand Down Expand Up @@ -436,7 +432,6 @@ This project creates and manages resources within an AWS account for infrastruct
| [aws_sns_topic.infrastructure_opsgenie_sns_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/sns_topic) | data source |
| [aws_sns_topic.infrastructure_slack_sns_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/sns_topic) | data source |
| [external_external.s3_presigned_url](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source |
| [external_external.ssm_dhmc_setting](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source |

## Inputs

13 changes: 0 additions & 13 deletions data.tf
Expand Up @@ -80,19 +80,6 @@ data "aws_cloudfront_response_headers_policy" "managed_policy" {
name = "Managed-${each.value}"
}

# aws_ssm_service_setting doesn't yet have a data source, so we need to use
# a script to retrieve SSM service settings
# https://github.com/hashicorp/terraform-provider-aws/issues/25170
data "external" "ssm_dhmc_setting" {
count = local.enable_infrastructure_ecs_cluster ? 1 : 0

program = ["/bin/bash", "external-data-scripts/get-ssm-service-setting.sh"]

query = {
setting_id = "arn:aws:ssm:${local.aws_region}:${local.aws_account_id}:servicesetting/ssm/managed-instance/default-ec2-instance-management-role"
}
}

data "external" "s3_presigned_url" {
for_each = local.enable_cloudformatian_s3_template_store ? local.s3_object_presign : []

39 changes: 0 additions & 39 deletions ecs-cluster-infrastructure.tf
Expand Up @@ -50,43 +50,6 @@ resource "aws_iam_role_policy_attachment" "infrastructure_ecs_cluster_ec2_ecs" {
policy_arn = aws_iam_policy.infrastructure_ecs_cluster_ec2_ecs[0].arn
}

resource "aws_iam_policy" "infrastructure_ecs_cluster_ssm_service_setting_rw" {
count = local.infrastructure_ecs_cluster_enable_ssm_dhmc ? 1 : 0

name = "${local.resource_prefix}-ssm-service-setting-rw"
policy = templatefile(
"${path.root}/policies/ssm-service-setting-rw.json.tpl",
{ ssm_service_setting_arn = data.external.ssm_dhmc_setting[0].result.arn }
)
}

resource "aws_iam_role_policy_attachment" "infrastructure_ecs_cluster_ssm_service_setting_rw" {
count = local.infrastructure_ecs_cluster_enable_ssm_dhmc ? 1 : 0

role = aws_iam_role.infrastructure_ecs_cluster[0].name
policy_arn = aws_iam_policy.infrastructure_ecs_cluster_ssm_service_setting_rw[0].arn
}

resource "aws_iam_policy" "infrastructure_ecs_cluster_pass_role_ssm_dhmc" {
count = local.infrastructure_ecs_cluster_enable_ssm_dhmc ? 1 : 0

name = "${local.resource_prefix}-pass-role-ssm-dhmc"
policy = templatefile(
"${path.root}/policies/pass-role.json.tpl",
{
role_arns = jsonencode(["arn:aws:iam::${local.aws_account_id}:role/${data.external.ssm_dhmc_setting[0].result.setting_value}"])
services = jsonencode(["ssm.amazonaws.com"])
}
)
}

resource "aws_iam_role_policy_attachment" "infrastructure_ecs_cluster_pass_role_ssm_dhmc" {
count = local.infrastructure_ecs_cluster_enable_ssm_dhmc ? 1 : 0

role = aws_iam_role.infrastructure_ecs_cluster[0].name
policy_arn = aws_iam_policy.infrastructure_ecs_cluster_pass_role_ssm_dhmc[0].arn
}

resource "aws_iam_policy" "infrastructure_ecs_cluster_s3_transfer_bucket_rw" {
count = local.enable_infrastructure_vpc_transfer_s3_bucket ? 1 : 0

Expand Down Expand Up @@ -284,8 +247,6 @@ resource "aws_autoscaling_group" "infrastructure_ecs_cluster" {

depends_on = [
aws_iam_role_policy_attachment.infrastructure_ecs_cluster_ec2_ecs,
aws_iam_role_policy_attachment.infrastructure_ecs_cluster_ssm_service_setting_rw,
aws_iam_role_policy_attachment.infrastructure_ecs_cluster_pass_role_ssm_dhmc,
aws_iam_role_policy_attachment.infrastructure_ecs_cluster_s3_transfer_bucket_rw,
aws_iam_role_policy_attachment.infrastructure_ecs_cluster_kms_encrypt,
]
1 change: 0 additions & 1 deletion locals.tf
Expand Up @@ -147,7 +147,6 @@ locals {
infrastructure_ecs_cluster_enable_debug_mode = var.infrastructure_ecs_cluster_enable_debug_mode
infrastructure_ecs_cluster_enable_execute_command_logging = var.infrastructure_ecs_cluster_enable_execute_command_logging
infrastructure_ecs_cluster_wafs = var.infrastructure_ecs_cluster_wafs
infrastructure_ecs_cluster_enable_ssm_dhmc = local.enable_infrastructure_ecs_cluster ? data.external.ssm_dhmc_setting[0].result.setting_value != "$None" : false
infrastructure_ecs_cluster_syslog_endpoint = var.infrastructure_ecs_cluster_syslog_endpoint
infrastructure_ecs_cluster_syslog_port = local.infrastructure_ecs_cluster_syslog_endpoint != "" ? split(":", local.infrastructure_ecs_cluster_syslog_endpoint)[2] : null
infrastructure_ecs_cluster_syslog_permitted_peer = var.infrastructure_ecs_cluster_syslog_permitted_peer
