add IAM role for secret manager EC2 access

autonomys · Jan 24, 2025 · 17ae68e · 17ae68e
1 parent 5c5e0d6
commit 17ae68e
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 0 deletions.
diff --git a/auto-drive/main.tf b/auto-drive/main.tf
@@ -128,6 +128,7 @@ module "ec2_auto_drive" {
   availability_zone           = element(module.vpc.azs, 0)
   subnet_id                   = element(module.vpc.public_subnets, 0)
   vpc_security_group_ids      = [aws_security_group.auto_drive_sg.id]
+  iam_instance_profile        = aws_iam_instance_profile.secrets_instance_profile.name
   associate_public_ip_address = false # Gateway instances use EIPs
   create_eip                  = true
   disable_api_stop            = false

diff --git a/auto-drive/secret.tf b/auto-drive/secret.tf
@@ -0,0 +1,50 @@
+# IAM Role for Secrets Manager
+resource "aws_iam_role" "auto_secret_role" {
+  name = "AutoDriveSecretsManagerAppRole"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = [
+            "ec2.amazonaws.com",
+            "lambda.amazonaws.com"
+          ]
+        }
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+
+# Policy to Access Secrets Manager
+resource "aws_iam_policy" "secrets_manager_policy" {
+  name        = "SecretsManagerReadPolicy"
+  description = "Policy to allow reading a specific secret from AWS Secrets Manager"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect   = "Allow"
+        Action   = "secretsmanager:GetSecretValue"
+        Resource = "arn:aws:secretsmanager:${var.region}:${data.aws_caller_identity.current.account_id}:secret:my-app-secret"
+      }
+    ]
+  })
+}
+
+
+# Attach Policy to IAM Role
+resource "aws_iam_role_policy_attachment" "attach_policy" {
+  role       = aws_iam_role.auto_secret_role.name
+  policy_arn = aws_iam_policy.secrets_manager_policy.arn
+}
+
+resource "aws_iam_instance_profile" "secrets_instance_profile" {
+  name = "SecretsInstanceProfile"
+  role = aws_iam_role.auto_secret_role.name
+}
diff --git a/templates/terraform/aws/ec2/main.tf b/templates/terraform/aws/ec2/main.tf
@@ -196,6 +196,7 @@ resource "aws_instance" "this" {
       ami,
       private_ip,
       associate_public_ip_address,
+      vpc_security_group_ids,
     ]
   }
 }
@@ -382,6 +383,7 @@ resource "aws_instance" "ignore_ami" {
       ami,
       private_ip,
       associate_public_ip_address,
+      vpc_security_group_ids,
     ]
   }
 }

diff --git a/templates/terraform/aws/rds/modules/db_instance/main.tf b/templates/terraform/aws/rds/modules/db_instance/main.tf
@@ -77,6 +77,12 @@ resource "aws_db_instance" "this" {
   apply_immediately           = var.apply_immediately
   maintenance_window          = var.maintenance_window
 
+  lifecycle {
+    ignore_changes = [
+      vpc_security_group_ids,
+    ]
+  }
+
   # https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/blue-green-deployments.html
   dynamic "blue_green_update" {
     for_each = length(var.blue_green_update) > 0 ? [var.blue_green_update] : []