Commit ee7579d

authored
Merge pull request #24 from cruxstack/dev
feat: update how role polices to remove dep warnings
2 parents 844f220 + 6db10bc commit ee7579d

1 file changed

+45
-39
lines changed

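--- a/modules/teleport-node/main.tf
+++ b/modules/teleport-node/main.tf
@@ -32,6 +32,38 @@ locals {
 vpc_security_group_ids = var.vpc_security_group_ids
 vpc_private_subnet_ids = var.vpc_private_subnet_ids
 vpc_public_subnet_ids = var.vpc_public_subnet_ids
+
+iam_role_attached_policy_arns = ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"]
+iam_role_attached_policies = flatten([
+module.this.enabled ? [
+{
+name = "ec2-management-access"
+policy = one(data.aws_iam_policy_document.ec2_management[0].json)
+},
+{
+name = "teleport-base-access"
+policy = one(data.aws_iam_policy_document.base_access[0].json)
+}
+] : [],
+contains(["auth"], local.teleport_node_type) ? [
+{
+name = "teleport-auth-access"
+policy = one(data.aws_iam_policy_document.auth_access[0].json)
+}
+] : [],
+contains(["node"], local.teleport_node_type) ? [
+{
+name = "teleport-node-access"
+policy = one(data.aws_iam_policy_document.node_access[0].json)
+}
+] : [],
+contains(["proxy"], local.teleport_node_type) ? [
+{
+name = "teleport-proxy-access"
+policy = one(data.aws_iam_policy_document.proxy_access[0].json)
+}
+] : [],
+])
 }
 
 module "dns_label" {
@@ -209,7 +241,7 @@ locals {
 }
 }
 
-# ---------------------------------------------------------------------- iam ---
+# ---------------------------------------------------------------- cloudinit ---
 
 data "cloudinit_config" "this" {
 count = module.this.enabled ? 1 : 0
@@ -538,48 +570,22 @@ resource "aws_iam_role" "this" {
 }]
 })
 
-managed_policy_arns = [
-"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
-]
-
-inline_policy {
-name = "ec2-management-access"
-policy = data.aws_iam_policy_document.ec2_management[0].json
-}
-
-inline_policy {
-name = "teleport-base-access"
-policy = data.aws_iam_policy_document.base_access[0].json
-}
-
-dynamic "inline_policy" {
-for_each = contains(["auth"], local.teleport_node_type) ? [true] : []
-
-content {
-name = "teleport-auth-access"
-policy = data.aws_iam_policy_document.auth_access[0].json
-}
-}
+tags = module.node_type_label.tags
+}
 
-dynamic "inline_policy" {
-for_each = contains(["node"], local.teleport_node_type) ? [true] : []
+resource "aws_iam_role_policy_attachment" "this" {
+for_each = toset(local.iam_role_attached_policy_arns)
 
-content {
-name = "teleport-node-access"
-policy = data.aws_iam_policy_document.node_access[0].json
-}
-}
-
-dynamic "inline_policy" {
-for_each = contains(["proxy"], local.teleport_node_type) ? [true] : []
+role = aws_iam_role.this[0].name
+policy_arn = each.key
+}
 
-content {
-name = "teleport-proxy-access"
-policy = data.aws_iam_policy_document.proxy_access[0].json
-}
-}
+resource "aws_iam_role_policy" "this" {
+for_each = { for x in local.iam_role_attached_policies : x.name => x }
 
-tags = module.node_type_label.tags
+role = aws_iam_role.this[0].name
+name = each.key
+policy = each.value.policy
 }
 
 data "aws_iam_policy_document" "ec2_management" {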
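Review bot: Dropping `managed_policy_arns` and the `inline_policy` blocks from `aws_iam_role.this` quietly ends Terraform's exclusive management of the role's policies: with standalone `aws_iam_role_policy_attachment` and `aws_iam_role_policy` resources, a policy attached out of band (by hand or by another stack) is no longer detected or removed on the next apply, so privilege creep on the Teleport node role would go unnoticed. If the pinned AWS provider is recent enough, pair the new resources with `aws_iam_role_policy_attachments_exclusive` and `aws_iam_role_policies_exclusive`, fed `local.iam_role_attached_policy_arns` and `local.iam_role_attached_policies[*].name`, to keep the drift protection the old arguments gave; otherwise add a comment above the new resources stating that only the listed policies are managed and unlisted attachments are tolerated. Separately, `aws_iam_role_policy_attachment.this` iterates `local.iam_role_attached_policy_arns` unconditionally while referencing `aws_iam_role.this[0].name`; if the role's `count` (outside this hunk) follows `module.this.enabled` like `cloudinit_config.this`, a disabled module fails at plan time, so gate it with `for_each = module.this.enabled ? toset(local.iam_role_attached_policy_arns) : toset([])`. The `one(...)` wrapper in the new locals also looks wrong: `data.aws_iam_policy_document.ec2_management[0].json` is already a string and `one()` expects a list, set or tuple, so either use the splat form `one(data.aws_iam_policy_document.ec2_management[*].json)` or drop `one()` as the removed lines did.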
