You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
80 lines
1.6 KiB
HCL
80 lines
1.6 KiB
HCL
data "aws_iam_policy_document" "vpn_assume_role" {
|
|
statement {
|
|
actions = ["sts:AssumeRole"]
|
|
|
|
principals {
|
|
type = "Service"
|
|
identifiers = [
|
|
"ec2.amazonaws.com"
|
|
]
|
|
}
|
|
}
|
|
}
|
|
|
|
data "aws_iam_policy_document" "vpn" {
|
|
statement {
|
|
actions = [
|
|
"route53:ListHostedZones",
|
|
"route53:GetChange"
|
|
]
|
|
resources = [
|
|
"*"
|
|
]
|
|
}
|
|
statement {
|
|
actions = [
|
|
"route53:ChangeResourceRecordSets"
|
|
]
|
|
resources = [
|
|
"arn:aws:route53:::hostedzone/${data.aws_route53_zone.domain.zone_id}"
|
|
]
|
|
}
|
|
statement {
|
|
actions = [
|
|
"ec2:AssociateAddress",
|
|
"ec2:DescribeInstances",
|
|
"ec2:DescribeNetworkInterfaces"
|
|
]
|
|
resources = [
|
|
"*"
|
|
]
|
|
}
|
|
statement {
|
|
actions = [
|
|
"s3:Put*",
|
|
"s3:Get*",
|
|
"s3:List*"
|
|
]
|
|
resources = [
|
|
"${aws_s3_bucket.configs.arn}/*",
|
|
aws_s3_bucket.configs.arn
|
|
]
|
|
}
|
|
}
|
|
|
|
resource "aws_iam_policy" "vpn" {
|
|
name_prefix = aws_iam_role.vpn.name
|
|
description = "WireGuard VPN server policy for managing resources on AWS"
|
|
policy = data.aws_iam_policy_document.vpn.json
|
|
}
|
|
|
|
resource "aws_iam_role" "vpn" {
|
|
name_prefix = "${var.prefix}-vpn-"
|
|
assume_role_policy = data.aws_iam_policy_document.vpn_assume_role.json
|
|
}
|
|
|
|
resource "aws_iam_role_policy_attachment" "vpn" {
|
|
role = aws_iam_role.vpn.name
|
|
policy_arn = aws_iam_policy.vpn.arn
|
|
}
|
|
|
|
resource "aws_iam_role_policy_attachment" "ssm" {
|
|
role = aws_iam_role.vpn.name
|
|
policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
|
|
}
|
|
|
|
resource "aws_iam_instance_profile" "vpn" {
|
|
name = aws_iam_role.vpn.name
|
|
role = aws_iam_role.vpn.name
|
|
}
|