feat: Default to not attching AmazonSSMManagedInstanceCore to instances (#143)

* Default to not attching AmazonSSMManagedInstanceCore to instances

* Remove instance_runner_session_manager_policy

Author: HenryNguyen5

README.md

@@ -317,7 +317,7 @@ No requirements.
 | vpc\_id | The VPC for security groups of the action runners. | `string` | n/a | yes |
 | webhook\_lambda\_timeout | Time out of the webhook lambda in seconds. | `number` | `10` | no |
 | webhook\_lambda\_zip | File location of the webhook lambda zip file. | `string` | `null` | no |
-
+| enable\_ssm\_on\_runners | Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | `false` | no |
 ## Outputs
 
 | Name | Description |

main.tf

@@ -76,6 +76,7 @@ module "runners" {
   runner_as_root                  = var.runner_as_root
   runners_maximum_count           = var.runners_maximum_count
   idle_config                     = var.idle_config
+  enable_ssm_on_runners           = var.enable_ssm_on_runners
 
   lambda_zip                = var.runners_lambda_zip
   lambda_timeout_scale_up   = var.runners_scale_up_lambda_timeout

modules/runners/policies-runner.tf

@@ -14,13 +14,8 @@ resource "aws_iam_instance_profile" "runner" {
   path = local.instance_profile_path
 }
 
-resource "aws_iam_role_policy" "runner_session_manager_policy" {
-  name   = "session-manager"
-  role   = aws_iam_role.runner.name
-  policy = templatefile("${path.module}/policies/instance-session-manager-policy.json", {})
-}
-
 resource "aws_iam_role_policy_attachment" "runner_session_manager_aws_managed" {
+  count      = var.enable_ssm_on_runners ? 1 : 0
   role       = aws_iam_role.runner.name
   policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
 }

modules/runners/policies/instance-session-manager-policy.json

@@ -206,3 +206,8 @@ variable "logging_retention_in_days" {
   type        = number
   default     = 7
 }
+
+variable "enable_ssm_on_runners" {
+  description = "Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances."
+  type        = bool
+}

modules/runners/variables.tf

@@ -175,6 +175,12 @@ variable "idle_config" {
   default = []
 }
 
+variable "enable_ssm_on_runners" {
+  description = "Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances."
+  type        = bool
+  default     = false
+}
+
 variable "logging_retention_in_days" {
   description = "Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653."
   type        = number