fix: reduce permission required for session manager (#1018)

npalm · npalm · commit 09476eb60969 · 2021-08-05T11:46:24.000+02:00
diff --git a/modules/runners/policies-runner.tf b/modules/runners/policies-runner.tf
@@ -14,10 +14,11 @@ resource "aws_iam_instance_profile" "runner" {
   path = local.instance_profile_path
 }
 
-resource "aws_iam_role_policy_attachment" "runner_session_manager_aws_managed" {
-  count      = var.enable_ssm_on_runners ? 1 : 0
-  role       = aws_iam_role.runner.name
-  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+resource "aws_iam_role_policy" "runner_session_manager_aws_managed" {
+  name   = "runner-ssm-session"
+  count  = var.enable_ssm_on_runners ? 1 : 0
+  role   = aws_iam_role.runner.name
+  policy = templatefile("${path.module}/policies/instance-ssm-policy.json", {})
 }
 
 resource "aws_iam_role_policy" "ssm_parameters" {
diff --git a/modules/runners/policies/instance-ssm-policy.json b/modules/runners/policies/instance-ssm-policy.json
@@ -0,0 +1,46 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ssm:DescribeAssociation",
+                "ssm:GetDeployablePatchSnapshotForInstance",
+                "ssm:GetDocument",
+                "ssm:DescribeDocument",
+                "ssm:GetManifest",
+                "ssm:ListAssociations",
+                "ssm:ListInstanceAssociations",
+                "ssm:PutInventory",
+                "ssm:PutComplianceItems",
+                "ssm:PutConfigurePackageResult",
+                "ssm:UpdateAssociationStatus",
+                "ssm:UpdateInstanceAssociationStatus",
+                "ssm:UpdateInstanceInformation"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ssmmessages:CreateControlChannel",
+                "ssmmessages:CreateDataChannel",
+                "ssmmessages:OpenControlChannel",
+                "ssmmessages:OpenDataChannel"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2messages:AcknowledgeMessage",
+                "ec2messages:DeleteMessage",
+                "ec2messages:FailMessage",
+                "ec2messages:GetEndpoint",
+                "ec2messages:GetMessages",
+                "ec2messages:SendReply"
+            ],
+            "Resource": "*"
+        }
+    ]
+}

Original file line number	Diff line number	Diff line change
`@@ -14,10 +14,11 @@ resource "aws_iam_instance_profile" "runner" {`
`14`	`14`	`path = local.instance_profile_path`
`15`	`15`	`}`
`16`	`16`
`17`		`-resource "aws_iam_role_policy_attachment" "runner_session_manager_aws_managed" {`
`18`		`- count = var.enable_ssm_on_runners ? 1 : 0`
`19`		`- role = aws_iam_role.runner.name`
`20`		`- policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"`
	`17`	`+resource "aws_iam_role_policy" "runner_session_manager_aws_managed" {`
	`18`	`+ name = "runner-ssm-session"`
	`19`	`+ count = var.enable_ssm_on_runners ? 1 : 0`
	`20`	`+ role = aws_iam_role.runner.name`
	`21`	`+ policy = templatefile("${path.module}/policies/instance-ssm-policy.json", {})`
`21`	`22`	`}`
`22`	`23`
`23`	`24`	`resource "aws_iam_role_policy" "ssm_parameters" {`