

Merge pull request #13 from joe-niland/feat/data-resources-dependent-on-session-logging-enabled
Gowiem committed Sep 14, 2022
2 parents b942a1b + 1633b7d commit 7d5f78c
Showing 2 changed files with 6 additions and 4 deletions.
6 changes: 4 additions & 2 deletions main.tf
Expand Up @@ -56,19 +56,21 @@ data "aws_iam_policy_document" "default" {
}

data "aws_s3_bucket" "logs_bucket" {
count = var.session_logging_enabled ? 1 : 0
bucket = try(coalesce(var.session_logging_bucket_name, module.logs_bucket.bucket_id), "")
}

# https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.html#create-iam-instance-profile-ssn-logging
data "aws_iam_policy_document" "session_logging" {
count = var.session_logging_enabled ? 1 : 0

statement {
sid = "SSMAgentSessionAllowS3Logging"
effect = "Allow"
actions = [
"s3:PutObject"
]
resources = ["${data.aws_s3_bucket.logs_bucket.arn}/*"]
resources = ["${join("", data.aws_s3_bucket.logs_bucket.*.arn)}/*"]
}

statement {
Expand Down Expand Up @@ -119,7 +121,7 @@ resource "aws_iam_role_policy" "session_logging" {

name = "${module.role_label.id}-session-logging"
role = aws_iam_role.default.name
policy = data.aws_iam_policy_document.session_logging.json
policy = join("", data.aws_iam_policy_document.session_logging.*.json)
}

resource "aws_iam_instance_profile" "default" {
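Review bot: The new `policy = join("", data.aws_iam_policy_document.session_logging.*.json)` line silently collapses to an empty string whenever the data source's count is 0, so it is only correct if `aws_iam_role_policy.session_logging` is itself gated with the same `count = var.session_logging_enabled ? 1 : 0`; that resource's header sits above the hunk, so the guard is not visible here and should be confirmed. If the guard is missing, every apply with session logging disabled would submit an empty inline policy document to IAM and fail at apply time rather than at plan time. Indexing the single element, `policy = data.aws_iam_policy_document.session_logging[0].json`, would surface a missing guard as a clear plan-time index error instead of a blank policy; the same `join("", …)` idiom on the `resources` line in the first hunk is fine as written because it is already inside the count-guarded policy document. The aws_iam_role_policy block starts before the second hunk.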
4 changes: 2 additions & 2 deletions outputs.tf
Expand Up @@ -24,11 +24,11 @@ output "role_id" {
}

output "session_logging_bucket_id" {
value = var.session_logging_enabled && var.session_logging_bucket_name == "" ? data.aws_s3_bucket.logs_bucket.id : ""
value = var.session_logging_enabled && var.session_logging_bucket_name == "" ? join("", data.aws_s3_bucket.logs_bucket.*.id) : ""
description = "The ID of the SSM Agent Session Logging S3 Bucket."
}

output "session_logging_bucket_arn" {
value = var.session_logging_enabled && var.session_logging_bucket_name == "" ? data.aws_s3_bucket.logs_bucket.arn : ""
value = var.session_logging_enabled && var.session_logging_bucket_name == "" ? join("", data.aws_s3_bucket.logs_bucket.*.arn) : ""
description = "The ARN of the SSM Agent Session Logging S3 Bucket."
}
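Review bot: Both rewritten output expressions only reach the splat after checking `var.session_logging_enabled`, and `data.aws_s3_bucket.logs_bucket` uses that same flag for its count, so the list always holds exactly one element on that branch; `data.aws_s3_bucket.logs_bucket[0].id` (and `[0].arn` in `session_logging_bucket_arn`) states that invariant directly, whereas `join("", …)` would quietly return "" if the two conditions ever drift apart. A second point the change leaves in place: `var.session_logging_bucket_name == ""` is false when the variable is null, so if a null name is allowed these outputs return "" even though the data source's `coalesce()` in main.tf would have resolved the module-created bucket for that case; a `try(var.session_logging_bucket_name, "") == ""` comparison, or a variable default of "", would keep the two in step.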

