Merge pull request #2366 from AlexsLemonade/wvauclain/fix-terraform-c…

…onfig Actually fix terraform this time
AlexsLemonade · Jul 1, 2020 · 72f1350 · 72f1350
2 parents 1bb4fe3 + 96639e0
commit 72f1350
Showing 1 changed file with 33 additions and 66 deletions.
diff --git a/infrastructure/permissions.tf b/infrastructure/permissions.tf
@@ -104,72 +104,39 @@ resource "aws_iam_role_policy_attachment" "s3" {
   policy_arn = "${aws_iam_policy.s3_access_policy.arn}"
 }
 
-# resource "aws_iam_policy" "ec2_access_policy" {
-#   name = "data-refinery-ec2-access-policy-${var.user}-${var.stage}"
-#   description = "Allows EC2 Permissions."
-#   count = "${var.max_clients == 0 ? 0 : 1}"
-#
-#   # We can't iterate instances from the fleet, so allow attaching to any instance,
-#   # but restrict which volumes can be attached.
-#   policy = <<EOF
-# {
-#    "Version":"2012-10-17",
-#    "Statement":[
-#       {
-#          "Effect":"Allow",
-#          "Action": [
-#             "ec2:DescribeVolumes"
-#           ],
-#           "Resource": [
-#             "*"
-#           ]
-#       },
-#       {
-#          "Effect":"Allow",
-#          "Action": [
-#             "ec2:AttachVolume",
-#             "ec2:CreateTags"
-#           ],
-#           "Resource": [
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:volume/${element(aws_ebs_volume.data_refinery_ebs.*.id, 0)}",
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:volume/${element(aws_ebs_volume.data_refinery_ebs.*.id, 1)}",
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:volume/${element(aws_ebs_volume.data_refinery_ebs.*.id, 2)}",
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:volume/${element(aws_ebs_volume.data_refinery_ebs.*.id, 3)}",
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:volume/${element(aws_ebs_volume.data_refinery_ebs.*.id, 4)}",
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:volume/${element(aws_ebs_volume.data_refinery_ebs.*.id, 5)}",
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:volume/${element(aws_ebs_volume.data_refinery_ebs.*.id, 6)}",
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:volume/${element(aws_ebs_volume.data_refinery_ebs.*.id, 7)}",
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:volume/${element(aws_ebs_volume.data_refinery_ebs.*.id, 8)}",
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:volume/${element(aws_ebs_volume.data_refinery_ebs.*.id, 9)}",
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:volume/${element(aws_ebs_volume.data_refinery_ebs.*.id, 10)}",
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:volume/${element(aws_ebs_volume.data_refinery_ebs.*.id, 11)}",
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:volume/${element(aws_ebs_volume.data_refinery_ebs.*.id, 12)}",
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:volume/${element(aws_ebs_volume.data_refinery_ebs.*.id, 13)}",
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:volume/${element(aws_ebs_volume.data_refinery_ebs.*.id, 14)}",
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:volume/${element(aws_ebs_volume.data_refinery_ebs.*.id, 15)}",
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:volume/${element(aws_ebs_volume.data_refinery_ebs.*.id, 16)}",
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:volume/${element(aws_ebs_volume.data_refinery_ebs.*.id, 17)}",
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:volume/${element(aws_ebs_volume.data_refinery_ebs.*.id, 18)}",
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:volume/${element(aws_ebs_volume.data_refinery_ebs.*.id, 19)}",
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:volume/${element(aws_ebs_volume.data_refinery_ebs.*.id, 20)}",
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:volume/${element(aws_ebs_volume.data_refinery_ebs.*.id, 21)}",
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:volume/${element(aws_ebs_volume.data_refinery_ebs.*.id, 22)}",
-#             "arn:aws:ec2:${var.region}:${data.aws_caller_identity.current.account_id}:instance/*"
-#           ]
-#       },
-#       {
-#         "Effect": "Allow",
-#         "Action": [
-#           "sts:DecodeAuthorizationMessage"
-#         ],
-#         "Resource": [
-#           "*"
-#         ]
-#       }
-#    ]
-# }
-# EOF
-# }
+resource "aws_iam_policy" "ec2_access_policy" {
+  name = "data-refinery-ec2-access-policy-${var.user}-${var.stage}"
+  description = "Allows EC2 Permissions."
+  count = "${var.max_clients == 0 ? 0 : 1}"
+
+  # We can't iterate instances from the fleet, so allow attaching to any instance,
+  # but restrict which volumes can be attached.
+  policy = <<EOF
+{
+   "Version":"2012-10-17",
+   "Statement":[
+      {
+         "Effect":"Allow",
+         "Action": [
+            "ec2:DescribeVolumes"
+          ],
+          "Resource": [
+            "*"
+          ]
+      },
+      {
+        "Effect": "Allow",
+        "Action": [
+          "sts:DecodeAuthorizationMessage"
+        ],
+        "Resource": [
+          "*"
+        ]
+      }
+   ]
+}
+EOF
+}
 
 resource "aws_iam_role_policy_attachment" "ec2" {
   role = "${aws_iam_role.data_refinery_instance.name}"