fix: use a valid policy for ssm access (#1124)

## Description This resolves an issue where the previous policy template did not specify a valid resource argument for the second policy statement. The modified template should now apply without error. Closes #1123 ## Verification I applied this module to my runner setup and it resolved the issue. --------- Co-authored-by: Matthias Kay <matthias.kay@hlag.com>
cattle-ops · May 10, 2024 · fec8c8a · fec8c8a
1 parent 2d9b5da
commit fec8c8a
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 21 deletions.
diff --git a/main.tf b/main.tf
@@ -594,11 +594,38 @@ resource "aws_eip" "gitlab_runner" {
 ################################################################################
 ### AWS Systems Manager access to store runner token once registered
 ################################################################################
+data "aws_iam_policy_document" "ssm" {
+  statement {
+    actions = [
+      "ssm:GetParameter",
+      "ssm:GetParameters",
+    ]
+    resources = [
+      for name in compact(
+        [
+          aws_ssm_parameter.runner_sentry_dsn.name,
+          var.runner_gitlab_registration_token_secure_parameter_store_name,
+          var.runner_gitlab.access_token_secure_parameter_store_name,
+          var.runner_gitlab.preregistered_runner_token_ssm_parameter_name,
+          aws_ssm_parameter.runner_registration_token.name
+        ]
+      ) : "arn:${data.aws_partition.current.partition}:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${name}"
+    ]
+  }
+
+  statement {
+    actions = ["ssm:PutParameter"]
+    resources = [
+      "arn:${data.aws_partition.current.partition}:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${aws_ssm_parameter.runner_registration_token.name}"
+    ]
+  }
+}
+
 resource "aws_iam_policy" "ssm" {
   name        = "${local.name_iam_objects}-ssm"
   path        = "/"
   description = "Policy for runner token param access via SSM"
-  policy      = templatefile("${path.module}/policies/instance-secure-parameter-role-policy.json", { partition = data.aws_partition.current.partition })
+  policy      = data.aws_iam_policy_document.ssm.json
 
   tags = local.tags
 }

diff --git a/policies/instance-secure-parameter-role-policy.json b/policies/instance-secure-parameter-role-policy.json