From fec8c8a8d729f8d6076a38d8b063f1e14f4aa518 Mon Sep 17 00:00:00 2001
From: Ryan Causey
Date: Fri, 10 May 2024 02:02:08 -0700
Subject: [PATCH] fix: use a valid policy for ssm access (#1124)
## Description
This resolves an issue where the previous policy template did not specify a valid resource argument for the second policy statement. The modified template should now apply without error.
Closes #1123
## Verification
I applied this module to my runner setup and it resolved the issue.
---------
Co-authored-by: Matthias Kay
---
 main.tf | 29 ++++++++++++++++++-
 ...instance-secure-parameter-role-policy.json | 20 -------------
 2 files changed, 28 insertions(+), 21 deletions(-)
 delete mode 100644 policies/instance-secure-parameter-role-policy.json
diff --git a/main.tf b/main.tf
index 809b6d0b..69c0f67f 100644
--- a/main.tf
+++ b/main.tf
@@ -594,11 +594,38 @@ resource "aws_eip" "gitlab_runner" {
 ################################################################################
 ### AWS Systems Manager access to store runner token once registered
 ################################################################################
 
+data "aws_iam_policy_document" "ssm" {
+ statement {
+ actions = [
+ "ssm:GetParameter",
+ "ssm:GetParameters",
+ ]
+ resources = [
+ for name in compact(
+ [
+ aws_ssm_parameter.runner_sentry_dsn.name,
+ var.runner_gitlab_registration_token_secure_parameter_store_name,
+ var.runner_gitlab.access_token_secure_parameter_store_name,
+ var.runner_gitlab.preregistered_runner_token_ssm_parameter_name,
+ aws_ssm_parameter.runner_registration_token.name
+ ]
+ ) : "arn:${data.aws_partition.current.partition}:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${name}"
+ ]
+ }
+
+ statement {
+ actions = ["ssm:PutParameter"]
+ resources = [
+ "arn:${data.aws_partition.current.partition}:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${aws_ssm_parameter.runner_registration_token.name}"
+ ]
+ }
+}
+
 resource "aws_iam_policy" "ssm" {
 name = "${local.name_iam_objects}-ssm"
 path = "/"
 description = "Policy for runner token param access via SSM"
- policy = templatefile("${path.module}/policies/instance-secure-parameter-role-policy.json", { partition = data.aws_partition.current.partition })
+ policy = data.aws_iam_policy_document.ssm.json
 tags = local.tags
 }
diff --git a/policies/instance-secure-parameter-role-policy.json b/policies/instance-secure-parameter-role-policy.json
deleted file mode 100644
index f7dd120a..00000000
--- a/policies/instance-secure-parameter-role-policy.json
+++ /dev/null
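Review bot: The ARN built after `) :` in the first statement, and the literal one in the `PutParameter` statement, append the parameter name straight after `parameter/`; SSM names are commonly hierarchical with a leading slash (e.g. `/gitlab/runner/token`), and for such a value the result is `parameter//gitlab/runner/token`, which never matches the real ARN, so the runner would get AccessDenied even though the policy now applies cleanly. Normalise the name when forming the ARN, `parameter/${trimprefix(name, "/")}` in the `for` expression and `parameter/${trimprefix(aws_ssm_parameter.runner_registration_token.name, "/")}` in the second statement. Whether the three `var.*` names can carry a leading slash depends on variable validation outside this hunk, and the two `aws_ssm_parameter.*.name` values inherit whatever name those resources are given, so this is a hedge against caller input rather than a confirmed break. A one-line comment above the first statement would also help future readers, e.g. `# Read access is limited to the runner's own parameters; compact() drops the optional ones that are unset`, since the earlier template granted `ssm:PutParameter` on `*` and the narrow scoping is the point of this block.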
@@ -1,20 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ssm:PutParameter"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ssm:GetParameter",
- "ssm:GetParameters"
- ],
- "Resource": "arn:${partition}:ssm:*"
- }
- ]
-}