feat: Default to not attching AmazonSSMManagedInstanceCore to instanc…

…es (#143) * Default to not attching AmazonSSMManagedInstanceCore to instances * Remove instance_runner_session_manager_policy
philips-labs · Aug 25, 2020 · f7792d1 · f7792d1
1 parent 05b3d2b
commit f7792d1
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 22 deletions.
diff --git a/README.md b/README.md
@@ -317,7 +317,7 @@ No requirements.
 | vpc\_id | The VPC for security groups of the action runners. | `string` | n/a | yes |
 | webhook\_lambda\_timeout | Time out of the webhook lambda in seconds. | `number` | `10` | no |
 | webhook\_lambda\_zip | File location of the webhook lambda zip file. | `string` | `null` | no |
-
+| enable\_ssm\_on\_runners | Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | `false` | no |
 ## Outputs
 
 | Name | Description |

diff --git a/main.tf b/main.tf
@@ -76,6 +76,7 @@ module "runners" {
   runner_as_root                  = var.runner_as_root
   runners_maximum_count           = var.runners_maximum_count
   idle_config                     = var.idle_config
+  enable_ssm_on_runners           = var.enable_ssm_on_runners
 
   lambda_zip                = var.runners_lambda_zip
   lambda_timeout_scale_up   = var.runners_scale_up_lambda_timeout

diff --git a/modules/runners/policies-runner.tf b/modules/runners/policies-runner.tf
@@ -14,13 +14,8 @@ resource "aws_iam_instance_profile" "runner" {
   path = local.instance_profile_path
 }
 
-resource "aws_iam_role_policy" "runner_session_manager_policy" {
-  name   = "session-manager"
-  role   = aws_iam_role.runner.name
-  policy = templatefile("${path.module}/policies/instance-session-manager-policy.json", {})
-}
-
 resource "aws_iam_role_policy_attachment" "runner_session_manager_aws_managed" {
+  count      = var.enable_ssm_on_runners ? 1 : 0
   role       = aws_iam_role.runner.name
   policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
 }

diff --git a/modules/runners/policies/instance-session-manager-policy.json b/modules/runners/policies/instance-session-manager-policy.json
diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf
@@ -206,3 +206,8 @@ variable "logging_retention_in_days" {
   type        = number
   default     = 7
 }
+
+variable "enable_ssm_on_runners" {
+  description = "Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances."
+  type        = bool
+}
diff --git a/variables.tf b/variables.tf
@@ -175,6 +175,12 @@ variable "idle_config" {
   default = []
 }
 
+variable "enable_ssm_on_runners" {
+  description = "Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances."
+  type        = bool
+  default     = false
+}
+
 variable "logging_retention_in_days" {
   description = "Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653."
   type        = number