From 2bf5e1afc47409cc1d9909acae8bcedadb560442 Mon Sep 17 00:00:00 2001
From: HenryNguyen5 <6404866+HenryNguyen5@users.noreply.github.com>
Date: Mon, 17 Aug 2020 15:38:33 -0400
Subject: [PATCH 1/2] Default to not attching AmazonSSMManagedInstanceCore to instances

---
 README.md | 2 +-
 main.tf | 1 +
 modules/runners/policies-runner.tf | 1 +
 modules/runners/variables.tf | 5 +++++
 variables.tf | 6 ++++++
 5 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index c378ba0beb..6c177f9ebc 100644
--- a/README.md
+++ b/README.md
@@ -317,7 +317,7 @@ No requirements.
 | vpc\_id | The VPC for security groups of the action runners. | `string` | n/a | yes |
 | webhook\_lambda\_timeout | Time out of the webhook lambda in seconds. | `number` | `10` | no |
 | webhook\_lambda\_zip | File location of the webhook lambda zip file. | `string` | `null` | no |
-
+| enable\_ssm\_on\_runners | Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | `false` | no |
 ## Outputs
 
 | Name | Description |
diff --git a/main.tf b/main.tf
index 89bd2b997c..f16e4733db 100644
--- a/main.tf
+++ b/main.tf
@@ -76,6 +76,7 @@ module "runners" {
   runner_as_root = var.runner_as_root
   runners_maximum_count = var.runners_maximum_count
   idle_config = var.idle_config
+  enable_ssm_on_runners = var.enable_ssm_on_runners
 
   lambda_zip = var.runners_lambda_zip
   lambda_timeout_scale_up = var.runners_scale_up_lambda_timeout
diff --git a/modules/runners/policies-runner.tf b/modules/runners/policies-runner.tf
index 8c69d6555d..74f8654686 100644
--- a/modules/runners/policies-runner.tf
+++ b/modules/runners/policies-runner.tf
@@ -21,6 +21,7 @@ resource "aws_iam_role_policy" "runner_session_manager_policy" {
 }
 
 resource "aws_iam_role_policy_attachment" "runner_session_manager_aws_managed" {
+  count = var.enable_ssm_on_runners ? 1 : 0
   role = aws_iam_role.runner.name
   policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
 }
diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf
index 435cdb26c5..7efd34a5ba 100644
--- a/modules/runners/variables.tf
+++ b/modules/runners/variables.tf
@@ -206,3 +206,8 @@ variable "logging_retention_in_days" {
   type = number
   default = 7
 }
+
+variable "enable_ssm_on_runners" {
+  description = "Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances."
+  type = bool
+}
diff --git a/variables.tf b/variables.tf
index 8a04f94761..80217edb0e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -175,6 +175,12 @@ variable "idle_config" {
   default = []
 }
 
+variable "enable_ssm_on_runners" {
+  description = "Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances."
+  type = bool
+  default = false
+}
+
 variable "logging_retention_in_days" {
   description = "Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653."
   type = number

From 53f89004cfa2d2f5dd270e483552054ee092818e Mon Sep 17 00:00:00 2001
From: HenryNguyen5 <6404866+HenryNguyen5@users.noreply.github.com>
Date: Fri, 21 Aug 2020 15:22:04 -0400
Subject: [PATCH 2/2] Remove instance_runner_session_manager_policy

---
 modules/runners/policies-runner.tf | 6 ------
 .../policies/instance-session-manager-policy.json | 15 ---------------
 2 files changed, 21 deletions(-)
 delete mode 100644 modules/runners/policies/instance-session-manager-policy.json

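Review bot: Existing deployments will lose Session Manager access to their runners on upgrade: the new `count` on `runner_session_manager_aws_managed` moves the resource to an indexed address, so Terraform destroys the current attachment and, with the default of `false`, does not recreate it. That is a defensible default for hosts that execute third-party workflow code, but it is a breaking change that needs a README/changelog line telling users to set `enable_ssm_on_runners = true` to keep the previous behaviour. The variable description should also say what is being attached, because as far as I recall `AmazonSSMManagedInstanceCore` is considerably broader than the four `ssmmessages:*Channel` actions of the inline policy named in the hunk header (it also grants `ssm:GetParameter`/`GetParameters` and inventory/association actions on `*`), which is exactly why opting in matters on a CI runner; something like `# Grants the runner role the AWS managed SSM agent policy (Session Manager, Run Command, Parameter Store reads); off by default because runners execute untrusted workflow code.` above the resource would make the trade-off visible.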
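Review bot: The `enable_ssm_on_runners` description in variables.tf is ungrammatical ("allow access the runner instances") and says only that it "adds additional permissions" without naming them, and since this root-level copy is the one with a default it is the text users will actually read. Suggest `description = "Enable to allow SSM Session Manager access to the runner instances for debugging. When true, the AWS managed policy AmazonSSMManagedInstanceCore is attached to the runner role; leave false unless you need to log in to runners."` and the same wording on the duplicate in modules/runners/variables.tf. The variable block is fully contained in the hunk.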
diff --git a/modules/runners/policies-runner.tf b/modules/runners/policies-runner.tf
index 74f8654686..78bb845134 100644
--- a/modules/runners/policies-runner.tf
+++ b/modules/runners/policies-runner.tf
@@ -14,12 +14,6 @@ resource "aws_iam_instance_profile" "runner" {
   path = local.instance_profile_path
 }
 
-resource "aws_iam_role_policy" "runner_session_manager_policy" {
-  name = "session-manager"
-  role = aws_iam_role.runner.name
-  policy = templatefile("${path.module}/policies/instance-session-manager-policy.json", {})
-}
-
 resource "aws_iam_role_policy_attachment" "runner_session_manager_aws_managed" {
   count = var.enable_ssm_on_runners ? 1 : 0
   role = aws_iam_role.runner.name
diff --git a/modules/runners/policies/instance-session-manager-policy.json b/modules/runners/policies/instance-session-manager-policy.json
deleted file mode 100644
index 63ac8ca941..0000000000
--- a/modules/runners/policies/instance-session-manager-policy.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "ssmmessages:CreateControlChannel",
-        "ssmmessages:CreateDataChannel",
-        "ssmmessages:OpenControlChannel",
-        "ssmmessages:OpenDataChannel"
-      ],
-      "Resource": "*"
-    }
-  ]
-}
\ No newline at end of file