
Commit fec8c8a

fix: use a valid policy for ssm access (#1124)
## Description This resolves an issue where the previous policy template did not specify a valid resource argument for the second policy statement. The modified template should now apply without error. Closes #1123 ## Verification I applied this module to my runner setup and it resolved the issue. --------- Co-authored-by: Matthias Kay <matthias.kay@hlag.com>
1 parent 2d9b5da commit fec8c8a


2 files changed

+28
-21
lines changed


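--- a/main.tf
+++ b/main.tf
@@ -594,11 +594,38 @@ resource "aws_eip" "gitlab_runner" {
 ################################################################################
 ### AWS Systems Manager access to store runner token once registered
 ################################################################################
+data "aws_iam_policy_document" "ssm" {
+statement {
+actions = [
+"ssm:GetParameter",
+"ssm:GetParameters",
+]
+resources = [
+for name in compact(
+[
+aws_ssm_parameter.runner_sentry_dsn.name,
+var.runner_gitlab_registration_token_secure_parameter_store_name,
+var.runner_gitlab.access_token_secure_parameter_store_name,
+var.runner_gitlab.preregistered_runner_token_ssm_parameter_name,
+aws_ssm_parameter.runner_registration_token.name
+]
+) : "arn:${data.aws_partition.current.partition}:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${name}"
+]
+}
+
+statement {
+actions = ["ssm:PutParameter"]
+resources = [
+"arn:${data.aws_partition.current.partition}:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${aws_ssm_parameter.runner_registration_token.name}"
+]
+}
+}
+
 resource "aws_iam_policy" "ssm" {
 name = "${local.name_iam_objects}-ssm"
 path = "/"
 description = "Policy for runner token param access via SSM"
-policy = templatefile("${path.module}/policies/instance-secure-parameter-role-policy.json", { partition = data.aws_partition.current.partition })
+policy = data.aws_iam_policy_document.ssm.json
 
 tags = local.tags
 }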
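Review bot: The ARN template on the `resources = [ for name in compact(...) ... ]` line of the first statement appends `parameter/${name}` verbatim, so any parameter name supplied in the hierarchical form with a leading slash produces `parameter//…`, which does not match the parameter's real ARN and would leave `ssm:GetParameter` denied for it; the `ssm:PutParameter` resource in the second statement has the same shape. Whether the variables listed here are declared with or without a leading slash is not visible in this hunk, so if they may carry one, normalise inside the expression: `: "arn:${data.aws_partition.current.partition}:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${trimprefix(name, "/")}"` (and `trimprefix(aws_ssm_parameter.runner_registration_token.name, "/")` in the second statement). The partition/region/account prefix is also spelled out twice; hoisting it into a single local such as `ssm_parameter_arn_prefix` would keep the two statements from drifting apart and make the least-privilege split (read on all listed parameters, write only on the registration token) easier to audit. Note that `data.aws_region.current` and `data.aws_caller_identity.current` must already be declared elsewhere in the module; only `data.aws_partition.current` is evidenced by the removed `templatefile(...)` line.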

policies/instance-secure-parameter-role-policy.json

-20
This file was deleted.
