Skip to content
This repository has been archived by the owner on Sep 27, 2024. It is now read-only.

add cloudwatch policy for ec2 metrics #12

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

add cloudwatch policy for ec2 metrics #12

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
fdc3761
add cloudwatch policy for ec2 metrics
markhv-code Dec 7, 2023
f9f0d34
enable cloudwatch ec2 metrics by default
markhv-code Dec 11, 2023
3f7b701
move 1.0.1 before 1.0.0 in changelog
markhv-code Dec 13, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

# 1.0.1

* Adding Cloudwatch metrics policy for ec2

# 1.0.0

* Striking 1.0.0 release
Expand Down
50 changes: 50 additions & 0 deletions policies.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -179,6 +179,56 @@ resource "aws_iam_role_policy_attachment" "secrets-manager" {
policy_arn = aws_iam_policy.secrets-manager[0].arn
}

################################################################################
# CloudWatch Policy for EC2 metrics
################################################################################
data "aws_iam_policy_document" "ec2_metrics" {
count = var.create_role && var.attach_ec2_metrics_policy ? 1 : 0

statement {
sid = "AllowReadingMetricsFromCloudWatch"
actions = [
"cloudwatch:DescribeAlarmsForMetric",
"cloudwatch:DescribeAlarmHistory",
"cloudwatch:DescribeAlarms",
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricData",
"cloudwatch:GetInsightRuleReport"
]
resources = ["*"]
}

statement {
sid = "AllowReadingTagsInstancesRegionsFromEC2"
actions = ["ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions"]
resources = ["*"]
}

statement {
sid = "AllowReadingResourcesForTags"
actions = "tag:GetResources"
resources = ["*"]
}
}

resource "aws_iam_policy" "ec2_metrics" {
count = var.create_role && var.attach_ec2_metrics_policy ? 1 : 0

name_prefix = "${var.policy_name_prefix}${var.app_name}_Policy-"
path = var.role_path
description = "View EC2 metrics"
policy = data.aws_iam_policy_document.ec2_metrics[0].json

tags = var.tags
}

resource "aws_iam_role_policy_attachment" "ec2_metrics" {
count = var.create_role && var.attach_ec2_metrics_policy ? 1 : 0

role = aws_iam_role.this[0].name
policy_arn = aws_iam_policy.ec2_metrics[0].arn
}

################################################################################
# CloudWatch Policy for container insights
################################################################################
Expand Down
7 changes: 7 additions & 0 deletions variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -168,3 +168,10 @@ variable "sqs_read_write_arns" {
type = list(string)
default = []
}

# Cloudwatch
variable "attach_ec2_metrics_policy" {
description = "Determines whether to attach the Cloudwatch policy for ec2 metrics to the role"
type = bool
default = true
}