CMS-Enterprise · markhv-code · Dec 7, 2023 · Dec 11, 2023 · Dec 13, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,3 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 * Striking 1.0.0 release
 * Adding sqs flag
+
+# 1.0.1
+
+* Adding Cloudwatch metrics policy for ec2
diff --git a/policies.tf b/policies.tf
@@ -179,6 +179,56 @@ resource "aws_iam_role_policy_attachment" "secrets-manager" {
   policy_arn = aws_iam_policy.secrets-manager[0].arn
 }
 
+################################################################################
+# CloudWatch Policy for EC2 metrics
+################################################################################
+data "aws_iam_policy_document" "ec2_metrics" {
+  count = var.create_role && var.attach_ec2_metrics_policy ? 1 : 0
+
+  statement {
+    sid = "AllowReadingMetricsFromCloudWatch"
+    actions = [
+      "cloudwatch:DescribeAlarmsForMetric",
+      "cloudwatch:DescribeAlarmHistory",
+      "cloudwatch:DescribeAlarms",
+      "cloudwatch:ListMetrics",
+      "cloudwatch:GetMetricData",
+      "cloudwatch:GetInsightRuleReport"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "AllowReadingTagsInstancesRegionsFromEC2"
+    actions = ["ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions"]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "AllowReadingResourcesForTags"
+    actions = "tag:GetResources"
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "ec2_metrics" {
+  count = var.create_role && var.attach_ec2_metrics_policy ? 1 : 0
+
+  name_prefix = "${var.policy_name_prefix}${var.app_name}_Policy-"
+  path        = var.role_path
+  description = "View EC2 metrics"
+  policy      = data.aws_iam_policy_document.ec2_metrics[0].json
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "ec2_metrics" {
+  count = var.create_role && var.attach_ec2_metrics_policy ? 1 : 0
+
+  role       = aws_iam_role.this[0].name
+  policy_arn = aws_iam_policy.ec2_metrics[0].arn
+}
+
 ################################################################################
 # CloudWatch Policy for container insights
 ################################################################################

diff --git a/variables.tf b/variables.tf
@@ -168,3 +168,10 @@ variable "sqs_read_write_arns" {
   type        = list(string)
   default     = []
 }
+
+# Cloudwatch
+variable "attach_ec2_metrics_policy" {
+  description = "Determines whether to attach the Cloudwatch policy for ec2 metrics to the role"
+  type = bool
+  default = false
+}