Add ssm patch support (#104)

* Adding SSM patch support

* Auto Format

* remove uneeded change

* remove uneeded change

* Auto Format

* Update main.tf

Co-authored-by: Andriy Knysh <[email protected]>

* Update main.tf

Co-authored-by: Andriy Knysh <[email protected]>

* Update variables.tf

Co-authored-by: Andriy Knysh <[email protected]>

* Auto Format

* Update main.tf

Co-authored-by: Andriy Knysh <[email protected]>

* Update main.tf

Co-authored-by: Andriy Knysh <[email protected]>

* Adding SSM patch support

* Update main.tf

Co-authored-by: Andriy Knysh <[email protected]>

* Auto Format

* Fixinf var name

* Fixinf var name

* Fixing variable name for count

* Fixing variable name for count and adding label module + attribute

* Auto Format

* Update main.tf

Co-authored-by: Andriy Knysh <[email protected]>

* Update main.tf

Co-authored-by: Andriy Knysh <[email protected]>

* Minor fixes

* Fixing broken resource reference

* Fixing broken resource reference

* Adding ssm_enabled variable

* Auto Format

* removing ssm locals

* Fixing count logic

* Auto Format

* Fixing count logic

* Fixing count logic

* Fixing count logic

* Fixing count logic

* Update ssm_patch.tf

Co-authored-by: Andriy Knysh <[email protected]>

* Update main.tf

Co-authored-by: Andriy Knysh <[email protected]>

* Update variables.tf

Co-authored-by: Andriy Knysh <[email protected]>

* Update variables.tf

Co-authored-by: Andriy Knysh <[email protected]>

* Auto Format

* more feedback fixes

* Removing duplicated resources

* Update ssm_patch.tf

Co-authored-by: Andriy Knysh <[email protected]>

* Auto Format

* Addressing Feedback

* Auto Format

* fixing local name

* reverting logic from master

Co-authored-by: cloudpossebot <[email protected]>
Co-authored-by: Andriy Knysh <[email protected]>

Author: 3 people

README.md

@@ -312,7 +312,7 @@ Available targets:
 | <a name="input_source_dest_check"></a> [source\_dest\_check](#input\_source\_dest\_check) | Controls if traffic is routed to the instance when the destination address does not match the instance. Used for NAT or VPNs | `bool` | `true` | no |
 | <a name="input_ssh_key_pair"></a> [ssh\_key\_pair](#input\_ssh\_key\_pair) | SSH key pair to be provisioned on the instance | `string` | n/a | yes |
 | <a name="input_ssm_patch_manager_enabled"></a> [ssm\_patch\_manager\_enabled](#input\_ssm\_patch\_manager\_enabled) | Whether to enable SSM Patch manager | `bool` | `false` | no |
-| <a name="input_ssm_patch_manager_iam_policy"></a> [ssm\_patch\_manager\_iam\_policy](#input\_ssm\_patch\_manager\_iam\_policy) | IAM policy to allow Patch manager to manage the instance | `string` | `null` | no |
+| <a name="input_ssm_patch_manager_iam_policy_arn"></a> [ssm\_patch\_manager\_iam\_policy\_arn](#input\_ssm\_patch\_manager\_iam\_policy\_arn) | IAM policy ARN to allow Patch Manager to manage the instance. If not provided, `arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore` will be used | `string` | `null` | no |
 | <a name="input_ssm_patch_manager_s3_log_bucket"></a> [ssm\_patch\_manager\_s3\_log\_bucket](#input\_ssm\_patch\_manager\_s3\_log\_bucket) | The name of the s3 bucket to export the patch log to | `string` | `null` | no |
 | <a name="input_stage"></a> [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | <a name="input_statistic_level"></a> [statistic\_level](#input\_statistic\_level) | The statistic to apply to the alarm's associated metric. Allowed values are: SampleCount, Average, Sum, Minimum, Maximum | `string` | `"Maximum"` | no |

docs/terraform.md

@@ -115,7 +115,7 @@
 | <a name="input_source_dest_check"></a> [source\_dest\_check](#input\_source\_dest\_check) | Controls if traffic is routed to the instance when the destination address does not match the instance. Used for NAT or VPNs | `bool` | `true` | no |
 | <a name="input_ssh_key_pair"></a> [ssh\_key\_pair](#input\_ssh\_key\_pair) | SSH key pair to be provisioned on the instance | `string` | n/a | yes |
 | <a name="input_ssm_patch_manager_enabled"></a> [ssm\_patch\_manager\_enabled](#input\_ssm\_patch\_manager\_enabled) | Whether to enable SSM Patch manager | `bool` | `false` | no |
-| <a name="input_ssm_patch_manager_iam_policy"></a> [ssm\_patch\_manager\_iam\_policy](#input\_ssm\_patch\_manager\_iam\_policy) | IAM policy to allow Patch manager to manage the instance | `string` | `null` | no |
+| <a name="input_ssm_patch_manager_iam_policy_arn"></a> [ssm\_patch\_manager\_iam\_policy\_arn](#input\_ssm\_patch\_manager\_iam\_policy\_arn) | IAM policy ARN to allow Patch Manager to manage the instance. If not provided, `arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore` will be used | `string` | `null` | no |
 | <a name="input_ssm_patch_manager_s3_log_bucket"></a> [ssm\_patch\_manager\_s3\_log\_bucket](#input\_ssm\_patch\_manager\_s3\_log\_bucket) | The name of the s3 bucket to export the patch log to | `string` | `null` | no |
 | <a name="input_stage"></a> [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | <a name="input_statistic_level"></a> [statistic\_level](#input\_statistic\_level) | The statistic to apply to the alarm's associated metric. Allowed values are: SampleCount, Average, Sum, Minimum, Maximum | `string` | `"Maximum"` | no |

main.tf

@@ -20,8 +20,6 @@ locals {
     var.associate_public_ip_address && var.assign_eip_address && module.this.enabled ?
     local.eip_public_dns : join("", aws_instance.default.*.public_dns)
   )
-  ssm_path_log_bucket_enabled = local.enabled && var.ssm_patch_manager_enabled && var.ssm_patch_manager_s3_log_bucket != "" && var.ssm_patch_manager_s3_log_bucket != null
-  ssm_policy                  = var.ssm_patch_manager_iam_policy == null || var.ssm_patch_manager_iam_policy == "" ? "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" : var.ssm_patch_manager_iam_policy
 }
 
 data "aws_caller_identity" "default" {
@@ -53,40 +51,6 @@ data "aws_iam_policy_document" "default" {
     effect = "Allow"
   }
 }
-
-module "label_ssm_patch_s3_log_policy" {
-  source  = "cloudposse/label/null"
-  version = "0.24.1"
-
-  attributes = ["ssm-patch-s3-logs"]
-  context    = module.this.context
-}
-
-data "aws_iam_policy_document" "ssm_patch_s3_log_policy" {
-  count = local.ssm_path_log_bucket_enabled ? 1 : 0
-  statement {
-    sid = "AllowAccessToPathLogBucket"
-    actions = [
-      "s3:GetObject",
-      "s3:PutObject",
-      "s3:PutObjectAcl",
-      "s3:GetEncryptionConfiguration",
-    ]
-    resources = [
-      "arn:aws:s3:::${var.ssm_patch_manager_s3_log_bucket}/*",
-      "arn:aws:s3:::${var.ssm_patch_manager_s3_log_bucket}",
-    ]
-  }
-}
-
-resource "aws_iam_policy" "ssm_patch_s3_log_policy" {
-  count       = local.ssm_path_log_bucket_enabled ? 1 : 0
-  name        = module.label_ssm_patch_s3_log_policy.id
-  path        = "/"
-  description = "Policy to allow the local SSM agent on the instance to write the log output to the defined bucket"
-  policy      = data.aws_iam_policy_document.ssm_patch_s3_log_policy[0].json
-}
-
 data "aws_ami" "default" {
   count       = var.ami == "" ? 1 : 0
   most_recent = "true"
@@ -142,19 +106,6 @@ resource "aws_iam_role" "default" {
   tags                 = module.this.tags
 }
 
-resource "aws_iam_role_policy_attachment" "ssm_core" {
-  count      = local.enabled ? local.instance_profile_count : 0
-  role       = aws_iam_role.default[count.index]
-  policy_arn = local.ssm_policy
-}
-
-resource "aws_iam_role_policy_attachment" "ssm_s3_policy" {
-  count      = local.enabled && local.ssm_path_log_bucket_enabled ? local.instance_profile_count : 0
-  role       = aws_iam_role.default[count.index]
-  policy_arn = aws_iam_policy.ssm_patch_s3_log_policy[0].arn
-}
-
-
 resource "aws_instance" "default" {
   #bridgecrew:skip=BC_AWS_GENERAL_31: Skipping `Ensure Instance Metadata Service Version 1 is not enabled` check until BridgeCrew supports conditional evaluation. See https://github.com/bridgecrewio/checkov/issues/793
   #bridgecrew:skip=BC_AWS_NETWORKING_47: Skiping `Ensure AWS EC2 instance is configured with VPC` because it is incorrectly flagging that this instance does not belong to a VPC even though subnet_id is configured.

ssm_patch.tf

@@ -0,0 +1,53 @@
+
+locals {
+  ssm_patch_log_bucket_enabled = local.ssm_enabled && var.ssm_patch_manager_s3_log_bucket != "" && var.ssm_patch_manager_s3_log_bucket != null
+  ssm_policy_arn               = var.ssm_patch_manager_iam_policy_arn == null || var.ssm_patch_manager_iam_policy_arn == "" ? "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" : var.ssm_patch_manager_iam_policy_arn
+  ssm_enabled                  = local.enabled && var.ssm_patch_manager_enabled
+}
+
+module "label_ssm_patch_s3_log_policy" {
+  source  = "cloudposse/label/null"
+  version = "0.24.1"
+
+  enabled    = local.ssm_patch_log_bucket_enabled
+  attributes = ["ssm-patch-s3-logs"]
+  context    = module.this.context
+}
+
+data "aws_iam_policy_document" "ssm_patch_s3_log_policy" {
+  count = local.ssm_patch_log_bucket_enabled ? 1 : 0
+  statement {
+    sid = "AllowAccessToPathLogBucket"
+    actions = [
+      "s3:GetObject",
+      "s3:PutObject",
+      "s3:PutObjectAcl",
+      "s3:GetEncryptionConfiguration",
+    ]
+    resources = [
+      "arn:aws:s3:::${var.ssm_patch_manager_s3_log_bucket}/*",
+      "arn:aws:s3:::${var.ssm_patch_manager_s3_log_bucket}",
+    ]
+  }
+}
+
+resource "aws_iam_policy" "ssm_patch_s3_log_policy" {
+  count       = local.ssm_patch_log_bucket_enabled ? 1 : 0
+  name        = module.label_ssm_patch_s3_log_policy.id
+  path        = "/"
+  description = "Policy to allow the local SSM agent on the instance to write the log output to the defined bucket"
+  policy      = data.aws_iam_policy_document.ssm_patch_s3_log_policy[0].json
+}
+
+
+resource "aws_iam_role_policy_attachment" "ssm_core" {
+  count      = local.ssm_enabled ? local.instance_profile_count : 0
+  role       = aws_iam_role.default[count.index].name
+  policy_arn = local.ssm_policy_arn
+}
+
+resource "aws_iam_role_policy_attachment" "ssm_s3_policy" {
+  count      = local.ssm_patch_log_bucket_enabled ? local.instance_profile_count : 0
+  role       = aws_iam_role.default[count.index].name
+  policy_arn = aws_iam_policy.ssm_patch_s3_log_policy[0].arn
+}

variables.tf

@@ -326,14 +326,15 @@ variable "ssm_patch_manager_enabled" {
   description = "Whether to enable SSM Patch manager"
 }
 
-variable "ssm_patch_manager_iam_policy" {
+variable "ssm_patch_manager_iam_policy_arn" {
   type        = string
   default     = null
-  description = "IAM policy to allow Patch manager to manage the instance"
+  description = "IAM policy ARN to allow Patch Manager to manage the instance. If not provided, `arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore` will be used"
 }
 
 variable "ssm_patch_manager_s3_log_bucket" {
   type        = string
   default     = null
   description = "The name of the s3 bucket to export the patch log to"
 }
+