ministryofjustice / hmpps-delius-bastion

Bastion servers for the Delius migration project.

Adding role and instance profile to enable SSM connections #92

Closed adeweetman-al closed 2 years ago

adeweetman-al commented 2 years ago

Work item: https://dsdmoj.atlassian.net/browse/NIT-306

Adding IaC for the IAM role (attached managed policy and trust relationship) and instance profile for the bastions. These changes have already been done in dev through the console, with nothing done in prod.

So for dev, we should import the resources into state. Given that the Jenkins pipeline is not trustworthy and only local TF operations seem to succeed, in dev the plan would be:

  1. Take a backup of the state file
  2. Run
    ENVIRONMENT=eng-dev COMPONENT=service-bastion tg import 'aws_iam_instance_profile.instance_profile' SSMBastionAccess
    ENVIRONMENT=eng-dev COMPONENT=service-bastion tg import 'aws_iam_role.instance_iam_role' SSMBastionAccess
    ENVIRONMENT=eng-dev COMPONENT=service-bastion tg import 'aws_iam_role_policy_attachment.instance_iam_policy_attach_amazonssmmanagedinstancecore' SSMBastionAccess/arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  3. Run a terraform plan to confirm desired state = actual state

Changes can be locally applied in prod.
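The HCL below is an added illustration of what the three imported resources look like; it is not the PR's own code and the repository's actual definitions may differ. The resource addresses are taken from the `tg import` targets in the comment, the name `SSMBastionAccess` and the managed policy ARN from the import IDs, and the trust relationship is assumed to be the usual EC2 service principal (the PR does not show its trust policy). Provider and backend configuration are assumed to live elsewhere in the `service-bastion` component.

```hcl
# Added illustration, not the PR's code. Resource addresses match the
# `tg import` targets; the name SSMBastionAccess and the policy ARN come from
# the import IDs. Provider/backend config is assumed to be defined elsewhere.

# Trust relationship (assumed): only the EC2 service may assume this role, so
# the role's credentials are only reachable from an instance that carries the
# instance profile. Imported by role name.
resource "aws_iam_role" "instance_iam_role" {
  name = "SSMBastionAccess"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "EC2AssumeRole"
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

# The AWS-managed policy gives the SSM agent what Session Manager needs and
# nothing else; no inline policies are attached here.
# Import ID format: "<role name>/<policy ARN>".
resource "aws_iam_role_policy_attachment" "instance_iam_policy_attach_amazonssmmanagedinstancecore" {
  role       = aws_iam_role.instance_iam_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

# Instance profile referenced by the bastion launch configuration.
# Imported by its name, which the import commands show is the same string
# as the role name.
resource "aws_iam_instance_profile" "instance_profile" {
  name = aws_iam_role.instance_iam_role.name
  role = aws_iam_role.instance_iam_role.name
}
```

For step 3, running the plan with `-detailed-exitcode` gives a machine-checkable answer: exit code 0 means state and configuration agree, 2 means a diff. A non-empty plan straight after the imports means the console-created role differs from the HCL (path, description, tags, or an inline policy added by hand), and that should be reconciled before a local apply in prod creates the resources from this definition rather than from whatever was clicked together in dev.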