From 2dee48bab954663698256c04e55a2bed5a0f10ea Mon Sep 17 00:00:00 2001
From: Andriy Knysh
Date: Sun, 29 Apr 2018 20:33:01 -0400
Subject: [PATCH] Add `ssm:GetParametersByPath` (#5)
---
 README.md | 2 +-
 main.tf | 18 ++++++++++--------
 variables.tf | 2 +-
 3 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index 1f90ea3..633b719 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ module "chamber_user" {
 | `force_destroy` | `false` | Destroy even if it has non-Terraform-managed IAM access keys, login profiles or MFA devices | No |
 | `path` | `/` | Path in which to create the user | No |
 | `enabled` | `true` | Set to `false` to prevent the module from creating any resources | No |
-| `ssm_actions` | `["ssm:DescribeParameters","ssm:GetParameters"]` | Actions to allow in the policy | No |
+| `ssm_actions` | `["ssm:GetParametersByPath", "ssm:GetParameters"]` | Actions to allow in the policy | No |
 | `ssm_resources` | `["*"]` | Resources to apply the actions specified in the policy | No |
diff --git a/main.tf b/main.tf
index d6ee87b..5d8ccf3 100644
--- a/main.tf
+++ b/main.tf
@@ -1,18 +1,20 @@
 data "aws_iam_policy_document" "default" {
 statement {
- actions = ["${var.ssm_actions}"]
+ actions = ["ssm:DescribeParameters"]
+ resources = ["*"]
+ effect = "Allow"
+ }
+ statement {
+ actions = ["${var.ssm_actions}"]
 resources = ["${var.ssm_resources}"]
+ effect = "Allow"
 }
 statement {
- actions = [
- "kms:Decrypt",
- ]
-
- resources = [
- "${var.kms_key_arn}",
- ]
+ actions = ["kms:Decrypt"]
+ resources = ["${var.kms_key_arn}"]
+ effect = "Allow"
 }
 }
diff --git a/variables.tf b/variables.tf
index b1e2cdf..6b3cd8a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -37,7 +37,7 @@ variable "kms_key_arn" {
 variable "ssm_actions" {
 type = "list"
- default = ["ssm:DescribeParameters", "ssm:GetParameters"]
+ default = ["ssm:GetParametersByPath", "ssm:GetParameters"]
 description = "Actions to allow in the policy"
 }
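Review bot: The new first statement in main.tf grants `ssm:DescribeParameters` on `"*"` unconditionally, so callers can no longer drop it by overriding `ssm_actions`, and nothing in the file explains why it is split out from the variable-driven statement; add a comment such as `# ssm:DescribeParameters is not resource-scoped, so it must be granted on "*"; it is kept out of var.ssm_actions on purpose` so the wildcard is not mistaken for an oversight. Because the README hunk shows `ssm_resources` defaulting to `["*"]`, the second statement now hands `ssm:GetParametersByPath` and `ssm:GetParameters` over every parameter in the account by default, with only decryption limited to `var.kms_key_arn`; consider a comment next to that statement saying `ssm_resources` should be narrowed to a parameter-path ARN such as `arn:aws:ssm:<region>:<account>:parameter/<service>/*` in production. The explicit `effect = "Allow"` lines are redundant but harmless, as Allow is, I believe, the default for a statement in this data source.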
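Review bot: The `description` on `ssm_actions` in variables.tf still reads "Actions to allow in the policy", which no longer matches the module now that main.tf always adds a separate `ssm:DescribeParameters` statement on `"*"` and applies this list only to `ssm_resources`; update it to something like `description = "SSM actions to allow on ssm_resources (ssm:DescribeParameters is granted separately on all parameters)"`. The README table row this patch touches should carry the same wording so the two stay in step.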