Conditionally add ECS cluster SSM policies

* This conditionally adds the policies with permissions required to use
  SSM default host management configuration.
* It checks for the value of the service setting to ensure dhcm has been
  enabled to decide wether to add the policies. `aws_ssm_service_setting`
  doesn't yet have a data source (hashicorp/terraform-provider-aws#25170),
  so it uses a script along with the `external` provider instead to get
  the service setting parameters.

Author: Stretch96

README.md

@@ -21,6 +21,7 @@ This project creates and manages resources within an AWS account for infrastruct
 | <a name="provider_archive"></a> [archive](#provider\_archive) | 2.4.1 |
 | <a name="provider_aws"></a> [aws](#provider\_aws) | 5.31.0 |
 | <a name="provider_aws.awsroute53root"></a> [aws.awsroute53root](#provider\_aws.awsroute53root) | 5.31.0 |
+| <a name="provider_external"></a> [external](#provider\_external) | n/a |
 
 ## Resources
 
@@ -46,6 +47,8 @@ This project creates and manages resources within an AWS account for infrastruct
 | [aws_iam_policy.infrastructure_ecs_cluster_autoscaling_lifecycle_termination_kms_encrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_ecs_cluster_autoscaling_lifecycle_termination_sns_publish](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_ecs_cluster_ec2_ecs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.infrastructure_ecs_cluster_pass_role_ssm_dhmc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.infrastructure_ecs_cluster_ssm_service_setting_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.ecs_cluster_infrastructure_draining_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.infrastructure_ecs_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.infrastructure_ecs_cluster_autoscaling_lifecycle_termination](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
@@ -58,6 +61,8 @@ This project creates and manages resources within an AWS account for infrastruct
 | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_autoscaling_lifecycle_termination_kms_encrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_autoscaling_lifecycle_termination_sns_publish](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_ec2_ecs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_pass_role_ssm_dhmc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_ssm_service_setting_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_internet_gateway.infrastructure_public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource |
 | [aws_kms_alias.infrastructure](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_key.infrastructure](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
@@ -108,6 +113,7 @@ This project creates and manages resources within an AWS account for infrastruct
 | [aws_ami.ecs_cluster_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_route53_zone.root](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
+| [external_external.ssm_dhmc_setting](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source |
 
 ## Inputs
 

data.tf

@@ -26,3 +26,16 @@ data "aws_ami" "ecs_cluster_ami" {
     ]
   }
 }
+
+# aws_ssm_service_setting doesn't yet have a data source, so we need to use
+# a script to retrieve SSM service settings
+# https://github.com/hashicorp/terraform-provider-aws/issues/25170
+data "external" "ssm_dhmc_setting" {
+  count = local.enable_infrastructure_ecs_cluster ? 1 : 0
+
+  program = ["/bin/bash", "external-data-scripts/get-ssm-service-setting.sh"]
+
+  query = {
+    setting_id = "arn:aws:ssm:${local.aws_region}:${local.aws_account_id}:servicesetting/ssm/managed-instance/default-ec2-instance-management-role"
+  }
+}

ecs-cluster-infrastructure.tf

@@ -126,6 +126,43 @@ resource "aws_iam_role_policy_attachment" "infrastructure_ecs_cluster_ec2_ecs" {
   policy_arn = aws_iam_policy.infrastructure_ecs_cluster_ec2_ecs[0].arn
 }
 
+resource "aws_iam_policy" "infrastructure_ecs_cluster_ssm_service_setting_rw" {
+  count =  local.infrastructure_ecs_cluster_enable_ssm_dhmc ? 1 : 0
+
+  name   = "${local.resource_prefix}-ssm-service-setting-rw"
+  policy = templatefile(
+    "${path.root}/policies/ssm-service-setting-rw.json.tpl",
+    { ssm_service_setting_arn = data.external.ssm_dhmc_setting.result.arn }
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "infrastructure_ecs_cluster_ssm_service_setting_rw" {
+  count = local.infrastructure_ecs_cluster_enable_ssm_dhmc ? 1 : 0
+
+  role       = aws_iam_role.infrastructure_ecs_cluster[0].name
+  policy_arn = aws_iam_policy.infrastructure_ecs_cluster_ssm_service_setting_rw[0].arn
+}
+
+resource "aws_iam_policy" "infrastructure_ecs_cluster_pass_role_ssm_dhmc" {
+  count =  local.infrastructure_ecs_cluster_enable_ssm_dhmc ? 1 : 0
+
+  name   = "${local.resource_prefix}-pass-role-ssm-dhmc"
+  policy = templatefile(
+    "${path.root}/policies/pass-role.json.tpl",
+    {
+      role_arn = "arn:aws:iam::${local.aws_account_id}:role/${data.external.ssm_dhmc_setting.result.setting_value}",
+      service  = "ssm.amazonaws.com"
+    }
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "infrastructure_ecs_cluster_pass_role_ssm_dhmc" {
+  count = local.infrastructure_ecs_cluster_enable_ssm_dhmc ? 1 : 0
+
+  role       = aws_iam_role.infrastructure_ecs_cluster[0].name
+  policy_arn = aws_iam_policy.infrastructure_ecs_cluster_pass_role_ssm_dhmc[0].arn
+}
+
 resource "aws_iam_instance_profile" "infrastructure_ecs_cluster" {
   count = local.enable_infrastructure_ecs_cluster ? 1 : 0
 

external-data-scripts/get-ssm-service-setting.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -e
+set -o pipefail
+
+eval "$(jq -r '@sh "SSM_SERVICE_SETTING_ID=\(.setting_id)"')"
+
+SERVICE_SETTING="$(aws ssm get-service-setting --setting-id "$SSM_SERVICE_SETTING_ID" | jq -cr '.ServiceSetting')"
+
+#SETTING_ID="$(echo "$SERVICE_SETTING" | jq -cr '.SettingId')"
+#SETTING_VALUE="$(echo "$SERVICE_SETTING" | jq -cr 'SettingValue')"
+#LAST_MODIFIED_DATE="$(echo "$SERVICE_SETTING" | jq -cr '.LastModifiedDate')"
+#LAST_MODIFIED_USER="$(echo "$SERVICE_SETTING" | jq -cr '.LastModifiedUser')"
+#ARN="$(echo "$SERVICE_SETTING" | jq -cr '.ARN')"
+#STATUS="$(echo "$SERVICE_SETTING" | jq -cr '.Status')"
+#
+#jq -n \
+#  --arg setting_id "$SETTING_ID" \
+#  --arg setting_value "$SETTING_VALUE" \
+#  --arg last_modified_date "$LAST_MODIFIED_DATE" \
+#  --arg last_modified_user "$LAST_MODIFIED_USER" \
+#  --arg arn "$ARN" \
+#  --arg status "$STATUS" \
+#  '{
+#    setting_id = 
+#  }'
+
+jq -ncr --argjson service_setting "$SERVICE_SETTING" \
+  '$service_setting | {
+    setting_id: .SettingId,
+    setting_value: .SettingValue,
+    last_modified_date: .LastModifiedDate,
+    last_modified_user: .LastModifiedUser,
+    arn: .ARN,
+    status: .Status
+  }'

locals.tf

@@ -107,6 +107,7 @@ locals {
   infrastructure_ecs_cluster_min_size                              = var.infrastructure_ecs_cluster_min_size
   infrastructure_ecs_cluster_max_size                              = var.infrastructure_ecs_cluster_max_size
   infrastructure_ecs_cluster_max_instance_lifetime                 = var.infrastructure_ecs_cluster_max_instance_lifetime
+  infrastructure_ecs_cluster_enable_ssm_dhmc                       = data.external.ssm_dhmc_setting.result.setting_value != "$None"
   infrastructure_ecs_cluster_user_data = base64encode(
     templatefile("ec2-userdata/ecs-instance.tpl", {
       docker_storage_volume_device_name = local.infrastructure_ecs_cluster_ebs_docker_storage_volume_device_name,

policies/pass-role.json.tpl

@@ -0,0 +1,19 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "iam:PassRole"
+      ],
+      "Resource": "${role_arn}",
+      "Condition": {
+        "StringEquals": {
+          "iam:PassedToService": [
+            "${service}"
+          ]
+        }
+      }
+    }
+  ]
+}

policies/ssm-service-setting-rw.json.tpl

@@ -0,0 +1,14 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ssm:GetServiceSetting",
+        "ssm:ResetServiceSetting",
+        "ssm:UpdateServiceSetting"
+      ],
+      "Resource": "${ssm_service_setting_arn}"
+    }
+  ]
+}