added SSM description and example in README.md file

binbashar · May 25, 2022 · e46918e · e46918e
1 parent ac622e1
commit e46918e
Showing 1 changed file with 83 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -25,6 +25,7 @@ among others.
 * Optionally associate a public IP address with the instance.
 * DNS record with a record that points to the instance private IP / public IP.
 * Tags: both EC2 and EBS.
+* SSM support for interactive shell access via browser or AWS CLI
 
 Personally we have seen the need of creating a similar set of such resources
  for an OpenVPN instance, for Jenkins, Spinnaker, DroneCI, Prometheus, Grafana,
@@ -227,6 +228,88 @@ module "terraform-aws-basic-layout" {
     tags = local.tags
 }
 ```
+#### ec2-default-instance-profile-ssm
+
+```terraform
+module "terraform-aws-basic-layout" {
+    source = "../../"
+
+    prefix                      = var.prefix
+    name                        = var.name
+
+    aws_ami_os_id               = var.aws_ami_os_id
+    aws_ami_os_owner            = var.aws_ami_os_owner
+    instance_type               = var.instance_type
+    vpc_id                      = data.terraform_remote_state.vpc.outputs.vpc_id
+    subnet_id                   = data.terraform_remote_state.vpc.outputs.public_subnets[0]
+    associate_public_ip_address = var.associate_public_ip_address
+    key_pair_name               = data.terraform_remote_state.security.outputs.aws_key_pair_name
+    ebs_optimized               = var.ebs_optimized
+    monitoring                  = var.monitoring
+    user_data_base64            = base64encode(local.user_data)
+    enable_ssm_access           = local.enable_ssm_access
+
+    root_block_device = [
+        {
+            volume_type = "gp2"
+            volume_size = 10
+            encrypted   = true
+        },
+    ]
+
+    ebs_block_device = [
+        {
+            device_name = "/dev/sdf"
+            volume_type = "gp2"
+            volume_size = 5
+            encrypted   = true
+        },
+        {
+            device_name = "/dev/sdg"
+            volume_type = "gp2"
+            volume_size = 5
+            encrypted   = true
+        }
+    ]
+
+    security_group_rules = [
+        {
+            from_port   = 8080,
+            to_port     = 8082,
+            protocol    = "tcp",
+            cidr_blocks = [ "0.0.0.0/0" ],
+            description = "Allow nginx proxy"
+        }
+    ]
+
+    dns_records_internal_hosted_zone = [{
+        zone_id = data.terraform_remote_state.vpc.outputs.aws_internal_zone_id[0],
+        name    = "ec2-basic-layout.aws.binbash.com.ar",
+        type    = "A",
+        ttl     = 300
+    }]
+
+    dns_records_public_hosted_zone = [{
+        zone_id = data.terraform_remote_state.vpc.outputs.aws_public_zone_id[0],
+        name    = "ec2-basic-layout.binbash.com.ar",
+        type    = "A",
+        ttl     = 300
+    }]
+
+    # EC2 IAM Profile (Role + Policies)
+    cross_account_roles_resource_arn_list = [
+        "arn:aws:iam::${var.dev_account_id}:role/DevOps",
+        "arn:aws:iam::${var.shared_account_id}:role/DevOps",
+        "arn:aws:iam::${var.dev_account_id}:role/Auditor",
+        "arn:aws:iam::${var.shared_account_id}:role/Auditor",
+    ]
+    policy_arn = [
+        "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
+        "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess",
+    ]
+
+    tags = local.tags
+}
 
 #### ec2-external-instance-profile