// IAM role named "Grafana", meant to be assumed by Grafana. Who may assume it
// is decided by the trust policy document referenced in assume_role_policy;
// the role has no permissions until a policy is attached to it.
resource "aws_iam_role" "grafana_assume" {
  assume_role_policy = "${data.aws_iam_policy_document.grafana_role_assume_role_policy.json}"
  name               = "Grafana"
}
// Inline permissions policy attached to the Grafana role. The name reads
// broader than the grant: the referenced document allows only two CloudWatch
// and two EC2 read actions, so review that document rather than trusting the
// policy name when auditing this role.
resource "aws_iam_role_policy" "grafana_assume_role" {
  role   = "${aws_iam_role.grafana_assume.name}"
  name   = "ReadOnlyAccessToCloudWatchAndEC2"
  policy = "${data.aws_iam_policy_document.grafana_role.json}"
}
// Trust policy for the Grafana role: allows sts:AssumeRole from the root
// principal of every account id held in the var.aws_account_ids map.
data "aws_iam_policy_document" "grafana_role_assume_role_policy" {
  statement {
    sid    = "AllowTrustedAccountsToAssumeTheRole"
    effect = "Allow"

    actions = [
      "sts:AssumeRole",
    ]

    principals {
      type = "AWS"

      // NOTE(review): an account-root principal delegates the decision to each
      // listed account, so any identity there whose own IAM policy allows
      // sts:AssumeRole on this role can use it. If only one Grafana principal
      // needs access, consider naming that role ARN here or adding a
      // condition block; confirm which accounts var.aws_account_ids contains.
      identifiers = "${formatlist("arn:aws:iam::%s:root", values(var.aws_account_ids))}"
    }
  }
}
// Permissions granted to the Grafana role: read-only metric queries against
// CloudWatch plus instance and tag lookups in EC2. No write or mutate actions
// are listed.
data "aws_iam_policy_document" "grafana_role" {
  statement {
    sid    = "AllowReadingMetricsFromCloudWatch"
    effect = "Allow"

    // These CloudWatch actions do not support resource-level permissions, so
    // "*" is the only resource value that takes effect here.
    resources = ["*"]
    actions   = ["cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics"]
  }

  statement {
    sid    = "AllowReadingTagsFromEC2"
    effect = "Allow"

    // EC2 Describe* actions likewise do not support resource-level
    // permissions; the grant covers every instance and tag visible in the
    // account.
    resources = ["*"]
    actions   = ["ec2:DescribeInstances", "ec2:DescribeTags"]
  }
}