diff --git a/terraform/account-wide-infrastructure/dev/vars.tf b/terraform/account-wide-infrastructure/dev/vars.tf index d271c7527..83017245e 100644 --- a/terraform/account-wide-infrastructure/dev/vars.tf +++ b/terraform/account-wide-infrastructure/dev/vars.tf @@ -71,7 +71,7 @@ variable "use_powerbi_gw_custom_ami" { variable "powerbi_gw_root_volume_size" { type = number description = "Size of the root EBS volume in GB" - default = 40 + default = 120 } variable "powerbi_gw_root_volume_iops" { diff --git a/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/iam.tf b/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/iam.tf index c9de70541..25cbfb364 100644 --- a/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/iam.tf +++ b/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/iam.tf @@ -17,16 +17,20 @@ resource "aws_iam_role" "ec2_service_role" { data "aws_iam_policy_document" "ec2_service" { statement { + effect = "Allow" actions = [ + "s3:ListBucket", "s3:GetBucketLocation", + ] + resources = ["*"] + } + + statement { + actions = [ "s3:GetObject", - "s3:ListBucket", - "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload", - "s3:CreateBucket", "s3:PutObject", - "s3:PutBucketPublicAccessBlock" ] resources = compact([ @@ -70,7 +74,26 @@ data "aws_iam_policy_document" "ec2_service" { statement { actions = [ - "athena:*", + "athena:GetQueryExecution", + "athena:GetQueryResults", + "athena:GetWorkGroup", + "athena:ListTagsForResource", + "athena:TagResource", + "athena:UntagResource", + "athena:GetCatalogs", + "athena:GetExecutionEngine", + "athena:GetExecutionEngines", + "athena:GetNamespace", + "athena:GetNamespaces", + "athena:GetQueryExecutions", + "athena:GetTable", + "athena:GetTables", + "athena:ListDatabases", + "athena:ListDataCatalogs", + "athena:ListTableMetadata", + "athena:RunQuery", + "athena:CancelQueryExecution", + "athena:StartQueryExecution" ] effect = "Allow" resources = [ 
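Review bot: The new first S3 statement grants `s3:ListBucket` and `s3:GetBucketLocation` on `resources = ["*"]`, which lets the gateway's instance role enumerate the keys of every bucket in the account whose bucket policy does not deny it, while the object actions in the second statement are still scoped to the `compact([...])` list. Bucket-level actions only need the bucket ARN, so the same list without the `/*` suffix is the right scope, e.g. `resources = [for arn in compact([...]) : trimsuffix(arn, "/*")]` — the list itself continues past the end of this hunk, so confirm its entries are object ARNs before applying. The second statement also omits `effect`, which `aws_iam_policy_document` defaults to `Allow`; set `effect = "Allow"` explicitly so it matches the statement added above it.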
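Review bot: Replacing `athena:*` with an explicit action list still applies to `resources = ["*"]` (the resource list is context in the next hunk), so `athena:GetQueryResults`, `athena:CancelQueryExecution` and `athena:TagResource`/`athena:UntagResource` reach every workgroup in the account, not just the gateway's; scope those to the workgroup ARN, `arn:aws:athena:<region>:<account>:workgroup/<name>`, and keep only the catalog/list actions on `*`. Several entries — `athena:RunQuery`, `athena:GetExecutionEngine(s)`, `athena:GetNamespace(s)`, `athena:GetTable(s)`, `athena:GetCatalogs`, `athena:GetQueryExecutions` — look like the legacy JDBC-driver action names that AWS documents as deprecated; confirm against the current driver's permission list and drop the ones that are no longer evaluated so the statement reads as a deliberate minimum. `effect = "Allow"` here follows `actions` while the new S3 statement places it first; pick one ordering for the file.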
@@ -87,21 +110,45 @@ data "aws_iam_policy_document" "ec2_service" { "*" ] } -} -resource "aws_iam_policy" "ec2_service" { - name = "${var.name_prefix}-ec2" - policy = data.aws_iam_policy_document.ec2_service.json + statement { + effect = "Allow" + actions = [ + "ssm:GetDeployablePatchSnapshotForInstance", + "ssm:GetDocument", + "ssm:GetManifest", + "ssm:ListAssociations", + "ssm:ListInstanceAssociations", + "ssm:PutInventory", + "ssm:PutComplianceItems", + "ssm:PutConfigurePackageResult", + "ssm:UpdateInstanceAssociationStatus", + "ssm:UpdateInstanceInformation", + "ec2messages:AcknowledgeMessage", + "ec2messages:DeleteMessage", + "ec2messages:FailMessage", + "ec2messages:GetEndpoint", + "ec2messages:GetMessages", + "ec2messages:SendReply", + "ssmmessages:CreateControlChannel", + "ssmmessages:CreateDataChannel", + "ssmmessages:OpenControlChannel", + "ssmmessages:OpenDataChannel" + ] + resources = [ + "*" + ] + } } -resource "aws_iam_role_policy_attachment" "ec2_role_policy" { - role = aws_iam_role.ec2_service_role.name - policy_arn = aws_iam_policy.ec2_service.arn +resource "aws_iam_policy" "ec2_role_policy" { + name = "${var.name_prefix}-ec2-role-policy" + policy = data.aws_iam_policy_document.ec2_service.json } -resource "aws_iam_role_policy_attachment" "ec2_role_policy_ssm" { +resource "aws_iam_role_policy_attachment" "ec2_role_policy_attachment" { role = aws_iam_role.ec2_service_role.name - policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" + policy_arn = aws_iam_policy.ec2_role_policy.arn } resource "aws_iam_instance_profile" "powerbi_profile" { diff --git a/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/vars.tf b/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/vars.tf index 74d4a7010..0479057d4 100644 --- a/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/vars.tf +++ b/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/vars.tf 
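Review bot: The inline SSM statement that replaces `AmazonSSMManagedInstanceCore` drops `ssm:DescribeAssociation`, `ssm:DescribeDocument` and `ssm:UpdateAssociationStatus` along with `ssm:GetParameter`/`ssm:GetParameters`; removing the Parameter Store reads is a genuine least-privilege gain, but State Manager associations and Patch Manager use the Describe calls, so verify Session Manager and patching still work on the instance after the swap. Record the intent above the statement so the next reader does not "fix" it back to the managed policy: `# Hand-rolled subset of AmazonSSMManagedInstanceCore: intentionally omits ssm:GetParameter* so the gateway role cannot read Parameter Store.` Renaming `aws_iam_policy.ec2_service` to `ec2_role_policy` with a new `name` forces Terraform to destroy and recreate the customer-managed policy and its attachment, leaving the role briefly without S3/Athena permissions during apply; if the policy name does not have to change, keep the old `name` and, where the Terraform version supports it, add a `moved` block instead.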
@@ -10,7 +10,7 @@ variable "use_custom_ami" {} variable "root_volume_size" { type = number description = "Size of the root EBS volume in GB" - default = 40 + default = 120 } variable "root_volume_iops" { type = number