Enable AWS Systems Manager for the Beanstalk EC2 instances and the bastion

55b94b0f · Craig Andrews · 92ad2042 · 55b94b0f
Commit 55b94b0f authored Oct 02, 2019 by Craig Andrews
--- a/cloudformation.json
+++ b/cloudformation.json
@@ -1617,6 +1617,35 @@
 				"SourceType": "db-instance"
 			}
 		},
+		"BastionIamRole": {
+			"Type" : "AWS::IAM::Role",
+			"Properties" : {
+				"AssumeRolePolicyDocument": {
+					"Version" : "2012-10-17",
+					"Statement": [ {
+						"Effect": "Allow",
+						"Principal": {
+						"Service": [ "ec2.amazonaws.com" ]
+					},
+					"Action": [ "sts:AssumeRole" ]
+					} ]
+				},
+				"ManagedPolicyArns" : [
+					"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
+					"arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
+				]
+			}
+		},
+		"BastionIamInstanceProfile": {
+			"Type" : "AWS::IAM::InstanceProfile",
+			"Properties" : {
+				"Roles" : [
+					{
+						"Ref": "BastionIamRole"
+					}
+				]
+			}
+		},
 		"BastionHost": {
 			"DependsOn": [
 				"MountTarget1",
@@ -1628,6 +1657,9 @@
 			"Condition": "BastionEnabled",
 			"Properties": {
 				"InstanceType": "t3.nano",
+				"IamInstanceProfile":{
+					"Ref": "BastionIamInstanceProfile"
+				},
 				"KeyName": {
 					"Ref": "KeyPair"
 				},
@@ -1663,6 +1695,7 @@
 								"repo_upgrade: all",
 								"",
 								"packages:",
+								"  - amazon-ssm-agent",
 								"  - amazon-efs-utils",
 								"  - cachefilesd",
 								"  - git",
@@ -1806,6 +1839,35 @@
 				}
 			}
 		},
+		"BeanstalkInstanceIamRole": {
+			"Type" : "AWS::IAM::Role",
+			"Properties" : {
+				"AssumeRolePolicyDocument": {
+					"Version" : "2012-10-17",
+					"Statement": [ {
+						"Effect": "Allow",
+						"Principal": {
+						"Service": [ "ec2.amazonaws.com" ]
+					},
+					"Action": [ "sts:AssumeRole" ]
+					} ]
+				},
+				"ManagedPolicyArns" : [
+					"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
+					"arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier"
+				]
+			}
+		},
+		"BeanstalkInstanceIamInstanceProfile": {
+			"Type" : "AWS::IAM::InstanceProfile",
+			"Properties" : {
+				"Roles" : [
+					{
+						"Ref": "BeanstalkInstanceIamRole"
+					}
+				]
+			}
+		},
 		"BeanstalkEnvironment": {
 			"DependsOn": [
 				"DBSecurityGroupUpdate",
@@ -1876,7 +1938,10 @@
 					{
 						"Namespace": "aws:autoscaling:launchconfiguration",
 						"OptionName": "IamInstanceProfile",
-						"Value": "aws-elasticbeanstalk-ec2-role"
+						"Value":
+							{
+								"Ref": "BeanstalkInstanceIamInstanceProfile"
+							}
 					},
 					{
 						"Namespace": "aws:autoscaling:launchconfiguration",