Adding SSM role to EC2 instance to connect not via SSH

thisisqubika · Apr 1, 2024 · 758d8e1 · 758d8e1
1 parent ea89a7b
commit 758d8e1
Showing 1 changed file with 54 additions and 1 deletion.
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -147,7 +147,9 @@ resource "aws_instance" "milvus_instance" {
   key_name                    = var.key_name
   subnet_id                   = aws_subnet.vectorstore_subnet.id
   vpc_security_group_ids      = [aws_security_group.milvus_sg_api.id]
-  associate_public_ip_address = true // This line assigns a public IP address to your instance
+  associate_public_ip_address = true
+
+  iam_instance_profile        = "SSMInstanceProfile"  # Attach the instance profile here
 
   user_data = file("${path.module}/../create-milvus.sh")
 
@@ -160,3 +162,54 @@ resource "aws_instance" "milvus_instance" {
   }
 }
 
+
+# resource "aws_instance" "milvus_instance" {
+#   ami                         = var.ami
+#   instance_type               = var.instance_type
+#   key_name                    = var.key_name
+#   subnet_id                   = aws_subnet.vectorstore_subnet.id
+#   vpc_security_group_ids      = [aws_security_group.milvus_sg_api.id]
+#   associate_public_ip_address = true // This line assigns a public IP address to your instance
+
+#   user_data = file("${path.module}/../create-milvus.sh")
+
+#   root_block_device {
+#     volume_size = 30
+#   }
+
+#   tags = {
+#     Name = "Milvus-db-for-api"
+#   }
+# }
+
+
+
+# create SSMRoleForEC2 that the EC2 instance needs to assume to connect via System Manager , instead of via SSH
+
+resource "aws_iam_role" "ssm_role" {
+  name = "SSMRoleForEC2"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "ec2.amazonaws.com"
+        }
+        Sid = ""
+      },
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ssm_policy_attachment" {
+  role       = aws_iam_role.ssm_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonSSMManagedInstanceCore"
+}
+
+resource "aws_iam_instance_profile" "ssm_instance_profile" {
+  name = "SSMInstanceProfile"
+  role = aws_iam_role.ssm_role.name
+}