feat: add SSM write permissions

README.md

@@ -71,23 +71,26 @@ Here is an example of using this module:
 
 ## Providers
 
-| Name                                                               | Version   |
-| ------------------------------------------------------------------ | --------- |
-| <a name="provider_tailscale"></a> [tailscale](#provider_tailscale) | >= 0.13.7 |
+| Name                                                               | Version |
+| ------------------------------------------------------------------ | ------- |
+| <a name="provider_aws"></a> [aws](#provider_aws)                   | 5.76.0  |
+| <a name="provider_tailscale"></a> [tailscale](#provider_tailscale) | 0.17.2  |
 
 ## Modules
 
 | Name                                                                                                     | Source                             | Version |
 | -------------------------------------------------------------------------------------------------------- | ---------------------------------- | ------- |
+| <a name="module_ssm_policy"></a> [ssm_policy](#module_ssm_policy)                                        | cloudposse/iam-policy/aws          | 2.0.1   |
 | <a name="module_ssm_state"></a> [ssm_state](#module_ssm_state)                                           | cloudposse/ssm-parameter-store/aws | 0.13.0  |
 | <a name="module_tailscale_subnet_router"></a> [tailscale_subnet_router](#module_tailscale_subnet_router) | masterpointio/ssm-agent/aws        | 1.2.0   |
 | <a name="module_this"></a> [this](#module_this)                                                          | cloudposse/label/null              | 0.25.0  |
 
 ## Resources
 
-| Name                                                                                                                           | Type     |
-| ------------------------------------------------------------------------------------------------------------------------------ | -------- |
-| [tailscale_tailnet_key.default](https://registry.terraform.io/providers/tailscale/tailscale/latest/docs/resources/tailnet_key) | resource |
+| Name                                                                                                                                             | Type     |
+| ------------------------------------------------------------------------------------------------------------------------------------------------ | -------- |
+| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [tailscale_tailnet_key.default](https://registry.terraform.io/providers/tailscale/tailscale/latest/docs/resources/tailnet_key)                   | resource |
 
 ## Inputs
 

main.tf

@@ -14,6 +14,8 @@ locals {
 
   tailscale_up_extra_flags_enabled = length(var.tailscale_up_extra_flags) > 0
 
+  additional_policies = length(try(module.ssm_policy[0].arn, [])) > 0 ? [module.ssm_policy[0].arn] : []
+
   userdata = templatefile("${path.module}/userdata.sh.tmpl", {
     authkey           = tailscale_tailnet_key.default.key
     exit_node_enabled = var.exit_node_enabled
@@ -90,3 +92,32 @@ module "ssm_state" {
   context = module.this.context
   tags    = module.this.tags
 }
+
+module "ssm_policy" {
+  count   = var.ssm_state_enabled ? 1 : 0
+  source  = "cloudposse/iam-policy/aws"
+  version = "2.0.1"
+
+  name        = "ssm"
+  description = "Additional SSM access for SSM Agent"
+  iam_policy = [{
+    statements = [
+      {
+        sid     = "SSMAgentPutParameter"
+        effect  = "Allow"
+        actions = ["ssm:PutParameter"]
+        resources = [
+          module.ssm_state[0].arn_map[local.ssm_state_param_name],
+        ]
+      },
+    ]
+  }]
+  context = module.this.context
+  tags    = module.this.tags
+}
+
+resource "aws_iam_role_policy_attachment" "default" {
+  for_each   = toset(local.additional_policies)
+  role       = module.tailscale_subnet_router.role_id
+  policy_arn = each.value
+}