diff --git a/vpc-v2.cfhighlander.rb b/vpc-v2.cfhighlander.rb
index f2d010f..5e46688 100644
--- a/vpc-v2.cfhighlander.rb
+++ b/vpc-v2.cfhighlander.rb
@@ -2,6 +2,8 @@ CfhighlanderTemplate do
   Name 'vpc-v2'
+
+  DependsOn 'lib-iam@0.1.0'
   Parameters do
     ComponentParam 'EnvironmentName', 'dev', isGlobal: true
diff --git a/vpc-v2.cfndsl.rb b/vpc-v2.cfndsl.rb
index cf841b7..3ebdbb4 100644
--- a/vpc-v2.cfndsl.rb
+++ b/vpc-v2.cfndsl.rb
@@ -140,24 +140,9 @@
   IAM_Role(:NatInstanceRole) {
     Condition(:NatInstance)
-    AssumeRolePolicyDocument service_role_assume_policy('ec2')
+    AssumeRolePolicyDocument service_assume_role_policy('ec2')
     Path '/'
-    Policies([
-      iam_policy_allow('eni-attach',
-        'ec2:AttachNetworkInterface',
-        '*'
-      ),
-      iam_policy_allow('session-manager',
-        %w(ssm:UpdateInstanceInformation
-          ssm:ListInstanceAssociations
-          ec2messages:GetMessages
-          ssmmessages:CreateControlChannel
-          ssmmessages:CreateDataChannel
-          ssmmessages:OpenControlChannel
-          ssmmessages:OpenDataChannel),
-        '*'
-      )
-    ])
+    Policies iam_role_policies(nat_iam_policies)
   }
   InstanceProfile(:NatInstanceProfile) {
diff --git a/vpc-v2.config.yaml b/vpc-v2.config.yaml
index fabac4e..767917b 100644
--- a/vpc-v2.config.yaml
+++ b/vpc-v2.config.yaml
@@ -70,4 +70,7 @@ endpoint_subnets: Compute
 ip_blocks:
   public:
     - 0.0.0.0/0
-
\ No newline at end of file
+
+nat_iam_policies:
+  eni-attach:
+    action: ec2:AttachNetworkInterface
\ No newline at end of file
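Review bot: The `session-manager` inline policy removed from `IAM_Role(:NatInstanceRole)` (the seven `ssm:`, `ec2messages:` and `ssmmessages:` actions) is not carried over into the new config-driven list, because the `nat_iam_policies` block added in the vpc-v2.config.yaml hunk defines only `eni-attach`; NAT instances built from this template therefore lose Session Manager access unless that is intended. If it is not, re-add a `session-manager` entry under `nat_iam_policies` in vpc-v2.config.yaml whose `action` lists those seven actions removed here, and say so in the commit description. With `Policies iam_role_policies(nat_iam_policies)` the config file now decides what the NAT role may do, so any environment-level override of that key widens the role's permissions; a comment such as `# NAT role policies are sourced from nat_iam_policies in config — review overrides as IAM changes` next to the `Policies` line would make that boundary visible to the next maintainer. The bare `nat_iam_policies` lookup presumably fails at render time rather than producing an empty list when a config omits the key — confirm, or read it via `external_parameters.fetch(:nat_iam_policies, {})` if the helper accepts an empty hash. The `InstanceProfile(:NatInstanceProfile)` block at the end of the hunk continues outside it.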
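Review bot: The new `eni-attach` entry gives only `action: ec2:AttachNetworkInterface` and no `resource`, so the effective resource scope of the statement now depends on whatever default `iam_role_policies` from lib-iam applies — presumably `*`, matching the removed Ruby, but that is inferred rather than visible here. Stating it explicitly as `resource: '*'` under `eni-attach` keeps the grant reviewable in the config file itself and avoids a silent change if the helper's default ever changes. The added lines also end with `\ No newline at end of file`; finishing the file with a newline avoids a spurious diff on the next edit.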