cloudposse · LawrenceWarren · Mar 22, 2021 · Mar 22, 2021 · Feb 2, 2022 · Feb 2, 2022
@@ -0,0 +1,9 @@
+module "cloudwatch_logs" {
+  count             = module.this.enabled && var.cloudwatch_logs_enabled == true ? 1 : 0
+  source            = "cloudposse/cloudwatch-logs/aws"
+  version           = "0.6.4"
+  context           = module.this.context
+  attributes        = ["log-group"]
+  kms_key_arn       = var.kms_key_arn != "" ? var.kms_key_arn : null
+  retention_in_days = var.retention_in_days
+}
@@ -14,6 +14,13 @@ resource "aws_iam_role" "default" {
   assume_role_policy = data.aws_iam_policy_document.default.json
 }
 
+resource "aws_iam_role_policy_attachment" "existing_policies" {
+  count      = module.this.enabled && length(var.existing_policy_arns) > 0 ? length(var.existing_policy_arns) : 0
+  role       = aws_iam_role.default[0].name
+  policy_arn = var.existing_policy_arns[count.index]
+}
+
+
 resource "aws_iam_role_policy" "main" {
   count  = module.this.enabled && local.create_instance_profile ? 1 : 0
   name   = module.this.id
@@ -100,4 +107,24 @@ data "aws_iam_policy_document" "main" {
 
     resources = ["*"]
   }
+
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "kms:Decrypt"
+    ]
+
+    resources = [var.kms_key_arn]
+  }
+
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "kms:GenerateDataKey"
+    ]
+
+    resources = ["*"]
+  }
 }
@@ -86,6 +86,7 @@ resource "aws_instance" "default" {
       volume_size           = var.ebs_block_device_volume_size
       delete_on_termination = var.ebs_delete_on_termination
       device_name           = var.ebs_device_name
+      tags                  = module.this.tags
     }
   }
 

@@ -19,6 +19,11 @@ then
     systemctl enable amazon-ssm-agent
     systemctl start amazon-ssm-agent
     systemctl status amazon-ssm-agent
+
+    sudo mkdir -p /etc/amazon/ssm
+    sudo cp -pr /snap/amazon-ssm-agent/current/* /etc/amazon/ssm
+    sudo cp -p /etc/amazon/ssm/seelog.xml.template /etc/amazon/ssm/seelog.xml
+
 else
     systemctl disable amazon-ssm-agent
     systemctl stop amazon-ssm-agent

@@ -182,8 +182,8 @@ variable "security_group_rules" {
     }
   ]
   description = <<-EOT
-    A list of maps of Security Group rules. 
-    The values of map is fully complated with `aws_security_group_rule` resource. 
+    A list of maps of Security Group rules.
+    The values of map is fully complated with `aws_security_group_rule` resource.
     To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule .
   EOT
 }
@@ -217,3 +217,29 @@ variable "instance_profile" {
   description = "A pre-defined profile to attach to the instance (default is to build our own)"
   default     = ""
 }
+
+variable "existing_policy_arns" {
+  description = "(Optional) - A list of existing policy ARNs to associate with the role"
+  type        = list(string)
+  default     = []
+}
+
+variable "cloudwatch_logs_enabled" {
+  type        = bool
+  default     = false
+  description = "(Optional) - Flag to enable session logs to ship to a CloudWatch log group"
+}
+
+variable "kms_key_arn" {
+  description = <<-EOT
+  (Optional) - The ARN of the KMS Key to use when encrypting log data.
+  Please note, after the AWS KMS CMK is disassociated from the log group, AWS CloudWatch Logs stops encrypting newly ingested data for the log group.
+  All previously ingested data remains encrypted, and AWS CloudWatch Logs requires permissions for the CMK whenever the encrypted data is requested.
+  EOT
+  default     = ""
+}
+
+variable "retention_in_days" {
+  description = "(Optional) - Number of days you want to retain log events in the log group"
+  default     = "30"
+}