# ---------------------------
# IAM policy
# ---------------------------
# Allows EC2 instances to be connected to via Session Manager (SSM).

# Trust policy: only the EC2 service principal may assume the role.
data "aws_iam_policy_document" "cmdb_assume_role_for_ec2" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

# IAM role that the instances assume; trusts the document above.
resource "aws_iam_role" "cmdb_ssm_role" {
  name               = "cmdb-ssm-role"
  assume_role_policy = data.aws_iam_policy_document.cmdb_assume_role_for_ec2.json
}

# Look up the AWS-managed policy that gives the SSM agent its permissions.
# NOTE(review): this is the baseline managed policy only; if session logs are
# shipped to S3 or CloudWatch Logs, the role also needs write access to those
# targets — confirm against the Session Manager preferences in use.
data "aws_iam_policy" "cmdb_ssm_core" {
  name = "AmazonSSMManagedInstanceCore"
}

# Attach the managed policy to the role (no inline policy is defined here).
resource "aws_iam_role_policy_attachment" "cmdb_ssm_policy_attachment" {
  role       = aws_iam_role.cmdb_ssm_role.name
  policy_arn = data.aws_iam_policy.cmdb_ssm_core.arn
}

# Instance profile that hands the role to the EC2 instances.
resource "aws_iam_instance_profile" "cmdb_ssm_instance_profile" {
  name = "cmdb-ssm-instance-profile"
  role = aws_iam_role.cmdb_ssm_role.name
}