Documentation Index
Fetch the complete documentation index at: https://mintlify.com/mcamacho97/terraform-mean-stack-aws/llms.txt
Use this file to discover all available pages before exploring further.
The iam module provisions the IAM resources required for AWS Systems Manager (SSM) access across all three EC2 instances: both public Node.js servers and the private MongoDB instance. By attaching the AmazonSSMManagedInstanceCore managed policy, every instance can register with the SSM service at boot, eliminating the need for a bastion host or open SSH ports to reach the private MongoDB instance. The resulting instance profile is passed to the ec2-instance module, which attaches it to each instance at launch.
Resources Created
| Resource | Terraform name | Description |
|---|---|---|
| aws_iam_role | ec2 | IAM role named <project_name>-ec2-role with an EC2 service trust policy |
| aws_iam_role_policy_attachment | ssm | Attaches the AmazonSSMManagedInstanceCore AWS-managed policy to the role |
| aws_iam_instance_profile | this | Instance profile named <project_name>-instance-profile wrapping the role |
Trust Policy
The IAM role uses the following trust policy, which allows the EC2 service to assume the role on behalf of any instance the profile is attached to:
What AmazonSSMManagedInstanceCore Enables
Attaching this managed policy grants the following capabilities to every EC2 instance in the stack:
| Capability | Description |
|---|---|
| SSM Agent registration | Instances register with the SSM service on startup and appear in the Systems Manager Fleet Manager console |
| Session Manager shell access | Interactive shell sessions via aws ssm start-session — no SSH or open ports required |
| Run Command | Execute shell commands on one or more instances remotely from the AWS console or CLI |
| Parameter Store (read) | Instances can read SSM Parameter Store values (useful for injecting secrets at runtime) |
| Patch Manager | Instances can be scanned and patched through AWS Systems Manager Patch Manager |
Input Variables
| Variable | Description |
|---|---|
| project_name | Prefix for the IAM role name (<project_name>-ec2-role) and the instance profile name (<project_name>-instance-profile) |
Outputs
The name of the IAM instance profile. It is defined inline in main.tf and consumed by the ec2-instance module via the iam_instance_profile variable in all three instance calls.
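The following Terraform is an added example reconstructing the three resources, the input variable and the output described on this page; it is not the project's own main.tf. The resource names (ec2, ssm, this), the naming pattern and the variable name are taken from the tables above. The trust policy body is the standard EC2 service trust policy (the "EC2 service trust policy" the resources table refers to), and the output name instance_profile_name is an assumption, since the page does not state it.

```hcl
# Added example, not the project's file. Assumed: the output name
# instance_profile_name; everything else follows the page's tables.

variable "project_name" {
  description = "Prefix for the IAM role name (<project_name>-ec2-role) and instance profile name (<project_name>-instance-profile)."
  type        = string
}

# Trust policy: only the EC2 service principal may call sts:AssumeRole on
# this role. No IAM users, other accounts or other services are trusted,
# so the role is usable only by instances carrying the instance profile.
data "aws_iam_policy_document" "ec2_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "ec2" {
  name               = "${var.project_name}-ec2-role"
  assume_role_policy = data.aws_iam_policy_document.ec2_trust.json
}

# AWS-managed policy that lets the SSM Agent register the instance,
# receive Session Manager / Run Command traffic and read Parameter Store.
# Referenced by ARN, so no policy JSON is maintained in this module.
resource "aws_iam_role_policy_attachment" "ssm" {
  role       = aws_iam_role.ec2.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

# The instance profile is what EC2 actually attaches at launch; it wraps
# exactly one role.
resource "aws_iam_instance_profile" "this" {
  name = "${var.project_name}-instance-profile"
  role = aws_iam_role.ec2.name
}

# Consumed by the ec2-instance module through its iam_instance_profile
# variable in all three instance calls.
output "instance_profile_name" {
  value = aws_iam_instance_profile.this.name
}
```

Two points a reviewer would check against this shape. First, the role only authorises the agent; the private MongoDB instance still needs a network path to the ssm, ssmmessages and ec2messages endpoints (VPC interface endpoints or a NAT route) before it can register and accept `aws ssm start-session`, which is a concern of the networking modules, not this one. Second, the Parameter Store read that the capabilities table lists is granted by the managed policy on all parameters in the account, so all three instances can read the same parameters; if the MongoDB credentials should not be readable from the public Node.js servers, that separation has to come from an additional, instance-specific policy rather than from this shared role.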