From 3a55d5a6c4aaee6a002c771542792bb86383baf8 Mon Sep 17 00:00:00 2001
From: Thomas North
Date: Wed, 8 Jul 2020 17:20:08 +0100
Subject: [PATCH] Allow instances to kill themselves via ASG custom health check
---
 ...-07-08-PLAT-4678_perms-for-set-instance-health.yml | 4 ++++
 iam_child.tf | 11 +++++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 CHANGELOG/2020-07-08-PLAT-4678_perms-for-set-instance-health.yml
diff --git a/CHANGELOG/2020-07-08-PLAT-4678_perms-for-set-instance-health.yml b/CHANGELOG/2020-07-08-PLAT-4678_perms-for-set-instance-health.yml
new file mode 100644
index 0000000..c847caa
--- /dev/null
+++ b/CHANGELOG/2020-07-08-PLAT-4678_perms-for-set-instance-health.yml
@@ -0,0 +1,4 @@
+- type: added
+ m: Allow instances to set themselves as unhealthy so that Autoscaling can kill them.
+ jira: PLAT-4678
+ owner: tomnorth
diff --git a/iam_child.tf b/iam_child.tf
index d0d9595..7b04ad4 100644
--- a/iam_child.tf
+++ b/iam_child.tf
@@ -56,6 +56,17 @@ data "aws_iam_policy_document" "bastion_service_assume_role_in_parent" {
 var.assume_role_arn,
 ]
 }
+
+ # Allow instances to mark themselves unhealthy
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "autoscaling:SetInstanceHealth"
+ ]
+
+ resources = ["*"]
+ }
 }
 resource "aws_iam_policy" "bastion_service_assume_role_in_parent" {
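Review bot: `resources = ["*"]` on the new `autoscaling:SetInstanceHealth` statement lets any holder of this role mark instances in every Auto Scaling group in the account unhealthy, not only the instance itself as the comment says. A compromised or misbehaving bastion could therefore get unrelated instances terminated and replaced. SetInstanceHealth supports resource-level permissions on the Auto Scaling group, so the statement can be narrowed to this module's group, e.g. `resources = [<ARN of the bastion Auto Scaling group>]` (placeholder; the group's resource name is not visible in this hunk). If referencing the group directly creates a dependency cycle with the instance profile, build the ARN from the known group name or restrict the statement with an `autoscaling:ResourceTag/<key>` condition instead. The statement also lands in the `bastion_service_assume_role_in_parent` document, whose name no longer describes everything it grants; that data block begins outside the hunk.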