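#!/usr/bin/env bash
# Create the IAM role that EventBridge assumes to run the AWS-RunShellScript
# document through SSM Run Command on EC2 instances tagged
# DeploymentGroup=<EC2_TAG_VALUE>.
#
# Least-privilege notes:
#   * The role gets ONLY the inline policy below: ssm:SendCommand scoped to one
#     document and to instances carrying the deployment-group tag, plus
#     read-only ssm:GetCommandInvocation. No managed "*FullAccess" policies are
#     attached — AmazonSSMFullAccess would grant ssm:* on every instance and
#     make the tag condition meaningless, and an EventBridge role has no reason
#     to hold AmazonEC2ContainerRegistryFullAccess (instances that pull images
#     get ECR rights through their own instance profile).
#   * The tag condition uses the ssm:resourceTag/<key> condition key, which is
#     the key SSM evaluates for SendCommand; ec2:ResourceTag/<key> is an EC2 API
#     key and is not matched on SSM calls.
#   * The trust policy pins the caller to this account (aws:SourceAccount) so a
#     rule in another account cannot assume the role via events.amazonaws.com
#     (confused-deputy mitigation).
#
# Requires: aws CLI with credentials allowed to call sts:GetCallerIdentity,
#           iam:CreateRole and iam:PutRolePolicy.
set -euo pipefail

readonly REGION="ap-northeast-2"
readonly EC2_TAG_VALUE="skills-deployment-group" # value of the DeploymentGroup tag on target EC2 instances
readonly ROLE_NAME="eventbridge-ssm-role"
readonly POLICY_NAME="eventbridge-ssm-policy"

# Resolve the account id up front and refuse to continue if it is not a
# 12-digit id, so an empty value is never interpolated into the policy ARNs.
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
if [[ ! "$ACCOUNT_ID" =~ ^[0-9]{12}$ ]]; then
  printf 'error: could not resolve AWS account id (got %q)\n' "$ACCOUNT_ID" >&2
  exit 1
fi
readonly ACCOUNT_ID

# Trust policy: only the EventBridge service principal, and only when the
# calling rule lives in this account.
trust_policy=$(cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "${ACCOUNT_ID}"
        }
      }
    }
  ]
}
EOF
)

aws iam create-role \
  --role-name "$ROLE_NAME" \
  --assume-role-policy-document "$trust_policy"

# Permission policy. The document and instance resources are separate
# statements: the tag condition only makes sense for the instance resource.
# NOTE(review): the document ARN keeps the account id from the original; AWS
# examples for AWS-owned documents sometimes use "*" in the account field —
# verify this form if SendCommand is denied once the managed policies are gone.
# ssm:GetCommandInvocation is retained from the original; EventBridge itself
# presumably needs only SendCommand, so drop it if nothing polls command status.
permission_policy=$(cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RunShellScriptDocumentOnly",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": "arn:aws:ssm:${REGION}:${ACCOUNT_ID}:document/AWS-RunShellScript"
    },
    {
      "Sid": "TaggedInstancesOnly",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": "arn:aws:ec2:${REGION}:${ACCOUNT_ID}:instance/*",
      "Condition": {
        "StringEquals": {
          "ssm:resourceTag/DeploymentGroup": "${EC2_TAG_VALUE}"
        }
      }
    },
    {
      "Sid": "ReadCommandStatus",
      "Effect": "Allow",
      "Action": "ssm:GetCommandInvocation",
      "Resource": "*"
    }
  ]
}
EOF
)

aws iam put-role-policy \
  --role-name "$ROLE_NAME" \
  --policy-name "$POLICY_NAME" \
  --policy-document "$permission_policy"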