From 471cddf7a460674caae5a065ad793a8fb17c60b7 Mon Sep 17 00:00:00 2001
From: Ben
Date: Tue, 17 May 2022 22:05:26 +0000
Subject: [PATCH 1/3] example: ec2: document "minimal" policy
---
 examples/aws-linux/README.md | 60 ++++++++++++++++++++++++++++++++++++
 examples/aws-linux/main.tf | 5 +++
 2 files changed, 65 insertions(+)
diff --git a/examples/aws-linux/README.md b/examples/aws-linux/README.md
index 6bc248d3ba837..88f871a244f0e 100644
--- a/examples/aws-linux/README.md
+++ b/examples/aws-linux/README.md
@@ -3,3 +3,63 @@ name: Develop in Linux on AWS EC2
 description: Get started with Linux development on AWS EC2.
 tags: [cloud, aws]
 ---
+
+# aws-linux
+
+## Getting started
+
+Pick this template in `coder templates init` and follow instructions.
+
+## Required permissions / policy
+
+This example policy allows Coder to create EC2 instances and modify instances provisioned by Coder.
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:GetDefaultCreditSpecification",
+ "ec2:DescribeInstances",
+ "ec2:DescribeIamInstanceProfileAssociations",
+ "ec2:DescribeTags",
+ "ec2:CreateTags",
+ "ec2:DescribeInstanceAttribute",
+ "ec2:RunInstances",
+ "ec2:DescribeInstanceCreditSpecifications",
+ "ec2:DescribeImages",
+ "ec2:ModifyInstanceCreditSpecification",
+ "ec2:ModifyDefaultCreditSpecification",
+ "ec2:DescribeVolumes"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "CoderResouces",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeInstances",
+ "ec2:UnmonitorInstances",
+ "ec2:TerminateInstances",
+ "ec2:StartInstances",
+ "ec2:StopInstances",
+ "ec2:DeleteTags",
+ "ec2:MonitorInstances",
+ "ec2:CreateTags",
+ "ec2:RunInstances",
+ "ec2:ModifyInstanceAttribute"
+ ],
+ "Resource": "arn:aws:ec2:*:*:instance/*",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/Coder_Provisioned": "true"
+ }
+ }
+ }
+ ]
+}
+```
+
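Review bot: The `aws:ResourceTag/Coder_Provisioned` condition in the `CoderResouces` statement cannot scope `ec2:RunInstances`, because the instance being launched carries no tags yet when the request is authorized; launches are scoped with `aws:RequestTag/Coder_Provisioned`, and `ec2:CreateTags` is tied to the launch with the `ec2:CreateAction` condition key, so that tag-on-launch pattern is what the README's claim "modify instances provisioned by Coder" actually needs. In any case the first statement already grants `ec2:RunInstances` and `ec2:CreateTags` on `"Resource": "*"` with no condition, and IAM unions Allow statements, so the condition on those two actions in the second statement restricts nothing; an unconditioned `ec2:CreateTags` on `*` also lets the credential tag any existing instance `Coder_Provisioned=true` and thereby bring it under the second statement. I would keep `"Resource": "*"` for the Describe*/GetDefault* actions and for the non-instance resource types RunInstances touches (image, subnet, security-group, network-interface, volume, key-pair), and move the instance-level RunInstances and CreateTags grants into tag-conditioned statements along the lines of the sketch below (Sids are placeholders). Separately, `"Sid": "CoderResouces"` is misspelled (`CoderResources`), and `VisualEditor0` is a console-generated name worth replacing with something descriptive.
```json
{
  "Sid": "CoderLaunchInstances",
  "Effect": "Allow",
  "Action": "ec2:RunInstances",
  "Resource": "arn:aws:ec2:*:*:instance/*",
  "Condition": {
    "StringEquals": { "aws:RequestTag/Coder_Provisioned": "true" }
  }
},
{
  "Sid": "CoderTagOnLaunch",
  "Effect": "Allow",
  "Action": "ec2:CreateTags",
  "Resource": "arn:aws:ec2:*:*:instance/*",
  "Condition": {
    "StringEquals": { "ec2:CreateAction": "RunInstances" }
  }
}
```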
diff --git a/examples/aws-linux/main.tf b/examples/aws-linux/main.tf
index b5fc1f3283ea4..d6eb41a2da6ac 100644
--- a/examples/aws-linux/main.tf
+++ b/examples/aws-linux/main.tf
@@ -11,6 +11,9 @@ variable "access_key" { description = <
Date: Tue, 17 May 2022 22:20:16 +0000
Subject: [PATCH 2/3] move DescribeInstances
---
 examples/aws-linux/README.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/examples/aws-linux/README.md b/examples/aws-linux/README.md
index 88f871a244f0e..2a436be36691d 100644
--- a/examples/aws-linux/README.md
+++ b/examples/aws-linux/README.md
@@ -23,11 +23,9 @@ This example policy allows Coder to create EC2 instances and modify instances pr
 "Effect": "Allow",
 "Action": [
 "ec2:GetDefaultCreditSpecification",
- "ec2:DescribeInstances",
 "ec2:DescribeIamInstanceProfileAssociations",
 "ec2:DescribeTags",
 "ec2:CreateTags",
- "ec2:DescribeInstanceAttribute",
 "ec2:RunInstances",
 "ec2:DescribeInstanceCreditSpecifications",
 "ec2:DescribeImages",
@@ -42,6 +40,7 @@ This example policy allows Coder to create EC2 instances and modify instances pr
 "Effect": "Allow",
 "Action": [
 "ec2:DescribeInstances",
+ "ec2:DescribeInstanceAttribute",
 "ec2:UnmonitorInstances",
 "ec2:TerminateInstances",
 "ec2:StartInstances",
From ded77298c34887d702e653aee4b1f6ffa0db90eb Mon Sep 17 00:00:00 2001
From: Ben
Date: Tue, 17 May 2022 22:20:56 +0000
Subject: [PATCH 3/3] move ModifyInstanceCreditSpecification
---
 examples/aws-linux/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/examples/aws-linux/README.md b/examples/aws-linux/README.md
index 2a436be36691d..bf50e661334bc 100644
--- a/examples/aws-linux/README.md
+++ b/examples/aws-linux/README.md
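Review bot: After the first README hunk `ec2:DescribeInstances`, and after the second hunk `ec2:DescribeInstanceAttribute` too, is granted only in the statement whose `Resource` is `arn:aws:ec2:*:*:instance/*`, but as far as I know neither Describe action supports resource-level permissions and both have to be allowed on `"Resource": "*"`, so after this change the provisioner's instance lookups are likely denied. I would keep `"ec2:DescribeInstances",` and `"ec2:DescribeInstanceAttribute",` in the first statement and move only actions that take an instance ARN (Start/Stop/Terminate/Monitor/Unmonitor, DeleteTags, ModifyInstanceAttribute) into the tag-scoped one; the IAM policy simulator will settle it either way. The main.tf hunk at the top of this line is truncated in this view, so I have not reviewed it.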
@@ -29,7 +29,6 @@ This example policy allows Coder to create EC2 instances and modify instances pr
 "ec2:RunInstances",
 "ec2:DescribeInstanceCreditSpecifications",
 "ec2:DescribeImages",
- "ec2:ModifyInstanceCreditSpecification",
 "ec2:ModifyDefaultCreditSpecification",
 "ec2:DescribeVolumes"
 ],
@@ -49,7 +48,8 @@ This example policy allows Coder to create EC2 instances and modify instances pr
 "ec2:MonitorInstances",
 "ec2:CreateTags",
 "ec2:RunInstances",
- "ec2:ModifyInstanceAttribute"
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyInstanceCreditSpecification"
 ],
 "Resource": "arn:aws:ec2:*:*:instance/*",
 "Condition": {