We've enabled Session Manager on all instance in tvlk-prod*. Previously, not all instances have sufficient IAM permission and required version of SSM agent.
What is the impact to production?
CommonEC2_<productdomain>) to your Instance Role. On common usage, you will have 4-5 managed policy already attached in tvlk-prod environment. (Max. attached managed policy: 10)
What to do after this?
We've attached the policy using AWS CLI command instead of Terraform. We need your help to update your Terraform config to prevent future confusion. Here is the list of modified Instance Role
Why do you use CLI command instead of Terraform?
It requires huge amount of effort to modify all Instance Roles in tvlk-prod using Terraform, both for Site-Infra and also for Infra Delegates. To enable troubleshooting on instances during incident, we decided to update it quickly using CLI command, instead of let the instance unconfigured and later Product team found they can't troubleshoot the instances during incident and cause delay on incident resolution. But after manual changes, we expect Delegates and Product teams to later update the Terraform config to reflect the changes that we made.
* For ProductDomain AXT, LOC/COI, PAY
We didn't modify some of your instances because there is special case or uncertainty what is inside / is that cluster still being used or not. Please go to list of modified Instance Role and open Not Updated Role sheet to see Instance Role that hasn't been modified yet.