IAM policy to describe and create tags on its own instance

iam-policy-to-modify-ec2s-own-tags.md

data "aws_iam_policy_document" "hello" {
  statement {
    sid       = "VisualEditor0"
    effect    = "Allow"
    resources = ["arn:<PARTITION>:ec2:<REGION>:<ACCOUNT_ID>:instance/${ec2:InstanceID}"]
    actions   = ["ec2:CreateTags"]

    condition {
      test     = "StringLike"
      variable = "ec2:SourceInstanceARN"
      values   = ["arn:<PARTITION>:ec2:<REGION>:<ACCOUNT_ID>:instance/${ec2:InstanceID}"]
    }
  }
}