
Creates a number of default roles, especially the default instance role.

Fred Damstra 5 years ago
parent
commit
211c7a312d
1 changed files with 145 additions and 0 deletions
  1. 145 0
      base/account_standards/iam.tf

+ 145 - 0
base/account_standards/iam.tf

@@ -0,0 +1,145 @@
+# IAM Roles in All Accounts
+
+
+#############################
+# Default instance profile
+#
+# Basic profile to allow basic things
+resource "aws_iam_instance_profile" "default_instance_profile" {
+  name  = "msoc-default-instance-profile"
+  role = aws_iam_role.default_instance_role.name
+}
+
+resource "aws_iam_role"  "default_instance_role" {
+  name = "msoc-default-instance-role"
+  assume_role_policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Sid": "",
+        "Effect": "Allow",
+        "Principal": {
+          "Service": [
+            "ec2.amazonaws.com",
+            "ssm.amazonaws.com"
+            ]
+        },
+        "Action": "sts:AssumeRole"
+      }
+    ]
+  }
+EOF
+}
+
+data "aws_iam_policy_document" "default_instance_policy_doc" {
+  statement {
+    effect = "Allow"
+    actions = [
+        "ec2:DescribeTags"
+    ]
+
+    resources = [
+      "*"
+    ]
+  }
+}
+
+
+resource "aws_iam_policy" "default_instance_policy" {
+  name        = "default_instance_tag_read"
+  path        = "/launchroles/"
+  description = "This policy allows a EC2 server to read tags"
+  policy      = data.aws_iam_policy_document.default_instance_policy_doc.json
+}
+
+resource "aws_iam_role_policy_attachment" "default_instance_AmazonEC2RoleforSSM" {
+  role       = aws_iam_role.default_instance_role.name
+  policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
+}
+
+resource "aws_iam_role_policy_attachment" "default_instance_default_policy_attach" {
+  role       = aws_iam_role.default_instance_role.name
+  policy_arn = aws_iam_policy.default_instance_policy.arn
+}
+
+resource "aws_iam_role_policy_attachment" "default_instance_cloudwatch_policy_attach" {
+  role       = aws_iam_role.default_instance_role.name
+  policy_arn = aws_iam_policy.cloudwatch_events.arn
+}
+
+
+##########################
+# cloudwatch events
+data "aws_iam_policy_document" "cloudwatch_events" {
+  statement {
+    sid = "1"
+    actions = [
+      "events:PutRule"
+    ]
+
+    resources = [ "*" ]
+  }
+}
+
+resource "aws_iam_policy" "cloudwatch_events" {
+  name        = "cloudwatch_events"
+  description = "Creation of cloudwatch events"
+  policy      = data.aws_iam_policy_document.cloudwatch_events.json
+}
+
+##########################
+# dlm_lifecycle
+#
+# This is to setup the needed IAM role and premissions for the AWS feature Data Lifecycle Manager (DLM) lifecycle policy so we can have it do "backups" on our EBS
+# Docs can be found here https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-lifecycle.html
+# Chris Lynch 1/25/2019
+
+resource "aws_iam_role" "dlm_lifecycle_role" {
+  name = "dlm-lifecycle-role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "dlm.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "dlm_lifecycle" {
+  name = "dlm-lifecycle-policy"
+  role = aws_iam_role.dlm_lifecycle_role.id
+  policy = <<EOF
+{
+   "Version": "2012-10-17",
+   "Statement": [
+      {
+         "Effect": "Allow",
+         "Action": [
+            "ec2:CreateSnapshot",
+            "ec2:DeleteSnapshot",
+            "ec2:DescribeVolumes",
+            "ec2:DescribeSnapshots"
+         ],
+         "Resource": "*"
+      },
+      {
+         "Effect": "Allow",
+         "Action": [
+            "ec2:CreateTags"
+         ],
+         "Resource": "arn:${var.aws_partition}:ec2:*::snapshot/*"
+      }
+   ]
+}
+EOF
+}
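Review bot: The trust policy of `aws_iam_role.default_instance_role` lists `ssm.amazonaws.com` alongside `ec2.amazonaws.com` as an assuming principal, which an EC2 instance profile role does not need — the SSM agent runs on the instance and uses the profile's own credentials, so the extra service principal only widens who can obtain this role; unless an SSM Automation use case is intended, narrow it to `"Service": "ec2.amazonaws.com"` and add a comment stating why otherwise. The attachment `default_instance_AmazonEC2RoleforSSM` pins the legacy `AmazonEC2RoleforSSM` managed policy, which AWS has since deprecated in favour of `AmazonSSMManagedInstanceCore` because it grants more than the agent requires (including S3 object access); `policy_arn = "arn:${var.aws_partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"` would be the narrower default for a role every instance receives. The `events:PutRule` grant on `"*"` in `cloudwatch_events` is likewise attached to the default profile, so a comment recording which workloads need instances to create CloudWatch Events rules would help the next reviewer judge whether it belongs in the baseline. Separately, the trust policies are embedded as heredoc JSON while the permission policies use `aws_iam_policy_document`; using the data source (or `jsonencode`) for the trust policies too would keep the file consistent and validate the documents at plan time.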