
Creates a better path to indexer instance role migration

Changes app distribution to use the new role.

Migration path:
1) Apply this module
2) Update running instances to use the new profile
3) Update the app_s3_bucket to use the new profile
4) Submit a new PR to remove the old profile
5) Apply the new module.

To be tagged v3.5.1
Fred Damstra [afs macbook] vor 3 Jahren
6f72636f1f

+ 1 - 1
base/splunk_servers/app_s3_bucket/iam_splunk_apps_s3_role.tf

@@ -4,7 +4,7 @@ locals {
 
   base_role_arns = [
     local.sh_role,
-    "arn:${ var.aws_partition }:iam::${ var.aws_account_id }:role/instance/xdr-indexer-instance-role",
+    "arn:${ var.aws_partition }:iam::${ var.aws_account_id }:role/instance/xdr-idx-instance-role",
     "arn:${ var.aws_partition }:iam::${ var.aws_account_id }:role/instance/xdr-cm-instance-role",
     "arn:${ var.aws_partition }:iam::${ var.aws_account_id }:role/instance/xdr-hf-instance-role",
   ]
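Review bot: Replacing the old ARN outright means that between step 1 and step 2 of the migration described above, indexers still running under `xdr-indexer-instance-role` are no longer listed in `base_role_arns` and so lose the ability to assume the splunk-apps-s3 role and pull apps. Keeping both entries during the cut-over, i.e. leaving `"arn:${ var.aws_partition }:iam::${ var.aws_account_id }:role/instance/xdr-indexer-instance-role",` next to the new `xdr-idx-instance-role` line and dropping it in the step-4 PR, avoids that gap; the description's step 3 also suggests this file was meant to change later rather than in this commit. The `locals` block that owns this list starts outside the hunk.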

+ 53 - 23
base/splunk_servers/indexer_cluster/instance_profile.tf

@@ -1,19 +1,62 @@
-module "instance_profile" {
-  source = "../../../submodules/iam/base_instance_profile"
-  prefix = "xdr-indexer"
-  aws_partition = var.aws_partition
-  aws_account_id = var.aws_account_id
+#############################
+# Indexer instance profile
+#
+# Includes policies for the indexers:
+#  * Same policies as the default instance profile
+resource "aws_iam_instance_profile" "indexer_instance_profile" {
+  name = "xdr-indexer-instance-profile"
+  path = "/instance/"
+  role = aws_iam_role.indexer_instance_role.name
+}
+
+resource "aws_iam_role"  "indexer_instance_role" {
+  name = "xdr-indexer-instance-role"
+  path = "/instance/"
+  assume_role_policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Sid": "",
+        "Effect": "Allow",
+        "Principal": {
+          "Service": [
+            "ec2.amazonaws.com",
+            "ssm.amazonaws.com"
+            ]
+        },
+        "Action": "sts:AssumeRole"
+      }
+    ]
+  }
+EOF
+}
+
+# These 3 are the default profile attachments:
+resource "aws_iam_role_policy_attachment" "indexer_instance_AmazonEC2RoleforSSM" {
+  role       = aws_iam_role.indexer_instance_role.name
+  policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
+}
+
+resource "aws_iam_role_policy_attachment" "indexer_instance_default_policy_attach" {
+  role       = aws_iam_role.indexer_instance_role.name
+  policy_arn = "arn:${ var.aws_partition }:iam::${ var.aws_account_id }:policy/launchroles/default_instance_tag_read"
+}
+
+resource "aws_iam_role_policy_attachment" "indexer_instance_cloudwatch_policy_attach" {
+  role       = aws_iam_role.indexer_instance_role.name
+  policy_arn = "arn:${ var.aws_partition }:iam::${ var.aws_account_id }:policy/cloudwatch_events"
 }
 
 # Indexer Specific Policy
-resource "aws_iam_policy" "instance_policy" {
+resource "aws_iam_policy" "indexer_instance_policy" {
   name        = "indexer_instance_policy"
   path        = "/launchroles/"
   description = "This policy allows indexer-specific functions"
-  policy      = data.aws_iam_policy_document.instance_policy_doc.json
+  policy      = data.aws_iam_policy_document.indexer_instance_policy_doc.json
 }
 
-data "aws_iam_policy_document" "instance_policy_doc" {
+data "aws_iam_policy_document" "indexer_instance_policy_doc" {
   # Allow copying to S3 for frozen
   # Allow use of S3 for SmartStore
   statement {
@@ -70,22 +113,9 @@ data "aws_iam_policy_document" "instance_policy_doc" {
     ]
     resources = [ "*" ]
   }      
-
-  statement {
-    sid    = "AllowAssumeRoleToSplunkApps"
-    effect = "Allow"
-
-    actions = [
-      "sts:AssumeRole"
-    ]
-
-    resources = [
-      "arn:${ var.aws_partition }:iam::${ var.aws_account_id }:role/service/splunk-apps-s3"
-    ]
-  }
 }
 
 resource "aws_iam_role_policy_attachment" "indexer_instance_policy_attach" {
-  role       = module.instance_profile.role_id
-  policy_arn = aws_iam_policy.instance_policy.arn
+  role       = aws_iam_role.indexer_instance_role.name
+  policy_arn = aws_iam_policy.indexer_instance_policy.arn
 }
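Review bot: Removing the `AllowAssumeRoleToSplunkApps` statement from `indexer_instance_policy_doc` strips `sts:AssumeRole` on `role/service/splunk-apps-s3` from the legacy `xdr-indexer-instance-role`, which running indexers keep using until step 2 of the migration, so app distribution from the S3 bucket stops as soon as step 1 is applied. Since that role is scheduled for deletion in step 4 anyway, the safer sequence is to leave the statement in place here (the removed `sid = "AllowAssumeRoleToSplunkApps"` block) and delete it together with the role, so both the old and new roles can reach the apps bucket during the cut-over. The earlier statements of this data block, including the KMS statement whose `resources = [ "*" ]` closes just above, lie outside this hunk.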

+ 91 - 0
base/splunk_servers/indexer_cluster/instance_profile_indexers.tf

@@ -0,0 +1,91 @@
+module "instance_profile" {
+  source = "../../../submodules/iam/base_instance_profile"
+  prefix = "xdr-idx"
+  aws_partition = var.aws_partition
+  aws_account_id = var.aws_account_id
+}
+
+# Indexer Specific Policy
+resource "aws_iam_policy" "instance_policy_idx" {
+  name        = "idx_instance_policy"
+  path        = "/launchroles/"
+  description = "This policy allows indexer-specific functions"
+  policy      = data.aws_iam_policy_document.instance_policy_doc_idx.json
+}
+
+data "aws_iam_policy_document" "instance_policy_doc_idx" {
+  # Allow copying to S3 for frozen
+  # Allow use of S3 for SmartStore
+  statement {
+    sid = "GeneralBucketAccess"
+    effect = "Allow"
+    actions = [
+      "s3:ListAllMyBuckets",
+      "s3:HeadBucket",
+    ]
+    resources = [ "*" ]
+  }
+
+  statement {
+    sid = "S3BucketAccess"
+    effect = "Allow"
+    actions = [
+      "s3:GetLifecycleConfiguration",
+      "s3:DeleteObjectVersion",
+      "s3:ListBucketVersions",
+      "s3:GetBucketLogging",
+      "s3:RestoreObject",
+      "s3:ListBuckets",
+      "s3:GetBucketVersioning",
+      "s3:PutObject",
+      "s3:GetObject",
+      "s3:PutLifecycleConfiguration",
+      "s3:GetBucketCORS",
+      "s3:DeleteObject",
+      "s3:GetBucketLocation",
+      "s3:GetObjectVersion",
+    ]
+    resources = [ 
+      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-frozen",
+      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-frozen/*",
+      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-smartstore",
+      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-smartstore/*",
+    ]
+  }
+
+  statement {
+    sid = "KMSKeyAccess"
+    effect = "Allow"
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKeyWithoutPlaintext",
+      "kms:Verify",
+      "kms:GenerateDataKeyPairWithoutPlaintext",
+      "kms:GenerateDataKeyPair",
+      "kms:ReEncryptFrom",
+      "kms:Encrypt",
+      "kms:GenerateDataKey",
+      "kms:ReEncryptTo",
+      "kms:Sign",
+    ]
+    resources = [ "*" ]
+  }      
+
+  statement {
+    sid    = "AllowAssumeRoleToSplunkApps"
+    effect = "Allow"
+
+    actions = [
+      "sts:AssumeRole"
+    ]
+
+    resources = [
+      "arn:${ var.aws_partition }:iam::${ var.aws_account_id }:role/service/splunk-apps-s3"
+    ]
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "indexer_instance_policy_attach_idx" {
+  role       = module.instance_profile.role_id
+  policy_arn = aws_iam_policy.instance_policy_idx.arn
+}
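Review bot: The `KMSKeyAccess` statement grants `kms:Decrypt`, `kms:Encrypt`, `kms:Sign` and the data-key actions on `resources = [ "*" ]`, so the new indexer role can use any KMS key in the account whose key policy admits the account's IAM principals, not only the key protecting the frozen and SmartStore buckets; scope `resources` to the ARN(s) of the key(s) those two buckets are encrypted with, and drop `kms:Sign`, `kms:Verify`, `kms:GenerateDataKeyPair` and `kms:GenerateDataKeyPairWithoutPlaintext`, which S3 SSE-KMS does not call. In `S3BucketAccess`, `s3:ListBuckets` is not an IAM action (the permission behind list-objects calls is `s3:ListBucket`, singular), so it grants nothing and probably was meant as that. The same statement gives `s3:PutLifecycleConfiguration` and `s3:DeleteObjectVersion` on the frozen bucket, which lets a compromised indexer shorten retention or purge archived versions of a tier that is presumably meant to be retained; if these actions were copied verbatim from the previous policy, creating the new role is the moment to tighten them rather than carry them forward.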

+ 9 - 0
base/splunk_servers/indexer_cluster/outputs.tf

@@ -6,3 +6,12 @@ output "nlb_ips" {
   # Should be in git@github.xdr.accenturefederalcyber.com:mdr-engineering/msoc-CUST-pop.git in deployment-apps/CUST_hf_outputs/local/outputs.conf
   value = aws_eip.nlb[*].public_ip
 }
+
+output "instance_profile" {
+  value = module.instance_profile.role_id
+}
+
+# TODO: Remove after migration
+output "legacy_instance_profile" {
+  value = aws_iam_instance_profile.indexer_instance_profile.id
+}
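Review bot: The new `instance_profile` output returns `module.instance_profile.role_id`, a role identifier, while `legacy_instance_profile` returns the instance profile's id, so a launch template or instance that consumes the first output to complete step 2 of the migration would be handed a role where an instance profile name or ARN is expected. If the submodule exposes the profile (its outputs are not visible in this diff), return that here, and otherwise rename this output to something like `instance_role_id` so that it says what it returns and does not get mistaken for the profile. The `nlb_ips` output whose tail appears at the top of the hunk starts outside it.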