
Merge pull request #379 from mdr-engineering/hotfix/ftd_na_FixVaultProfiles

Migrates vault and portal to the Instance Profile Submodule
Frederick Damstra 3 gadi atpakaļ
vecāks
revīzija
79ecedf0d4

+ 0 - 85
base/phantom/instance-profile.tf.skipped

@@ -1,85 +0,0 @@
-resource "aws_iam_instance_profile" "jira_server_instance_profile" {
-  name     = "jira-server-instance-profile"
-  role     = aws_iam_role.jira_server.name
-}
-
-resource "aws_iam_role" "jira_server" {
-  name     = "jira-server-instance-role"
-  path     = "/instance/"
-
-  assume_role_policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-      {
-        "Sid": "",
-        "Effect": "Allow",
-        "Principal": {
-          "Service": [
-            "ec2.amazonaws.com",
-            "ssm.amazonaws.com"
-            ]
-        },
-        "Action": "sts:AssumeRole"
-      }
-    ]
-  }
-EOF
-}
-
-data "aws_iam_policy_document" "jira_server_ecr_policy" {
-  statement {
-    actions = [
-      "ecr:GetAuthorizationToken",
-    ]
-
-    resources = ["*"]
-  }
-
-  statement {
-    sid    = "AllowCluCommunicationECR"
-    effect = "Allow"
-
-    actions = [
-			"ecr:BatchCheckLayerAvailability",
-			"ecr:GetDownloadUrlForLayer",
-			"ecr:GetRepositoryPolicy",
-			"ecr:DescribeRepositories",
-			"ecr:ListImages",
-			"ecr:DescribeImages",
-			"ecr:BatchGetImage",
-			"ecr:InitiateLayerUpload",
-			"ecr:UploadLayerPart",
-			"ecr:CompleteLayerUpload",
-			"ecr:PutImage"
-    ]
-
-    resources = [
-      "arn:${var.aws_partition}:ecr:us-east-1:${var.aws_account_id}:repository/*"
-    ]
-  }
-
-  statement {
-    sid    = "Tags"
-    effect = "Allow"
-
-    actions = [
-      "ec2:DescribeTags",
-      "ec2:DescribeInstances"
-    ]
-    resources = [
-      "*"
-    ]
-  }
-}
-
-resource "aws_iam_policy" "jira_server_ecr_policy" {
-  name     = "jira-server"
-  path     = "/instance/"
-  policy   = data.aws_iam_policy_document.jira_server_ecr_policy.json
-}
-
-resource "aws_iam_role_policy_attachment" "jira_server_ecr" {
-  role       = aws_iam_role.jira_server.name
-  policy_arn = aws_iam_policy.jira_server_ecr_policy.arn
-}

+ 6 - 44
base/phantom/instance_profile.tf

@@ -1,46 +1,8 @@
-resource "aws_iam_instance_profile" "phantom_instance_profile" {
-  name = "xdr-phantom-instance-profile"
-  path = "/instance/"
-  role = aws_iam_role.phantom_instance_role.name
-}
-
-resource "aws_iam_role"  "phantom_instance_role" {
-  name = "xdr-phantom-instance-role"
-  path = "/instance/"
-  assume_role_policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-      {
-        "Sid": "",
-        "Effect": "Allow",
-        "Principal": {
-          "Service": [
-            "ec2.amazonaws.com",
-            "ssm.amazonaws.com"
-            ]
-        },
-        "Action": "sts:AssumeRole"
-      }
-    ]
-  }
-EOF
-}
-
-# These 3 are the default profile attachments:
-resource "aws_iam_role_policy_attachment" "phantom_instance_AmazonEC2RoleforSSM" {
-  role       = aws_iam_role.phantom_instance_role.name
-  policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
-}
-
-resource "aws_iam_role_policy_attachment" "phantom_instance_default_policy_attach" {
-  role       = aws_iam_role.phantom_instance_role.name
-  policy_arn = "arn:${ var.aws_partition }:iam::${ var.aws_account_id }:policy/launchroles/default_instance_tag_read"
-}
-
-resource "aws_iam_role_policy_attachment" "phantom_instance_cloudwatch_policy_attach" {
-  role       = aws_iam_role.phantom_instance_role.name
-  policy_arn = "arn:${ var.aws_partition }:iam::${ var.aws_account_id }:policy/cloudwatch_events"
+module "instance_profile" {
+  source = "../../submodules/iam/base_instance_profile"
+  prefix = "xdr-phantom"
+  aws_partition = var.aws_partition
+  aws_account_id = var.aws_account_id
 }
 
 # Phantom Specific Policy
@@ -129,6 +91,6 @@ resource "aws_iam_role_policy_attachment" "phantom_instance_cloudwatch_policy_at
 #}
 #
 #resource "aws_iam_role_policy_attachment" "phantom_instance_policy_attach" {
-#  role       = aws_iam_role.phantom_instance_role.name
+#  role       = module.instance_profile.role_id
 #  policy_arn = aws_iam_policy.phantom_instance_policy.arn
 #}
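Review bot: The removed role carried three explicit attachments (`AmazonEC2RoleforSSM`, `default_instance_tag_read`, `cloudwatch_events`, noted as "the default profile attachments"), and nothing in this hunk shows that `../../submodules/iam/base_instance_profile` attaches exactly that set, so the instance's effective permissions may change silently with this refactor; a one-line comment above the module block, e.g. `# base_instance_profile attaches the SSM, tag-read and cloudwatch_events policies formerly declared here`, would record the expectation and make a later diff of the submodule reviewable. Moving the role and profile from root-module addresses into `module.instance_profile` without a `terraform state mv` (or `moved` blocks, if the Terraform version in use supports them) will plan a destroy of `aws_iam_role.phantom_instance_role`/`aws_iam_instance_profile.phantom_instance_profile` and a create of the module's resources; if the module reuses the `xdr-phantom-*` names, the create can collide with the not-yet-deleted originals, so the PR should state how state was migrated. The second hunk (L156–L163) only updates commented-out code and relies on `module.instance_profile.role_id` being the role name that `aws_iam_role_policy_attachment.role` expects (`aws_iam_role.id` is the name, so this holds if the module exports `id`); the same assumption applies to the live attachments in `base/vault/instance_profile.tf`.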

+ 1 - 1
base/phantom/main.tf

@@ -42,7 +42,7 @@ resource "aws_instance" "phantom-server-instance" {
   instance_type = var.instance_type
   key_name = "msoc-build"
   monitoring = false
-  iam_instance_profile = aws_iam_instance_profile.phantom_instance_profile.id
+  iam_instance_profile = module.instance_profile.profile_id
 
   ami = local.ami_map[local.ami_selection]
   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.

+ 36 - 34
base/vault/iam.tf → base/vault/instance_profile.tf

@@ -1,30 +1,37 @@
-resource "aws_iam_instance_profile" "vault_instance_profile" {
-  name     = "vault-instance-profile"
-  role     = aws_iam_role.vault.name
+module "instance_profile" {
+  source = "../../submodules/iam/base_instance_profile"
+  prefix = "vault"
+  aws_partition = var.aws_partition
+  aws_account_id = var.aws_account_id
 }
 
-resource "aws_iam_role" "vault" {
-  name     = "vault-instance-role"
-
-  assume_role_policy = <<EOF
-{   
-    "Version": "2012-10-17",
-    "Statement": [
-      { 
-        "Sid": "",
-        "Effect": "Allow",
-        "Principal": {
-          "Service": [
-            "ec2.amazonaws.com",
-            "ssm.amazonaws.com"
-            ]
-        },
-        "Action": "sts:AssumeRole"
-      }
-    ]
-  }
-EOF
-}
+#resource "aws_iam_instance_profile" "vault_instance_profile" {
+#  name     = "vault-instance-profile"
+#  role     = aws_iam_role.vault.name
+#}
+#
+#resource "aws_iam_role" "vault" {
+#  name     = "vault-instance-role"
+#
+#  assume_role_policy = <<EOF
+#{   
+#    "Version": "2012-10-17",
+#    "Statement": [
+#      { 
+#        "Sid": "",
+#        "Effect": "Allow",
+#        "Principal": {
+#          "Service": [
+#            "ec2.amazonaws.com",
+#            "ssm.amazonaws.com"
+#            ]
+#        },
+#        "Action": "sts:AssumeRole"
+#      }
+#    ]
+#  }
+#EOF
+#}
 
 #-------------------------------
 # KMS Policy
@@ -67,15 +74,10 @@ resource "aws_iam_policy" "vault_kms_key_policy" {
 }
 
 resource "aws_iam_role_policy_attachment" "vault_kms" {
-  role       = aws_iam_role.vault.name
+  role       = module.instance_profile.role_id
   policy_arn = aws_iam_policy.vault_kms_key_policy.arn
 }
 
-resource "aws_iam_role_policy_attachment" "AmazonEC2RoleforSSM" {
-  role       = aws_iam_role.vault.name
-  policy_arn = "arn:aws-us-gov:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
-}
-
 #------------------------------
 # DynamoDB 
 #------------------------------
@@ -116,7 +118,7 @@ resource "aws_iam_policy" "vault_dynamodb_policy" {
 }
 
 resource "aws_iam_role_policy_attachment" "vault_dynamodb" {
-  role       = aws_iam_role.vault.name
+  role       = module.instance_profile.role_id
   policy_arn = aws_iam_policy.vault_dynamodb_policy.arn
 }
 
@@ -145,6 +147,6 @@ resource "aws_iam_policy" "vault_approle_policy" {
 }
 
 resource "aws_iam_role_policy_attachment" "vault_approle" {
-  role       = aws_iam_role.vault.name
+  role       = module.instance_profile.role_id
   policy_arn = aws_iam_policy.vault_approle_policy.arn
-}
+}
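Review bot: The superseded `aws_iam_instance_profile` and `aws_iam_role` blocks are kept as 27 commented-out lines (L214–L240) instead of being deleted; git history already preserves them, and commented HCL next to the live module block is the kind of dead config that later gets un-commented and collides with the module's role. More important, the old `vault` role was declared with no `path`, whereas the phantom file's removed role used `path = "/instance/"` — if the submodule sets a path, the role ARN changes and the role is force-replaced even after a `terraform state mv`, which would break anything that pins the old role ARN (e.g. a Vault AWS auth binding on the instance role); worth confirming before apply and noting in the PR description. In the KMS hunk the hard-coded `arn:aws-us-gov:iam::aws:policy/service-role/AmazonEC2RoleforSSM` attachment is dropped, which is only safe if the submodule re-attaches it via `var.aws_partition` — the phantom file's removed "default profile attachments" comment suggests it does, but the hunk does not show it. The `role = module.instance_profile.role_id` lines in the three attachment hunks assume the module exports the role name (`aws_iam_role.id`), not the ARN.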

+ 1 - 1
base/vault/main.tf

@@ -48,7 +48,7 @@ resource "aws_instance" "instance" {
   instance_type = var.instance_type
   key_name = "msoc-build"
   monitoring = false
-  iam_instance_profile = "vault-instance-profile"
+  iam_instance_profile = module.instance_profile.profile_id
 
   ami = local.ami_map[local.ami_selection]
   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.

+ 2 - 1
base/vmray_instances/cloud-init/cloud-init.tpl

@@ -89,7 +89,7 @@ runcmd:
  - export https_proxy=http://${proxy}:80
  - export no_proxy=localhost,127.0.0.1,169.254.169.254
  - ua auto-attach
- - ua enable --assume-yes cis fips fips-updates
+ - ua enable --assume-yes usg fips fips-updates
  - /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh lvl2_server
  - apt update 
  - apt upgrade -y
@@ -103,6 +103,7 @@ runcmd:
  - /bin/systemctl enable snap.amazon-ssm-agent.amazon-ssm-agent.service
  - /usr/sbin/aide --update --verbose=0
  - /bin/cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+ - /sbin/xfs_growfs /tmp
 
 # Either final message or power state, but probably not both
 #final_message: "The system is up after $UPTIME seconds"
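Review bot: Switching `ua enable --assume-yes cis fips fips-updates` to `usg` changes more than the service name: enabling `usg` only adds the repository and, unlike the old `cis` service, does not appear to install the hardening tooling, yet the very next line still executes `/usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh lvl2_server`, a path shipped by the older package. If that script is absent the step fails and cloud-init proceeds to `apt update`/`apt upgrade`, leaving the host unhardened with the only evidence in the cloud-init log; either add an `apt install -y usg` step and use the usg CLI's CIS level-2 server profile, or guard the line, e.g. `test -x /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh || { echo "CIS hardening script missing" >&2; exit 1; }`, so a missing hardening step aborts instead of being skipped. The added `/sbin/xfs_growfs /tmp` in the second hunk likewise runs unconditionally and assumes `/tmp` is a separately mounted XFS filesystem whose backing volume has already been resized; nothing in the diff shows either, so a short comment stating that assumption (or a `findmnt -t xfs /tmp` guard) would help the next reader.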