@@ -0,0 +1,107 @@
|
|
|
+##### MOVE ME TO THE S3 BUCKET TERRAFORM
|
|
|
+
|
|
|
+# the 'splunk-addon-for-aws' role is created in all accounts via
|
|
|
+# the base/account_standards module.
|
|
|
+#
|
|
|
+# Then, there is an instance profile (for use in the partition holding moose)
|
|
|
+# and a user account (for use in the partion _not_ holding moose) that
|
|
|
+# with keys for moose.
|
|
|
+#
|
|
|
+# That instance profile/user is allowed to assumerole into the
|
|
|
+# 'splunk-addon-for-aws' role in the other accounts.
|
|
|
+
|
|
|
+######################
|
|
|
+# Access keys
|
|
|
+#
|
|
|
+# For rotation purposes, there are two of these. Delete the oldest one,
|
|
|
+# add a new one (with a higher version number), and then update the output
|
|
|
+#
|
|
|
+# Possible futue improvement:
|
|
|
+# We could specify a pgp_key attribute, and then the secret will be encrypted
|
|
|
+# in both the state file and in the output. If we used the salt PGP key,
|
|
|
+# no user would ever have to see the secret key.
|
|
|
+resource "aws_iam_access_key" "github-actions-v1" {
|
|
|
+ user = aws_iam_user.github-actions.name
|
|
|
+}
|
|
|
+
|
|
|
+resource "aws_iam_access_key" "github-actions-v2" {
|
|
|
+ user = aws_iam_user.github-actions.name
|
|
|
+}
|
|
|
+
|
|
|
+output "access_keys" {
|
|
|
+ value = {
|
|
|
+ "current" = {
|
|
|
+ "aws_access_key_id" : aws_iam_access_key.github-actions-v2.id
|
|
|
+ "aws_secret_access_key" : aws_iam_access_key.github-actions-v2.secret
|
|
|
+ },
|
|
|
+ "previous" = {
|
|
|
+ "aws_access_key_id" : aws_iam_access_key.github-actions-v1.id
|
|
|
+ "aws_secret_access_key" : aws_iam_access_key.github-actions-v1.secret
|
|
|
+ }
|
|
|
+ }
|
|
|
+ sensitive = true
|
|
|
+}
|
|
|
+
|
|
|
+######################
|
|
|
+# The policy is attached to both the user and the instance profile
|
|
|
+data "aws_iam_policy_document" "github-actions" {
|
|
|
+
|
|
|
+ statement {
|
|
|
+ sid = "1"
|
|
|
+
|
|
|
+ actions = [
|
|
|
+ "s3:PutObject",
|
|
|
+ "s3:GetObject",
|
|
|
+ "s3:ListBucketMultipartUploads",
|
|
|
+ "kms:Decrypt",
|
|
|
+ "s3:AbortMultipartUpload",
|
|
|
+ "kms:GenerateDataKey",
|
|
|
+ "s3:ListBucket",
|
|
|
+ "s3:DeleteObject",
|
|
|
+ "s3:ListMultipartUploadParts"
|
|
|
+ ]
|
|
|
+
|
|
|
+ resources = [
|
|
|
+ aws_kms_key.bucketkey.arn,
|
|
|
+ aws_s3_bucket.bucket.arn,
|
|
|
+ "${aws_s3_bucket.bucket.arn}/*"
|
|
|
+ ]
|
|
|
+ }
|
|
|
+
|
|
|
+}
|
|
|
+
|
|
|
+resource "aws_iam_policy" "github-actions" {
|
|
|
+ name = "github-actions"
|
|
|
+ path = "/"
|
|
|
+ description = "Policy to allow the github-actions to use the GH Actions S3 bucket and KMS"
|
|
|
+ policy = data.aws_iam_policy_document.github-actions.json
|
|
|
+}
|
|
|
+
|
|
|
+######################
|
|
|
+# the user
|
|
|
+#
|
|
|
+# Note: CIS requires that policies _NOT_ be directly attached to a user. Users must
|
|
|
+# be members of groups, and those groups can have policies.
|
|
|
+resource "aws_iam_user" "github-actions" {
|
|
|
+ name = "github-actions"
|
|
|
+ path = "/instance/"
|
|
|
+
|
|
|
+ tags = merge(local.standard_tags, var.tags)
|
|
|
+}
|
|
|
+
|
|
|
+# tfsec:ignore:aws-iam-enforce-mfa
|
|
|
+resource "aws_iam_group" "github-actions" {
|
|
|
+ name = "github-actions"
|
|
|
+ path = "/instance/"
|
|
|
+}
|
|
|
+
|
|
|
+resource "aws_iam_user_group_membership" "github-actions" {
|
|
|
+ user = aws_iam_user.github-actions.name
|
|
|
+
|
|
|
+ groups = [aws_iam_group.github-actions.name]
|
|
|
+}
|
|
|
+
|
|
|
+resource "aws_iam_group_policy_attachment" "github-actions-group" {
|
|
|
+ group = aws_iam_group.github-actions.name
|
|
|
+ policy_arn = aws_iam_policy.github-actions.arn
|
|
|
+}
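Review bot: The rotation procedure described above `aws_iam_access_key.github-actions-v1` and `-v2` never retires a key before it is deleted, so both keys stay Active for the whole rollover window and a leaked "previous" secret keeps working until the resource is removed; the comment should add a step such as `status = "Inactive"` on the retired key once consumers have moved to "current", with deletion only after that. Note also that `sensitive = true` on `output "access_keys"` only redacts CLI output — both secrets remain plaintext in state, so access to the state backend is the effective control until the pgp_key idea in the comment is adopted. In `data "aws_iam_policy_document" "github-actions"` the single statement grants the `kms:*` and `s3:*` actions against all three resources at once; splitting it into one statement for the bucket/objects and one for the KMS key keeps each grant scoped to the resource type it actually applies to, as sketched below. Finally, the header block from `##### MOVE ME TO THE S3 BUCKET TERRAFORM` through the `splunk-addon-for-aws`/moose paragraphs and the comment `# The policy is attached to both the user and the instance profile` describe resources this file does not create (there is no instance profile here, only a group), and contain typos (`futue`, `partion`) — they should be rewritten to describe the github-actions user, group and policy, and the bare `# tfsec:ignore:aws-iam-enforce-mfa` line deserves a one-line justification such as `# MFA cannot be enforced for a non-interactive CI user; access is limited to the bucket policy below`.
```hcl
data "aws_iam_policy_document" "github-actions" {
  statement {
    sid = "BucketAccess"
    actions = [
      "s3:PutObject",
      "s3:GetObject",
      "s3:ListBucketMultipartUploads",
      "s3:AbortMultipartUpload",
      "s3:ListBucket",
      "s3:DeleteObject",
      "s3:ListMultipartUploadParts"
    ]
    resources = [
      aws_s3_bucket.bucket.arn,
      "${aws_s3_bucket.bucket.arn}/*"
    ]
  }

  statement {
    sid       = "BucketKeyAccess"
    actions   = ["kms:Decrypt", "kms:GenerateDataKey"]
    resources = [aws_kms_key.bucketkey.arn]
  }
}
```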