|
|
@@ -1,121 +0,0 @@
|
|
|
-#############################
|
|
|
-# Indexer instance profile
|
|
|
-#
|
|
|
-# Includes policies for the indexers:
|
|
|
-# * Same policies as the default instance profile
|
|
|
-resource "aws_iam_instance_profile" "indexer_instance_profile" {
|
|
|
- name = "xdr-indexer-instance-profile"
|
|
|
- path = "/instance/"
|
|
|
- role = aws_iam_role.indexer_instance_role.name
|
|
|
-}
|
|
|
-
|
|
|
-resource "aws_iam_role" "indexer_instance_role" {
|
|
|
- name = "xdr-indexer-instance-role"
|
|
|
- path = "/instance/"
|
|
|
- assume_role_policy = <<EOF
|
|
|
-{
|
|
|
- "Version": "2012-10-17",
|
|
|
- "Statement": [
|
|
|
- {
|
|
|
- "Sid": "",
|
|
|
- "Effect": "Allow",
|
|
|
- "Principal": {
|
|
|
- "Service": [
|
|
|
- "ec2.amazonaws.com",
|
|
|
- "ssm.amazonaws.com"
|
|
|
- ]
|
|
|
- },
|
|
|
- "Action": "sts:AssumeRole"
|
|
|
- }
|
|
|
- ]
|
|
|
- }
|
|
|
-EOF
|
|
|
-}
|
|
|
-
|
|
|
-# These 3 are the default profile attachments:
|
|
|
-resource "aws_iam_role_policy_attachment" "indexer_instance_AmazonEC2RoleforSSM" {
|
|
|
- role = aws_iam_role.indexer_instance_role.name
|
|
|
- policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
|
|
|
-}
|
|
|
-
|
|
|
-resource "aws_iam_role_policy_attachment" "indexer_instance_default_policy_attach" {
|
|
|
- role = aws_iam_role.indexer_instance_role.name
|
|
|
- policy_arn = "arn:${ var.aws_partition }:iam::${ var.aws_account_id }:policy/launchroles/default_instance_tag_read"
|
|
|
-}
|
|
|
-
|
|
|
-resource "aws_iam_role_policy_attachment" "indexer_instance_cloudwatch_policy_attach" {
|
|
|
- role = aws_iam_role.indexer_instance_role.name
|
|
|
- policy_arn = "arn:${ var.aws_partition }:iam::${ var.aws_account_id }:policy/cloudwatch_events"
|
|
|
-}
|
|
|
-
|
|
|
-# Indexer Specific Policy
|
|
|
-resource "aws_iam_policy" "indexer_instance_policy" {
|
|
|
- name = "indexer_instance_policy"
|
|
|
- path = "/launchroles/"
|
|
|
- description = "This policy allows indexer-specific functions"
|
|
|
- policy = data.aws_iam_policy_document.indexer_instance_policy_doc.json
|
|
|
-}
|
|
|
-
|
|
|
-data "aws_iam_policy_document" "indexer_instance_policy_doc" {
|
|
|
- # Allow copying to S3 for frozen
|
|
|
- # Allow use of S3 for SmartStore
|
|
|
- statement {
|
|
|
- sid = "GeneralBucketAccess"
|
|
|
- effect = "Allow"
|
|
|
- actions = [
|
|
|
- "s3:ListAllMyBuckets",
|
|
|
- "s3:HeadBucket",
|
|
|
- ]
|
|
|
- resources = [ "*" ]
|
|
|
- }
|
|
|
-
|
|
|
- statement {
|
|
|
- sid = "S3BucketAccess"
|
|
|
- effect = "Allow"
|
|
|
- actions = [
|
|
|
- "s3:GetLifecycleConfiguration",
|
|
|
- "s3:DeleteObjectVersion",
|
|
|
- "s3:ListBucketVersions",
|
|
|
- "s3:GetBucketLogging",
|
|
|
- "s3:RestoreObject",
|
|
|
- "s3:ListBuckets",
|
|
|
- "s3:GetBucketVersioning",
|
|
|
- "s3:PutObject",
|
|
|
- "s3:GetObject",
|
|
|
- "s3:PutLifecycleConfiguration",
|
|
|
- "s3:GetBucketCORS",
|
|
|
- "s3:DeleteObject",
|
|
|
- "s3:GetBucketLocation",
|
|
|
- "s3:GetObjectVersion",
|
|
|
- ]
|
|
|
- resources = [
|
|
|
- "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-frozen",
|
|
|
- "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-frozen/*",
|
|
|
- "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-smartstore",
|
|
|
- "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-smartstore/*",
|
|
|
- ]
|
|
|
- }
|
|
|
-
|
|
|
- statement {
|
|
|
- sid = "KMSKeyAccess"
|
|
|
- effect = "Allow"
|
|
|
- actions = [
|
|
|
- "kms:Decrypt",
|
|
|
- "kms:GenerateDataKeyWithoutPlaintext",
|
|
|
- "kms:Verify",
|
|
|
- "kms:GenerateDataKeyPairWithoutPlaintext",
|
|
|
- "kms:GenerateDataKeyPair",
|
|
|
- "kms:ReEncryptFrom",
|
|
|
- "kms:Encrypt",
|
|
|
- "kms:GenerateDataKey",
|
|
|
- "kms:ReEncryptTo",
|
|
|
- "kms:Sign",
|
|
|
- ]
|
|
|
- resources = [ "*" ]
|
|
|
- }
|
|
|
-}
|
|
|
-
|
|
|
-resource "aws_iam_role_policy_attachment" "indexer_instance_policy_attach" {
|
|
|
- role = aws_iam_role.indexer_instance_role.name
|
|
|
- policy_arn = aws_iam_policy.indexer_instance_policy.arn
|
|
|
-}
|
Frederick Damstra