преди 4 години · b2e90f10bb
--- a/base/splunk_servers/frozen_s3_bucket/kms.tf
+++ b/base/splunk_servers/frozen_s3_bucket/kms.tf
@@ -0,0 +1,108 @@
 
				+locals {
			
 
				+  kms_users = concat( 
			
 
				+          [
			
 
				+            # Anybody else need access?
			
 
				+          ],
			
 
				+          local.account_arns
			
 
				+        )
			
 
				+}
			
 
				+
			
 
				+resource "aws_kms_key" "bucketkey" {
			
 
				+  description             = "S3 KMS for ${local.bucket_name}."
			
 
				+  deletion_window_in_days = 30
			
 
				+  enable_key_rotation     = true
			
 
				+  policy                  = data.aws_iam_policy_document.kms_key_policy.json
			
 
				+  tags                    = merge(var.standard_tags, var.tags)
			
 
				+}
			
 
				+
			
 
				+resource "aws_kms_alias" "bucketkey" {
			
 
				+  name          = "alias/FrozenS3"
			
 
				+  target_key_id = aws_kms_key.bucketkey.key_id
			
 
				+}
			
 
				+
			
 
				+data "aws_iam_policy_document" "kms_key_policy" {
			
 
				+  policy_id = local.bucket_name
			
 
				+  statement {
			
 
				+    sid    = "Enable IAM User Permissions"
			
 
				+    effect = "Allow"
			
 
				+    principals {
			
 
				+      type        = "AWS"
			
 
				+      identifiers = [
			
 
				+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:root",
			
 
				+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin",
			
 
				+      ]
			
 
				+    }
			
 
				+    actions   = ["kms:*"]
			
 
				+    resources = ["*"]
			
 
				+  }
			
 
				+
			
 
				+  statement {
			
 
				+    sid    = "Allow access for Engineers"
			
 
				+    effect = "Allow"
			
 
				+    principals {
			
 
				+      type = "AWS"
			
 
				+      identifiers = [
			
 
				+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin",
			
 
				+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
			
 
				+      ]
			
 
				+    }
			
 
				+
			
 
				+    actions = [
			
 
				+      "kms:Create*",
			
 
				+      "kms:Describe*",
			
 
				+      "kms:Enable*",
			
 
				+      "kms:List*",
			
 
				+      "kms:Put*",
			
 
				+      "kms:Update*",
			
 
				+      "kms:Revoke*",
			
 
				+      "kms:Disable*",
			
 
				+      "kms:Get*",
			
 
				+      "kms:Delete*",
			
 
				+      "kms:TagResource",
			
 
				+      "kms:UntagResource",
			
 
				+      "kms:ScheduleKeyDeletion",
			
 
				+      "kms:CancelKeyDeletion"
			
 
				+    ]
			
 
				+    resources = ["*"]
			
 
				+  }
			
 
				+
			
 
				+  statement {
			
 
				+    sid    = "Allow use of the key to encrypt and decrypt"
			
 
				+    effect = "Allow"
			
 
				+    principals {
			
 
				+      type = "AWS"
			
 
				+      identifiers = local.kms_users
			
 
				+    }
			
 
				+    actions = [
			
 
				+      "kms:Encrypt",
			
 
				+      "kms:Decrypt",
			
 
				+      "kms:ReEncrypt*",
			
 
				+      "kms:GenerateDataKey*",
			
 
				+      "kms:DescribeKey"
			
 
				+    ]
			
 
				+    resources = ["*"]
			
 
				+  }
			
 
				+
			
 
				+  statement {
			
 
				+    sid    = "Allow attachment of persistent resources"
			
 
				+    effect = "Allow"
			
 
				+    principals {
			
 
				+      type = "AWS"
			
 
				+      identifiers = [
			
 
				+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin",
			
 
				+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
			
 
				+      ]
			
 
				+    }
			
 
				+    actions = [
			
 
				+      "kms:CreateGrant",
			
 
				+      "kms:ListGrants",
			
 
				+      "kms:RevokeGrant"
			
 
				+    ]
			
 
				+    resources = ["*"]
			
 
				+    condition {
			
 
				+      test     = "Bool"
			
 
				+      variable = "kms:GrantIsForAWSResource"
			
 
				+      values   = ["true"]
			
 
				+    }
			
 
				+  }
			
 
				+}
			
--- a/base/splunk_servers/frozen_s3_bucket/main.tf
+++ b/base/splunk_servers/frozen_s3_bucket/main.tf
@@ -0,0 +1,86 @@
 
				+locals {
			
 
				+  bucket_name = "xdr-${ var.splunk_prefix }-${ var.environment }-splunk-frozen"
			
 
				+  accounts = [ var.aws_account_id ]
			
 
				+  account_arns = [ for a in local.accounts: "arn:${var.aws_partition}:iam::${a}:root" ]
			
 
				+}
			
 
				+
			
 
				+resource "aws_s3_bucket" "bucket" {
			
 
				+  bucket = local.bucket_name
			
 
				+  acl    = "private"
			
 
				+
			
 
				+  versioning {
			
 
				+    enabled = false
			
 
				+  }
			
 
				+
			
 
				+  tags = merge(var.standard_tags, var.tags)
			
 
				+
			
 
				+  #logging {
			
 
				+  #  target_bucket = "dps-s3-logs"
			
 
				+  #  target_prefix = "aws_terraform_s3_state_access_logs/"
			
 
				+  #}
			
 
				+
			
 
				+  lifecycle_rule {
			
 
				+    id      = "GLACIER"
			
 
				+    enabled = true
			
 
				+
			
 
				+    abort_incomplete_multipart_upload_days = 2
			
 
				+
			
 
				+    transition {
			
 
				+      days          = 3
			
 
				+      storage_class = "GLACIER"
			
 
				+    }
			
 
				+
			
 
				+    expiration {
			
 
				+      days = 365
			
 
				+    }
			
 
				+  }
			
 
				+
			
 
				+  server_side_encryption_configuration {
			
 
				+    rule {
			
 
				+      apply_server_side_encryption_by_default {
			
 
				+        kms_master_key_id = aws_kms_key.bucketkey.arn
			
 
				+        sse_algorithm     = "aws:kms"
			
 
				+      }
			
 
				+    }
			
 
				+  }
			
 
				+}
			
 
				+
			
 
				+resource "aws_s3_bucket_public_access_block" "public_access_block" {
			
 
				+  bucket                  = aws_s3_bucket.bucket.id
			
 
				+  block_public_acls       = true
			
 
				+  block_public_policy     = true
			
 
				+  ignore_public_acls      = true
			
 
				+  restrict_public_buckets = true
			
 
				+
			
 
				+  # Not technically dependent, but prevents a "Conflicting conditional operation" conflict.
			
 
				+  # See https://github.com/hashicorp/terraform-provider-aws/issues/7628
			
 
				+  depends_on = [ aws_s3_bucket_policy.policy ] 
			
 
				+}
			
 
				+
			
 
				+resource "aws_s3_bucket_policy" "policy" {
			
 
				+  bucket = aws_s3_bucket.bucket.id
			
 
				+
			
 
				+  policy = <<POLICY
			
 
				+{
			
 
				+  "Version": "2012-10-17",
			
 
				+  "Id": "AllowThisAccount",
			
 
				+  "Statement": [
			
 
				+    {
			
 
				+      "Sid": "AccountAllow",
			
 
				+      "Effect": "Allow",
			
 
				+      "Principal": {
			
 
				+        "AWS": ${jsonencode(local.account_arns)}
			
 
				+      },
			
 
				+      "Action": [
			
 
				+        "s3:GetObject",
			
 
				+        "s3:ListBucket"
			
 
				+      ],
			
 
				+      "Resource": [
			
 
				+        "${aws_s3_bucket.bucket.arn}",
			
 
				+        "${aws_s3_bucket.bucket.arn}/*"
			
 
				+      ]
			
 
				+    }
			
 
				+  ]
			
 
				+}
			
 
				+POLICY
			
 
				+}
			
--- a/base/splunk_servers/frozen_s3_bucket/outputs.tf
+++ b/base/splunk_servers/frozen_s3_bucket/outputs.tf
@@ -0,0 +1,3 @@
 
				+output "BucketName" {
			
 
				+  value = aws_s3_bucket.bucket.id
			
 
				+}
			
--- a/base/splunk_servers/frozen_s3_bucket/vars.tf
+++ b/base/splunk_servers/frozen_s3_bucket/vars.tf
@@ -0,0 +1,18 @@
 
				+variable "splunk_prefix" {
			
 
				+  type = string
			
 
				+}
			
 
				+
			
 
				+variable "tags" {
			
 
				+  description = "Tags for the bucket and kms key."
			
 
				+  type = map
			
 
				+}
			
 
				+
			
 
				+# ----------------------------------
			
 
				+# Below this line are variables inherited from higher levels, so they
			
 
				+# do not need to be explicitly passed to this module.
			
 
				+variable "standard_tags" { type = map }
			
 
				+variable "aws_account_id" { type = string }
			
 
				+variable "account_list" { type = list }
			
 
				+variable "aws_region" { type = string }
			
 
				+variable "aws_partition" { type = string }
			
 
				+variable "environment" { type = string }
			
--- a/base/splunk_servers/frozen_s3_bucket/version.tf
+++ b/base/splunk_servers/frozen_s3_bucket/version.tf
@@ -0,0 +1,3 @@
 
				+terraform {
			
 
				+  required_version = "~> 0.13"
			
 
				+}
			
--- a/base/splunk_servers/indexer_cluster/asg.tf
+++ b/base/splunk_servers/indexer_cluster/asg.tf
@@ -12,7 +12,7 @@ module "indexer0" {
 
				   key_name                   = "msoc-build"
			
 
				   min_size                   = var.splunk_asg_sizes[0]
			
 
				   max_size                   = var.splunk_asg_sizes[0]
			
 
				-  iam_instance_profile       = "msoc-default-instance-profile"
			
 
				+  iam_instance_profile       = aws_iam_instance_profile.indexer_instance_profile.name
			
 
				   common_services_account    = var.common_services_account
			
 
				   tags = merge(var.standard_tags, var.tags, { Name = "${local.asg_name}-0" } )
			
 
				 }
			
@@ -31,7 +31,7 @@ module "indexer1" {
 
				   key_name                   = "msoc-build"
			
 
				   min_size                   = var.splunk_asg_sizes[1]
			
 
				   max_size                   = var.splunk_asg_sizes[1]
			
 
				-  iam_instance_profile       = "msoc-default-instance-profile"
			
 
				+  iam_instance_profile       = aws_iam_instance_profile.indexer_instance_profile.name
			
 
				   common_services_account    = var.common_services_account
			
 
				   tags = merge(var.standard_tags, var.tags, { Name = "${local.asg_name}-1" } )
			
 
				 }
			
@@ -50,7 +50,7 @@ module "indexer2" {
 
				   key_name                   = "msoc-build"
			
 
				   min_size                   = var.splunk_asg_sizes[2]
			
 
				   max_size                   = var.splunk_asg_sizes[2]
			
 
				-  iam_instance_profile       = "msoc-default-instance-profile"
			
 
				+  iam_instance_profile       = aws_iam_instance_profile.indexer_instance_profile.name
			
 
				   common_services_account    = var.common_services_account
			
 
				   tags = merge(var.standard_tags, var.tags, { Name = "${local.asg_name}-2" } )
			
 
				 }
			
--- a/base/splunk_servers/indexer_cluster/instance_profile.tf
+++ b/base/splunk_servers/indexer_cluster/instance_profile.tf
@@ -0,0 +1,121 @@
 
				+#############################
			
 
				+# Indexer instance profile
			
 
				+#
			
 
				+# Includes policies for the indexers:
			
 
				+#  * Same policies as the default instance profile
			
 
				+resource "aws_iam_instance_profile" "indexer_instance_profile" {
			
 
				+  name = "xdr-indexer-instance-profile"
			
 
				+  path = "/instance/"
			
 
				+  role = aws_iam_role.indexer_instance_role.name
			
 
				+}
			
 
				+
			
 
				+resource "aws_iam_role"  "indexer_instance_role" {
			
 
				+  name = "xdr-indexer-instance-role"
			
 
				+  path = "/instance/"
			
 
				+  assume_role_policy = <<EOF
			
 
				+{
			
 
				+    "Version": "2012-10-17",
			
 
				+    "Statement": [
			
 
				+      {
			
 
				+        "Sid": "",
			
 
				+        "Effect": "Allow",
			
 
				+        "Principal": {
			
 
				+          "Service": [
			
 
				+            "ec2.amazonaws.com",
			
 
				+            "ssm.amazonaws.com"
			
 
				+            ]
			
 
				+        },
			
 
				+        "Action": "sts:AssumeRole"
			
 
				+      }
			
 
				+    ]
			
 
				+  }
			
 
				+EOF
			
 
				+}
			
 
				+
			
 
				+# These 3 are the default profile attachments:
			
 
				+resource "aws_iam_role_policy_attachment" "indexer_instance_AmazonEC2RoleforSSM" {
			
 
				+  role       = aws_iam_role.indexer_instance_role.name
			
 
				+  policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
			
 
				+}
			
 
				+
			
 
				+resource "aws_iam_role_policy_attachment" "indexer_instance_default_policy_attach" {
			
 
				+  role       = aws_iam_role.indexer_instance_role.name
			
 
				+  policy_arn = "arn:${ var.aws_partition }:iam::${ var.aws_account_id }:policy/launchroles/default_instance_tag_read"
			
 
				+}
			
 
				+
			
 
				+resource "aws_iam_role_policy_attachment" "indexer_instance_cloudwatch_policy_attach" {
			
 
				+  role       = aws_iam_role.indexer_instance_role.name
			
 
				+  policy_arn = "arn:${ var.aws_partition }:iam::${ var.aws_account_id }:policy/cloudwatch_events"
			
 
				+}
			
 
				+
			
 
				+# Indexer Specific Policy
			
 
				+resource "aws_iam_policy" "indexer_instance_policy" {
			
 
				+  name        = "indexer_instance_policy"
			
 
				+  path        = "/launchroles/"
			
 
				+  description = "This policy allows indexer-specific functions"
			
 
				+  policy      = data.aws_iam_policy_document.indexer_instance_policy_doc.json
			
 
				+}
			
 
				+
			
 
				+data "aws_iam_policy_document" "indexer_instance_policy_doc" {
			
 
				+  # Allow copying to S3 for frozen
			
 
				+  # Allow use of S3 for SmartStore
			
 
				+  statement {
			
 
				+    sid = "GeneralBucketAccess"
			
 
				+    effect = "Allow"
			
 
				+    actions = [
			
 
				+      "s3:ListAllMyBuckets",
			
 
				+      "s3:HeadBucket",
			
 
				+    ]
			
 
				+    resources = [ "*" ]
			
 
				+  }
			
 
				+
			
 
				+  statement {
			
 
				+    sid = "S3BucketAccess"
			
 
				+    effect = "Allow"
			
 
				+    actions = [
			
 
				+      "s3:GetLifecycleConfiguration",
			
 
				+      "s3:DeleteObjectVersion",
			
 
				+      "s3:ListBucketVersions",
			
 
				+      "s3:GetBucketLogging",
			
 
				+      "s3:RestoreObject",
			
 
				+      "s3:ListBuckets",
			
 
				+      "s3:GetBucketVersioning",
			
 
				+      "s3:PutObject",
			
 
				+      "s3:GetObject",
			
 
				+      "s3:PutLifecycleConfiguration",
			
 
				+      "s3:GetBucketCORS",
			
 
				+      "s3:DeleteObject",
			
 
				+      "s3:GetBucketLocation",
			
 
				+      "s3:GetObjectVersion",
			
 
				+    ]
			
 
				+    resources = [ 
			
 
				+      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-frozen",
			
 
				+      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-frozen/*",
			
 
				+      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-smartstore",
			
 
				+      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-smartstore/*",
			
 
				+    ]
			
 
				+  }
			
 
				+
			
 
				+  statement {
			
 
				+    sid = "KMSKeyAccess"
			
 
				+    effect = "Allow"
			
 
				+    actions = [
			
 
				+      "kms:Decrypt",
			
 
				+      "kms:GenerateDataKeyWithoutPlaintext",
			
 
				+      "kms:Verify",
			
 
				+      "kms:GenerateDataKeyPairWithoutPlaintext",
			
 
				+      "kms:GenerateDataKeyPair",
			
 
				+      "kms:ReEncryptFrom",
			
 
				+      "kms:Encrypt",
			
 
				+      "kms:GenerateDataKey",
			
 
				+      "kms:ReEncryptTo",
			
 
				+      "kms:Sign",
			
 
				+    ]
			
 
				+    resources = [ "*" ]
			
 
				+  }      
			
 
				+}
			
 
				+
			
 
				+resource "aws_iam_role_policy_attachment" "indexer_instance_policy_attach" {
			
 
				+  role       = aws_iam_role.indexer_instance_role.name
			
 
				+  policy_arn = aws_iam_policy.indexer_instance_policy.arn
			
 
				+}
			
--- a/base/splunk_servers/indexer_cluster/vars.tf
+++ b/base/splunk_servers/indexer_cluster/vars.tf
@@ -71,6 +71,7 @@ variable "dns_info" { type = map }
 
				 variable "standard_tags" { type = map }
			
 
				 variable "environment" { type = string }
			
 
				 variable "aws_region" { type = string }
			
 
				+variable "aws_account_id" { type = string }
			
 
				 variable "aws_partition" { type = string }
			
 
				 variable "aws_partition_alias" { type = string }
			
 
				 variable "common_services_account" { type = string }