
Adds an S3 bucket for VMRay Backups

+ KMS Key
+ Instance Profile
Fred Damstra [afs macbook] 3 år sedan
förälder
incheckning
bfbc1f448b

+ 70 - 0
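--- a/base/vmray_instances/iam.tf
+++ b/base/vmray_instances/iam.tf
@@ -0,0 +1,70 @@
+# VMRay gets access to read/write to its backup bucket and use its s3 key
+module "instance_profile" {
+  source         = "../../submodules/iam/base_instance_profile"
+  prefix         = "xdr-vmray"
+  aws_partition  = var.aws_partition
+  aws_account_id = var.aws_account_id
+}
+
+// S3 is used for backups
+data "aws_iam_policy_document" "policy_auth_s3" {
+  statement {
+    sid       = ""
+    effect    = "Allow"
+    resources = [aws_s3_bucket.storage.arn]
+
+    actions = [
+      "s3:ListBucket",
+      "s3:ListBucketVersions",
+    ]
+  }
+
+  statement {
+    sid       = ""
+    effect    = "Allow"
+    resources = ["${aws_s3_bucket.storage.arn}/*"]
+
+    actions = [
+      "s3:PutObject",
+      "s3:GetObject",
+      "s3:GetObjectVersion",
+    ]
+  }
+}
+
+resource "aws_iam_policy" "auth_s3" {
+  name   = "xdr-vmray-auth-s3"
+  policy = data.aws_iam_policy_document.policy_auth_s3.json
+}
+
+resource "aws_iam_role_policy_attachment" "attach_auth_s3" {
+  role       = module.instance_profile.role_id
+  policy_arn = aws_iam_policy.auth_s3.arn
+}
+
+// Allow use of the key
+data "aws_iam_policy_document" "policy_kms" {
+  statement {
+    sid       = "AllowKMSUse"
+    effect    = "Allow"
+    resources = [aws_kms_key.s3.arn]
+
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+  }
+}
+
+resource "aws_iam_policy" "auth_kms" {
+  name   = "xdr-vmray-kms"
+  policy = data.aws_iam_policy_document.policy_kms.json
+}
+
+resource "aws_iam_role_policy_attachment" "attach_kms" {
+  role       = module.instance_profile.role_id
+  policy_arn = aws_iam_policy.auth_kms.arn
+}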
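Review bot: Both S3 statements carry `sid = ""` and the object statement leaves out `s3:DeleteObject` without saying why, so the restriction that keeps a compromised instance from destroying its own backups reads as accidental and is likely to be "fixed" by the next maintainer. Give the statements names, e.g. `sid = "ListBackupBucket"` and `sid = "ReadWriteBackupObjects"`, and add above the second one `# No s3:DeleteObject on purpose: the instance must never be able to remove backups; expiry is handled by the bucket lifecycle rule in s3.tf.` If the backup tooling uploads via multipart (the lifecycle rule in s3.tf aborts incomplete multipart uploads, which hints that it might), the role will also need `s3:AbortMultipartUpload` and `s3:ListBucketMultipartUploads` to clean up after a failed upload — confirm against the client before adding them.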

+ 105 - 0
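--- a/base/vmray_instances/s3-kms.tf
+++ b/base/vmray_instances/s3-kms.tf
@@ -0,0 +1,105 @@
+// KMS key for S3
+resource "aws_kms_key" "s3" {
+  description         = "KMS key for VMRay Backups"
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.kms_key_encryption_policy.json
+}
+
+resource "aws_kms_alias" "s3" {
+  name          = "alias/vmray-backups"
+  target_key_id = aws_kms_key.s3.key_id
+}
+
+data "aws_iam_policy_document" "kms_key_encryption_policy" {
+  #policy_id = "key-consolepolicy-3"
+  statement {
+    sid    = "Enable IAM User Permissions"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin"
+      ]
+    }
+    actions   = ["kms:*"]
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "Allow access for Key Administrators"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
+      ]
+    }
+
+    actions = [
+      "kms:Create*",
+      "kms:Describe*",
+      "kms:Enable*",
+      "kms:List*",
+      "kms:Put*",
+      "kms:Update*",
+      "kms:Revoke*",
+      "kms:Disable*",
+      "kms:Get*",
+      "kms:Delete*",
+      "kms:TagResource",
+      "kms:UntagResource",
+      "kms:ScheduleKeyDeletion",
+      "kms:CancelKeyDeletion"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "Allow use of the key"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        module.instance_profile.role_arn
+      ]
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "Allow access through Amazon S3 for all principals in the account that are authorized to use Amazon S3"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+    resources = ["*"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "kms.ViaService"
+      values   = ["s3.${var.aws_region}.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "kms.CallerAccount"
+      values   = [var.aws_account_id]
+    }
+  }
+}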
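Review bot: The condition keys in the last statement are misspelled — `variable = "kms.ViaService"` and `variable = "kms.CallerAccount"` use a dot where the documented KMS condition keys are `kms:ViaService` and `kms:CallerAccount`. A condition on a key that never appears in the request context cannot match, so either KMS rejects the policy on apply or, more likely, the `identifiers = ["*"]` statement silently grants nothing, and neither outcome is what its sid describes. Separately, the `Enable IAM User Permissions` statement names one role and one user instead of `arn:${var.aws_partition}:iam::${var.aws_account_id}:root`, which means IAM policies in this account (including `xdr-vmray-kms` in iam.tf) cannot authorize use of this key on their own and the key can become unmanageable if those two principals are ever deleted; if that is deliberate, say so in a comment, otherwise add the root principal.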

+ 59 - 0
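--- a/base/vmray_instances/s3.tf
+++ b/base/vmray_instances/s3.tf
@@ -0,0 +1,59 @@
+/* 
+Configuration of S3 bucket for backups
+Uses server side encryption to secure
+data.
+*/
+
+// S3 bucket for cluster storage
+resource "aws_s3_bucket" "storage" {
+  bucket        = "xdr-${var.environment}-vmray-backups"
+  force_destroy = var.instance_termination_protection ? false : true # reverse of termination protection, destroy if no termination protection
+}
+
+resource "aws_s3_bucket_acl" "s3_acl_storage" {
+  bucket = aws_s3_bucket.storage.id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_storage" {
+  bucket = aws_s3_bucket.storage.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.s3.arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_storage" {
+  bucket = aws_s3_bucket.storage.id
+
+  rule {
+    id     = "DeleteAfter90Days"
+    status = "Enabled"
+
+    abort_incomplete_multipart_upload {
+      days_after_initiation = 7
+    }
+
+    expiration {
+      days = 90
+    }
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "awsconfig_bucket_block_public_access" {
+  block_public_acls       = true
+  block_public_policy     = true
+  bucket                  = aws_s3_bucket.storage.id
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_versioning" "versioning" {
+  bucket = aws_s3_bucket.storage.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}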
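Review bot: The `DeleteAfter90Days` rule expires only current object versions, yet `aws_s3_bucket_versioning` at the bottom enables versioning, so after 90 days S3 merely writes a delete marker and every superseded backup version is retained indefinitely — effective retention is not 90 days and storage grows without bound. Add `noncurrent_version_expiration {` / `  noncurrent_days = 90` / `}` next to `expiration` (choosing the value that matches the intended retention). There is also no bucket policy: default SSE-KMS only applies to writes that name no encryption, so a caller with `s3:PutObject` can still upload with SSE-S3 and bypass the `vmray-backups` key, and nothing requires TLS; a policy denying `aws:SecureTransport = false` and `PutObject` requests whose `s3:x-amz-server-side-encryption` is set to anything other than `aws:kms` would close both gaps.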

+ 1 - 1
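--- a/base/vmray_instances/server.tf
+++ b/base/vmray_instances/server.tf
@@ -71,7 +71,7 @@ resource "aws_instance" "vmray-server-instance" {
   instance_type                        = var.instance_types["vmray-server"]
   key_name                             = "msoc-build"
   monitoring                           = false
-  iam_instance_profile                 = "msoc-default-instance-profile"
+  iam_instance_profile                 = module.instance_profile.profile_id
 
   ami = data.aws_ami.ubuntu2004.image_id
   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.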
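Review bot: The new profile drops whatever permissions `msoc-default-instance-profile` was giving this instance (typically SSM, CloudWatch-agent or log-shipping access on a baseline profile) unless `submodules/iam/base_instance_profile` reproduces them; that submodule is not part of this diff, so it cannot be confirmed from here and should be checked before the instance is rebuilt. A short comment on the changed line would also record the intent, e.g. `# dedicated profile: base_instance_profile + the xdr-vmray S3/KMS policies in iam.tf, replaces msoc-default-instance-profile`. The enclosing `resource "aws_instance" "vmray-server-instance"` block starts and ends outside the hunk.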

+ 1 - 1
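--- a/base/vmray_instances/worker.tf
+++ b/base/vmray_instances/worker.tf
@@ -34,7 +34,7 @@ resource "aws_instance" "vmray-worker-instance" {
   instance_type                        = var.instance_types["vmray-worker"]
   key_name                             = "msoc-build"
   monitoring                           = false
-  iam_instance_profile                 = "msoc-default-instance-profile"
+  iam_instance_profile                 = module.instance_profile.profile_id
 
   ami = data.aws_ami.ubuntu2004.image_id
   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.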
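Review bot: The worker now shares the `xdr-vmray` profile with the server and so receives read/write access to the backup bucket and use of its KMS key (iam.tf), although a sandbox worker is presumably the host that runs untrusted samples and nothing in this diff shows it taking backups. If only the server produces backups, give the worker a profile without `attach_auth_s3`/`attach_kms` so a sandbox escape cannot read or overwrite backup data; if workers do write backups, a comment on this line saying so would save the next reviewer the same question. The enclosing `resource "aws_instance" "vmray-worker-instance"` block starts and ends outside the hunk.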