
Grants KMS access to/from the Codebuild Key

Splunk servers need access to the key that was used for the codebuild artifacts.

To be tagged v3.4.9
Fred Damstra [afs macbook] 3 năm trước cách đây
mục cha
commit
d4857f7b85

+ 0 - 61
base/codebuild_splunk_apps/iam.tf

@@ -114,64 +114,3 @@ resource "aws_iam_policy" "codebuild_splunk_apps_policy" {
 }
 EOF
 }
-
-# !!!!!     RETAINED FOR FUTURE USE   !!!!!
-# Defines an IAM user that can only download ECR images, intended for
-# use in POP nodes where we need containers, but won't necessarily have
-# EC2 instance role credentials.  Maybe one day this goes to vault, I
-# hope.   It would be nice.
-
-# data "aws_iam_policy_document" "ecr_policy_pop" {
-#   statement {
-#     sid       = "AllowECRReadOnly"
-#     effect    = "Allow"
-
-#     actions   = [
-#       "ecr:GetAuthorizationToken",
-#       "ecr:BatchCheckLayerAvailability",
-#       "ecr:GetDownloadUrlForLayer",
-#       "ecr:GetRepositoryPolicy",
-#       "ecr:DescribeRepositories",
-#       "ecr:ListImages",
-#       "ecr:DescribeImages",
-#       "ecr:BatchGetImage"
-#     ]
-    
-#     resources = [
-#       "*"
-#     ]
-
-#   }
-# }
-
-# resource "aws_iam_policy" "ecr_policy_pop" {
-#   name   = "ecr_policy_pop"
-#   path   = "/"
-#   policy = "${data.aws_iam_policy_document.ecr_policy_pop.json}"
-# }
-
-# resource "aws_iam_user" "pop_service_account" {
-#   name = "svc-mdrpop"
-#   path = "/service/"
-# }
-
-# resource "aws_iam_user_policy_attachment" "pop_service_account_1" {
-#   user       = "${aws_iam_user.pop_service_account.name}"
-#   policy_arn = "${aws_iam_policy.ecr_policy_pop.arn}"
-# }
-
-
-# resource "aws_iam_access_key" "pop_service_account" {
-#   user    = "${aws_iam_user.pop_service_account.name}"
-#   pgp_key = "${file("../00-organizations-and-iam/duane_waddle.pgp")}"
-# }
-
-# output "pop_service_account_key_id" {
-#   value = "${aws_iam_access_key.pop_service_account.id}"
-# }
-
-# output "pop_service_account_secret" {
-#   value = "${aws_iam_access_key.pop_service_account.encrypted_secret}"
-# }
-
-# !!!!!    END OF RETAINED FOR FUTURE USE   !!!!!

+ 4 - 2
base/codebuild_splunk_apps/kms.tf

@@ -111,8 +111,10 @@ data "aws_iam_policy_document" "codebuild_splunk_apps_kms_key_encryption_policy"
     principals {
       type = "AWS"
     
-      # FIXME this needs to be a better role by far
-      identifiers = [ aws_iam_role.codebuild_splunk_apps_role.arn ]
+      identifiers = [ 
+        aws_iam_role.codebuild_splunk_apps_role.arn,
+        "arn:${ var.aws_partition}:iam::${ var.aws_account_id}:role/service/splunk-apps-s3"
+      ]
     }
     actions = [
       "kms:Encrypt",
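Review bot: The new principal on the added `identifiers` lines is a hand-built ARN that hard-codes the role name `splunk-apps-s3`, so a rename of that role in `base/splunk_servers/app_s3_bucket` silently drops it from the key policy with no plan-time error; the removed FIXME asked for "a better role", and this keeps the same coupling in a less visible form. The other module already exposes `output "Splunk_Role_ARN"`, so the symmetric fix is to pass that ARN in through a variable and write `var.splunk_apps_s3_role_arn` (variable name constructed) in place of the string, which also removes the stray spaces in `${ var.aws_partition}`. This statement also now grants the Splunk role whatever follows `"kms:Encrypt"` in the action list, while the Splunk side of this commit only asks for `"kms:Decrypt"`; the action list continues outside the hunk, so if it is the encrypt/re-encrypt set, a separate decrypt-only statement for the Splunk principal would keep the grant to what it uses. The enclosing policy document starts before this hunk.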

+ 2 - 1
base/splunk_servers/app_s3_bucket/iam_splunk_apps_s3_role.tf

@@ -90,7 +90,8 @@ data "aws_iam_policy_document" "splunk_apps_s3_policy_doc" {
     sid       = "UseTheKey"
     effect    = "Allow"
     resources = [
-      aws_kms_key.bucketkey.arn
+      #aws_kms_key.bucketkey.arn
+      "*" # Needs access to the not-yet-created key for codebuild
     ]
     actions = [
       "kms:Decrypt",
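Review bot: Replacing `aws_kms_key.bucketkey.arn` with `"*"` in the `UseTheKey` statement widens this role's IAM-side KMS permission (the action list starting with `"kms:Decrypt"` continues outside the hunk) from one key to every key whose key policy admits this role or its account, and the trailing comment documents it as a workaround for an ARN that is not known yet. Since the `kms.tf` change in this same commit names the role directly as a principal in the codebuild key's key policy, the IAM-side grant is, as far as I can tell, not needed for that key at all; if an IAM-side grant is still wanted, keep the resource list explicit, e.g. `resources = [ aws_kms_key.bucketkey.arn, var.codebuild_kms_key_arn ]` with the codebuild key ARN supplied as a variable (name constructed), rather than leaving `"*"` in place permanently. The enclosing policy document begins before this hunk.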

+ 4 - 0
base/splunk_servers/app_s3_bucket/outputs.tf

@@ -6,6 +6,10 @@ output "Splunk_Role_ARN" {
   value = aws_iam_role.splunk_apps_s3_role.arn
 }
 
+output "bucket_kms_key" {
+  value = aws_kms_key.bucketkey.arn
+}
+
 #output "Writer_Role_ARN" {
 #  value = aws_iam_role.splunk_apps_s3_writer_role.arn
 #}
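Review bot: The new `output "bucket_kms_key"` has no `description`, and its name suggests a key object while the value is an ARN; the sibling output above is `Splunk_Role_ARN`, so the naming is also inconsistent within the file. Since the output is new and has no consumers yet, consider `output "bucket_kms_key_arn"` with `description = "ARN of the KMS key (aws_kms_key.bucketkey) used by this module's Splunk apps bucket"` so the value other modules import is self-explaining.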