
Merge pull request #26 from mdr-engineering/feature/dw_MSOCI-1334_qualys

[MSOCI-1334] Qualys Users and Connector Roles
Duane Waddle 5 years ago
parent
commit
f54b691b38

+ 50 - 0
base/qualys_connector_role/main.tf

@@ -0,0 +1,50 @@
+data aws_partition "current" {}
+
+data aws_iam_policy_document "qualys_assume_role_policy" {
+  statement {
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:${data.aws_partition.current.partition}:iam::${var.service_account_home}:user/service_accounts/qualys"
+      ]
+    }
+    actions = [
+      "sts:AssumeRole"
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "sts:ExternalId"
+      values = [
+        var.externalid
+      ]
+    }
+  }
+}
+
+data aws_iam_policy_document "qualys_role_policy" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "ec2:DescribeInstances",
+      "ec2:DescribeAddresses",
+      "ec2:DescribeImages"
+    ]
+    resources = ["*"]
+  }
+}
+
+resource aws_iam_role "qualys" {
+  name               = "QualysConnectorRole"
+  assume_role_policy = data.aws_iam_policy_document.qualys_assume_role_policy.json
+  description        = "Qualys Connector for EC2 instance enumeration"
+  tags               = var.tags
+}
+
+resource aws_iam_role_policy "qualys" {
+  role   = aws_iam_role.qualys.id
+  name   = "QualysEC2Connector"
+  policy = data.aws_iam_policy_document.qualys_role_policy.json
+
+}
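Review bot: The trust policy's `identifiers` entry names an IAM user ARN, and AWS stores such a principal by its unique ID rather than the ARN string, so if the `qualys` user in the home account is ever deleted and recreated (the sibling module creates it with `force_destroy = true`) this role's trust stops matching and every connector account needs a re-apply. A more durable form trusts the home account root and string-matches the user ARN with an `aws:PrincipalArn` condition, keeping the existing `sts:ExternalId` condition alongside it; the user still needs its own `sts:AssumeRole` grant, which the base-account policy already provides. `resources = ["*"]` on the Describe statement is fine to leave, since the EC2 Describe actions listed here generally do not support resource-level restrictions, and a comment saying so, e.g. `# ec2:Describe* does not support resource-level permissions`, would stop a later reviewer from trying to scope it.

```hcl
data aws_iam_policy_document "qualys_assume_role_policy" {
  statement {
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:${data.aws_partition.current.partition}:iam::${var.service_account_home}:root"]
    }
    # … unchanged: actions = ["sts:AssumeRole"] …

    # Match the service-account user by ARN string rather than by its resolved
    # unique ID, so a recreated user with the same name keeps access.
    condition {
      test     = "ArnEquals"
      variable = "aws:PrincipalArn"
      values   = ["arn:${data.aws_partition.current.partition}:iam::${var.service_account_home}:user/service_accounts/qualys"]
    }

    # … unchanged: sts:ExternalId condition …
  }
}
```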

+ 3 - 0
base/qualys_connector_role/outputs.tf

@@ -0,0 +1,3 @@
+output qualys_role_arn {
+  value = aws_iam_role.qualys.arn
+}

+ 14 - 0
base/qualys_connector_role/variables.tf

@@ -0,0 +1,14 @@
+variable service_account_home {
+  description = "Home account number for qualys service account"
+  type        = string
+}
+
+variable externalid {
+  description = "External ID from Qualys Connector"
+  type        = string
+}
+
+variable tags {
+  type    = map
+  default = {}
+}
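Review bot: `type = map` on the `tags` variable is an unconstrained map with no `description`; AWS tags are string-to-string and newer Terraform releases warn on type constraints without an element type, so `type = map(string)` is the safer declaration. `externalid` is the value that gates the cross-account trust in `main.tf`, so its description should say that it must match the External ID shown for the connector in the Qualys console, e.g. `description = "External ID shown by the Qualys connector; must match or AssumeRole is denied"`. If the Terraform version in use supports it, `sensitive = true` on `externalid` would also keep it out of plan output.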

+ 5 - 0
base/qualys_iam_baseaccount/README.md

@@ -0,0 +1,5 @@
+# qualys_iam_baseaccount - makes a qualys "base account"
+
+Qualys has this concept of a "base account" that is effectively
+an IAM account.  This makes an IAM user with keys for qualys to
+use ...

+ 30 - 0
base/qualys_iam_baseaccount/main.tf

@@ -0,0 +1,30 @@
+data aws_partition this {}
+
+resource "aws_iam_user" "this" {
+  name          = "qualys"
+  path          = "/service_accounts/"
+  tags          = var.tags
+  force_destroy = true
+}
+
+resource "aws_iam_access_key" "this" {
+  user    = aws_iam_user.this.name
+  pgp_key = var.pgp_key
+}
+
+resource "aws_iam_user_policy" "assume_role" {
+  name   = "assume_role"
+  user   = aws_iam_user.this.name
+  policy = data.aws_iam_policy_document.assume_role.json
+}
+
+data aws_iam_policy_document "assume_role" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    resources = [
+      "arn:${data.aws_partition.this.partition}:iam::*:role/QualysConnectorRole",
+      "arn:${data.aws_partition.this.partition}:iam::*:role/Role_For_QualysEC2Connector",
+    ]
+  }
+}
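Review bot: The `resources` list in the `assume_role` document lets this user assume a role named `QualysConnectorRole` or `Role_For_QualysEC2Connector` in any account (`iam::*`), so the only control on which accounts it can reach is the trust policy on the target side; that is the usual gating, but it means the policy cannot be audited for scope and anyone who learns this user's ARN can make it a valid principal on a role in their own account. If the set of monitored accounts is known, passing it in as a list variable and building the ARNs with a `for` expression, e.g. `resources = [for acct in var.connector_accounts : "arn:${data.aws_partition.this.partition}:iam::${acct}:role/QualysConnectorRole"]` (and the same for the second name), keeps the grant explicit. Nothing in this PR creates `Role_For_QualysEC2Connector` (the connector module names its role `QualysConnectorRole`), so a comment on that line explaining why it is listed — presumably a pre-existing or Qualys-default name, which I cannot confirm from here — would stop a later cleanup from removing it. As a style point, the file mixes unquoted block labels (`data aws_partition this`) with quoted ones (`resource "aws_iam_user" "this"`); quoting all of them matches the resource blocks and avoids the deprecation warning newer Terraform releases emit for unquoted labels.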

+ 7 - 0
base/qualys_iam_baseaccount/outputs.tf

@@ -0,0 +1,7 @@
+output key_id {
+  value = aws_iam_access_key.this.id
+}
+
+output secret {
+  value = aws_iam_access_key.this.encrypted_secret
+}
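Review bot: The `secret` output is `encrypted_secret`, which is only usable by whoever holds the private half of `var.pgp_key`, but nothing on the output says so; a `description` such as `description = "Access-key secret, PGP-encrypted to var.pgp_key and base64-encoded; decrypt before use"` saves the next operator a trip to the provider docs. If the Terraform version in use supports it, `sensitive = true` on both outputs would also keep the key id and ciphertext out of plan and apply logs, even though the ciphertext itself is safe to expose.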

+ 8 - 0
base/qualys_iam_baseaccount/variables.tf

@@ -0,0 +1,8 @@
+variable tags {
+  type    = map
+  default = {}
+}
+
+variable pgp_key {
+  type = string
+}
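Review bot: `pgp_key` has no `description`, and it is the one input here that determines who can read the generated secret; per the AWS provider's `aws_iam_access_key` docs it accepts either a base64-encoded PGP public key or `keybase:<username>`, so `description = "PGP public key (base64) or keybase:<user>; the access-key secret is encrypted to it"` documents both the format and the consequence. Same note as the connector module: `type = map(string)` for `tags`, with a short description.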