# IAM resources for the Moose Splunk search head (SH). Every block below is
# gated on local.is_moose through count, so on a non-Moose deployment none of
# this is created; because count is only ever 0 or 1, the [count.index]
# references between the blocks always resolve to the single instance.
module "moose_instance_profile" {
  count = local.is_moose ? 1 : 0

  source         = "../../../submodules/iam/base_instance_profile"
  prefix         = "moose-splunk-sh"
  aws_partition  = var.aws_partition
  aws_account_id = var.aws_account_id
}

# Permissions granted to the search head's instance role.
data "aws_iam_policy_document" "moose_splunk_sh_policy_doc" {
  count = local.is_moose ? 1 : 0

  # The SH assumes run_audit_report_role in the C2 and mdr-prod-root-ca accounts
  # to run the ACM audit report, and splunk_apps_s3 in the account given by
  # var.aws_account_id.
  # NOTE(review): the first ARN uses "*" in the account-id field, so on this
  # side of the trust the role name may be assumed in any account; only the
  # target roles' trust policies scope it. Pinning the intended C2 / root-CA
  # account ids here would be tighter — confirm which accounts are meant.
  statement {
    sid     = "AllowAssumeRole"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    resources = [
      "arn:${var.aws_partition}:iam::*:role/service/run_audit_report_role",
      "arn:${ var.aws_partition }:iam::${ var.aws_account_id }:role/service/splunk_apps_s3",
    ]
  }

  # Read-only access to the ACM audit reports: first the bucket listing ...
  statement {
    sid       = ""
    effect    = "Allow"
    actions   = ["s3:ListBucket", "s3:ListBucketVersions"]
    resources = ["arn:${var.aws_partition}:s3:::xdr-ca-audit-reports"]
  }

  # ... then the objects (and their versions) inside it. No write actions are
  # granted on the bucket.
  statement {
    sid       = ""
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:GetObjectVersion"]
    resources = ["arn:${var.aws_partition}:s3:::xdr-ca-audit-reports/*"]
  }
}

# Managed policy rendered from the document above.
resource "aws_iam_policy" "moose_splunk_sh_policy" {
  count = local.is_moose ? 1 : 0

  name   = "moose_splunk_sh"
  path   = "/"
  policy = data.aws_iam_policy_document.moose_splunk_sh_policy_doc[count.index].json
}

# Attach that policy to the instance role created by the module.
resource "aws_iam_role_policy_attachment" "moose_splunk_sh_attach" {
  count = local.is_moose ? 1 : 0

  role       = module.moose_instance_profile[count.index].role_id
  policy_arn = aws_iam_policy.moose_splunk_sh_policy[count.index].arn
}

# Also attach the shared binaries-bucket policy. It is referenced by a literal
# ARN rather than a resource, so it is not managed in this file and needs to be
# created prior to creating the Salt Master; Terraform sees no dependency on it
# here, so a missing policy would only surface as an apply-time error.
resource "aws_iam_role_policy_attachment" "moose_splunk_sh_policy_attach_binaries" {
  count = local.is_moose ? 1 : 0

  role       = module.moose_instance_profile[count.index].role_id
  policy_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:policy/launchroles/default_instance_s3_binaries"
}