AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121
							#############################
# GitHub Enterprise instance profile
#
# Includes policies for GitHub Enterprise:
#  * Same policies as the default instance profile
resource "aws_iam_instance_profile" "github_instance_profile" {
  name = "xdr-github-instance-profile"
  path = "/instance/"
  role = aws_iam_role.github_instance_role.name
}

resource "aws_iam_role" "github_instance_role" {
  name               = "xdr-github-instance-role"
  path               = "/instance/"
  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "ec2.amazonaws.com",
            "ssm.amazonaws.com"
            ]
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
EOF
}

# These 3 are the default profile attachments:
resource "aws_iam_role_policy_attachment" "github_instance_AmazonEC2RoleforSSM" {
  role       = aws_iam_role.github_instance_role.name
  policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
}

resource "aws_iam_role_policy_attachment" "github_instance_default_policy_attach" {
  role       = aws_iam_role.github_instance_role.name
  policy_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:policy/launchroles/default_instance_tag_read"
}

resource "aws_iam_role_policy_attachment" "github_instance_cloudwatch_policy_attach" {
  role       = aws_iam_role.github_instance_role.name
  policy_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:policy/cloudwatch_events"
}

# GitHub Enterprise Specific Policy
resource "aws_iam_policy" "github_instance_policy" {
  name        = "github_instance_policy"
  path        = "/launchroles/"
  description = "This policy allows github-specific functions"
  policy      = data.aws_iam_policy_document.github_instance_policy_doc.json
}

data "aws_iam_policy_document" "github_instance_policy_doc" {
  # Allow using S3 for GH Actions
  statement {
    sid    = "GeneralBucketAccess"
    effect = "Allow"
    actions = [
      "s3:ListAllMyBuckets",
      "s3:HeadBucket",
    ]
    resources = ["*"]
  }

  statement {
    sid    = "S3BucketAccess"
    effect = "Allow"
    actions = [
      "s3:PutObject",
      "s3:GetObject",
      "s3:ListBucketMultipartUploads",
      "s3:ListMultipartUploadParts",
      "s3:AbortMultipartUpload",
      "s3:DeleteObject",
      "s3:ListBuckets",
      #      "s3:GetLifecycleConfiguration",
      #      "s3:DeleteObjectVersion",
      #      "s3:ListBucketVersions",
      #      "s3:GetBucketLogging",
      #      "s3:RestoreObject",
      #      "s3:GetBucketVersioning",
      #      "s3:PutLifecycleConfiguration",
      #      "s3:GetBucketCORS",
      #      "s3:GetBucketLocation",
      #      "s3:GetObjectVersion",
    ]
    resources = [
      "arn:${var.aws_partition}:s3:::xdr-github-enterprise-${var.environment}-github-actions",
      "arn:${var.aws_partition}:s3:::xdr-github-enterprise-${var.environment}-github-actions/*",
    ]
  }

  statement {
    sid    = "KMSKeyAccess"
    effect = "Allow"
    actions = [
      "kms:Decrypt",
      "kms:GenerateDataKeyWithoutPlaintext",
      "kms:Verify",
      "kms:GenerateDataKeyPairWithoutPlaintext",
      "kms:GenerateDataKeyPair",
      "kms:ReEncryptFrom",
      "kms:Encrypt",
      "kms:GenerateDataKey",
      "kms:ReEncryptTo",
      "kms:Sign",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy_attachment" "github_instance_policy_attach" {
  role       = aws_iam_role.github_instance_role.name
  policy_arn = aws_iam_policy.github_instance_policy.arn
}