Home Esplora Aiuto
Registrati Accedi
AFS
/
xdr-terraform-modules
2
0
Forka 0
File Problemi 0 Pull Requests 0 Wiki
Albero (Tree): 1ce9d85049
Rami (Branch) Tag
xdr-terraform-m...
/
base
/
phantom
/
instance_profile.tf

instance_profile.tf 2.8 KB
Cronologia Originale

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596 
  1. module "instance_profile" {
    2. 

  2.   source = "../../submodules/iam/base_instance_profile"
    3. 

  3.   prefix = "xdr-phantom"
    4. 

  4.   aws_partition = var.aws_partition
    5. 

  5.   aws_account_id = var.aws_account_id
    6. 

  6. }
    7. 

  7. 

  8. # Phantom Specific Policy
    9. 

  9. #resource "aws_iam_policy" "phantom_instance_policy" {
    10. 

  10. #  name        = "phantom_instance_policy"
    11. 

  11. #  path        = "/launchroles/"
    12. 

  12. #  description = "This policy allows phantom-specific functions"
    13. 

  13. #  policy      = data.aws_iam_policy_document.phantom_instance_policy_doc.json
    14. 

  14. #}
    15. 

  15. #
    16. 

  16. #data "aws_iam_policy_document" "phantom_instance_policy_doc" {
    17. 

  17. #  # Allow copying to S3 for frozen
    18. 

  18. #  # Allow use of S3 for SmartStore
    19. 

  19. #  statement {
    20. 

  20. #    sid = "GeneralBucketAccess"
    21. 

  21. #    effect = "Allow"
    22. 

  22. #    actions = [
    23. 

  23. #      "s3:ListAllMyBuckets",
    24. 

  24. #      "s3:HeadBucket",
    25. 

  25. #    ]
    26. 

  26. #    resources = [ "*" ]
    27. 

  27. #  }
    28. 

  28. #
    29. 

  29. #  statement {
    30. 

  30. #    sid = "S3BucketAccess"
    31. 

  31. #    effect = "Allow"
    32. 

  32. #    actions = [
    33. 

  33. #      "s3:GetLifecycleConfiguration",
    34. 

  34. #      "s3:DeleteObjectVersion",
    35. 

  35. #      "s3:ListBucketVersions",
    36. 

  36. #      "s3:GetBucketLogging",
    37. 

  37. #      "s3:RestoreObject",
    38. 

  38. #      "s3:ListBuckets",
    39. 

  39. #      "s3:GetBucketVersioning",
    40. 

  40. #      "s3:PutObject",
    41. 

  41. #      "s3:GetObject",
    42. 

  42. #      "s3:PutLifecycleConfiguration",
    43. 

  43. #      "s3:GetBucketCORS",
    44. 

  44. #      "s3:DeleteObject",
    45. 

  45. #      "s3:GetBucketLocation",
    46. 

  46. #      "s3:GetObjectVersion",
    47. 

  47. #    ]
    48. 

  48. #    resources = [ 
    49. 

  49. #      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-frozen",
    50. 

  50. #      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-frozen/*",
    51. 

  51. #      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-smartstore",
    52. 

  52. #      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-smartstore/*",
    53. 

  53. #    ]
    54. 

  54. #  }
    55. 

  55. #
    56. 

  56. #  statement {
    57. 

  57. #    sid = "S3ReadOnlyBucketAccess"
    58. 

  58. #    effect = "Allow"
    59. 

  59. #    actions = [
    60. 

  60. #      "s3:ListBucketVersions",
    61. 

  61. #      "s3:ListBuckets",
    62. 

  62. #      "s3:GetBucketVersioning",
    63. 

  63. #      "s3:GetObject",
    64. 

  64. #      "s3:GetBucketCORS",
    65. 

  65. #      "s3:GetBucketLocation",
    66. 

  66. #      "s3:GetObjectVersion",
    67. 

  67. #    ]
    68. 

  68. #    resources = [ 
    69. 

  69. #      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-apps",
    70. 

  70. #      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-apps/*",
    71. 

  71. #    ]
    72. 

  72. #  }
    73. 

  73. #
    74. 

  74. #  statement {
    75. 

  75. #    sid = "KMSKeyAccess"
    76. 

  76. #    effect = "Allow"
    77. 

  77. #    actions = [
    78. 

  78. #      "kms:Decrypt",
    79. 

  79. #      "kms:GenerateDataKeyWithoutPlaintext",
    80. 

  80. #      "kms:Verify",
    81. 

  81. #      "kms:GenerateDataKeyPairWithoutPlaintext",
    82. 

  82. #      "kms:GenerateDataKeyPair",
    83. 

  83. #      "kms:ReEncryptFrom",
    84. 

  84. #      "kms:Encrypt",
    85. 

  85. #      "kms:GenerateDataKey",
    86. 

  86. #      "kms:ReEncryptTo",
    87. 

  87. #      "kms:Sign",
    88. 

  88. #    ]
    89. 

  89. #    resources = [ "*" ]
    90. 

  90. #  }      
    91. 

  91. #}
    92. 

  92. #
    93. 

  93. #resource "aws_iam_role_policy_attachment" "phantom_instance_policy_attach" {
    94. 

  94. #  role       = module.instance_profile.role_id
    95. 

  95. #  policy_arn = aws_iam_policy.phantom_instance_policy.arn
    96. 

  96. #}
    97.