123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596 |
- module "instance_profile" {
- source = "../../submodules/iam/base_instance_profile"
- prefix = "xdr-phantom"
- aws_partition = var.aws_partition
- aws_account_id = var.aws_account_id
- }
- # Phantom Specific Policy
- #resource "aws_iam_policy" "phantom_instance_policy" {
- # name = "phantom_instance_policy"
- # path = "/launchroles/"
- # description = "This policy allows phantom-specific functions"
- # policy = data.aws_iam_policy_document.phantom_instance_policy_doc.json
- #}
- #
- #data "aws_iam_policy_document" "phantom_instance_policy_doc" {
- # # Allow copying to S3 for frozen
- # # Allow use of S3 for SmartStore
- # statement {
- # sid = "GeneralBucketAccess"
- # effect = "Allow"
- # actions = [
- # "s3:ListAllMyBuckets",
- # "s3:HeadBucket",
- # ]
- # resources = [ "*" ]
- # }
- #
- # statement {
- # sid = "S3BucketAccess"
- # effect = "Allow"
- # actions = [
- # "s3:GetLifecycleConfiguration",
- # "s3:DeleteObjectVersion",
- # "s3:ListBucketVersions",
- # "s3:GetBucketLogging",
- # "s3:RestoreObject",
- # "s3:ListBuckets",
- # "s3:GetBucketVersioning",
- # "s3:PutObject",
- # "s3:GetObject",
- # "s3:PutLifecycleConfiguration",
- # "s3:GetBucketCORS",
- # "s3:DeleteObject",
- # "s3:GetBucketLocation",
- # "s3:GetObjectVersion",
- # ]
- # resources = [
- # "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-frozen",
- # "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-frozen/*",
- # "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-smartstore",
- # "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-smartstore/*",
- # ]
- # }
- #
- # statement {
- # sid = "S3ReadOnlyBucketAccess"
- # effect = "Allow"
- # actions = [
- # "s3:ListBucketVersions",
- # "s3:ListBuckets",
- # "s3:GetBucketVersioning",
- # "s3:GetObject",
- # "s3:GetBucketCORS",
- # "s3:GetBucketLocation",
- # "s3:GetObjectVersion",
- # ]
- # resources = [
- # "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-apps",
- # "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-apps/*",
- # ]
- # }
- #
- # statement {
- # sid = "KMSKeyAccess"
- # effect = "Allow"
- # actions = [
- # "kms:Decrypt",
- # "kms:GenerateDataKeyWithoutPlaintext",
- # "kms:Verify",
- # "kms:GenerateDataKeyPairWithoutPlaintext",
- # "kms:GenerateDataKeyPair",
- # "kms:ReEncryptFrom",
- # "kms:Encrypt",
- # "kms:GenerateDataKey",
- # "kms:ReEncryptTo",
- # "kms:Sign",
- # ]
- # resources = [ "*" ]
- # }
- #}
- #
- #resource "aws_iam_role_policy_attachment" "phantom_instance_policy_attach" {
- # role = module.instance_profile.role_id
- # policy_arn = aws_iam_policy.phantom_instance_policy.arn
- #}
|