AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150
							resource "aws_iam_instance_profile" "vault_instance_profile" {
  name     = "vault-instance-profile"
  role     = aws_iam_role.vault.name
}

resource "aws_iam_role" "vault" {
  name     = "vault-instance-role"

  assume_role_policy = <<EOF
{   
    "Version": "2012-10-17",
    "Statement": [
      { 
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "ec2.amazonaws.com",
            "ssm.amazonaws.com"
            ]
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
EOF
}

#-------------------------------
# KMS Policy
#-------------------------------

data "aws_iam_policy_document" "vault_kms_key_policy" {
  statement {
    sid    = "KMSAutoUnseal"
    effect = "Allow"

    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:DescribeKey",
    ]

    resources = [
      aws_kms_key.vault.arn,
    ]
  }

  statement {
    sid    = "Tags"
    effect = "Allow"

    actions = [
      "ec2:DescribeTags",
      "ec2:DescribeInstances"
    ]
    resources = [
      "*"
    ]
  }
}

resource "aws_iam_policy" "vault_kms_key_policy" {
  name     = "vault_kms"
  path     = "/"
  policy   = data.aws_iam_policy_document.vault_kms_key_policy.json
}

resource "aws_iam_role_policy_attachment" "vault_kms" {
  role       = aws_iam_role.vault.name
  policy_arn = aws_iam_policy.vault_kms_key_policy.arn
}

resource "aws_iam_role_policy_attachment" "AmazonEC2RoleforSSM" {
  role       = aws_iam_role.vault.name
  policy_arn = "arn:aws-us-gov:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
}

#------------------------------
# DynamoDB 
#------------------------------

data "aws_iam_policy_document" "vault_dynamodb_policy" {
  statement {
    sid    = "AllowVaultCommunicationtoDynamoDB"
    effect = "Allow"

    actions = [
      "dynamodb:DescribeLimits",
      "dynamodb:DescribeTimeToLive",
      "dynamodb:ListTagsOfResource",
      "dynamodb:DescribeReservedCapacityOfferings",
      "dynamodb:DescribeReservedCapacity",
      "dynamodb:ListTables",
      "dynamodb:BatchGetItem",
      "dynamodb:BatchWriteItem",
      "dynamodb:CreateTable",
      "dynamodb:DeleteItem",
      "dynamodb:GetItem",
      "dynamodb:GetRecords",
      "dynamodb:PutItem",
      "dynamodb:Query",
      "dynamodb:UpdateItem",
      "dynamodb:Scan",
      "dynamodb:DescribeTable",
    ]

    resources = [aws_dynamodb_table.vault.arn]
  }
}

resource "aws_iam_policy" "vault_dynamodb_policy" {
  name     = "vault_dynamodb"
  path     = "/"
  policy   = data.aws_iam_policy_document.vault_dynamodb_policy.json
}

resource "aws_iam_role_policy_attachment" "vault_dynamodb" {
  role       = aws_iam_role.vault.name
  policy_arn = aws_iam_policy.vault_dynamodb_policy.arn
}

# ---------------------------------------------------------------------------------------------------------------------
# IAM Policy for EC2 AppRole Authentication 
# ---------------------------------------------------------------------------------------------------------------------

data "aws_iam_policy_document" "vault_approle" {
  statement {
    sid    = "AllowVaultIAMMetaData"
    effect = "Allow"

    actions = [ 
        "iam:GetInstanceProfile",
        "iam:GetRole"
    ]   

    resources = ["*"]
  }
}

resource "aws_iam_policy" "vault_approle_policy" {
  name     = "vault_approle"
  path     = "/" 
  policy   = data.aws_iam_policy_document.vault_approle.json
}

resource "aws_iam_role_policy_attachment" "vault_approle" {
  role       = aws_iam_role.vault.name
  policy_arn = aws_iam_policy.vault_approle_policy.arn
}