AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111
							resource "aws_iam_role" "phantom_s3_role" {
  name                  = "phantom_s3"
  path                  = "/service/"
  force_detach_policies = true # causes "DeleteConflict" if not present

  # the extra_trusted_salt variable allows the addition of additional
  # trusted sources, such as the dev salt master (for dev environments)
  # and developer users.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/instance/xdr-phantom-instance-role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

  tags = merge(local.standard_tags, var.tags)
}

resource "aws_iam_role_policy_attachment" "phantom_s3_policy_attach" {
  role       = aws_iam_role.phantom_s3_role.name
  policy_arn = aws_iam_policy.phantom_s3_policy.arn
}

resource "aws_iam_policy" "phantom_s3_policy" {
  name        = "phantom_s3_policy"
  path        = "/service/"
  description = "Policy which allows phantom to read/write to the S3 bucket"
  policy      = data.aws_iam_policy_document.phantom_s3_policy_doc.json
}

data "aws_iam_policy_document" "phantom_s3_policy_doc" {
  statement {
    sid    = "GeneralBucketAccess"
    effect = "Allow"
    actions = [
      "s3:ListAllMyBuckets",
    ]
    resources = ["*"]
  }

  statement {
    sid    = "S3BucketAccess"
    effect = "Allow"
    actions = [
      "s3:GetLifecycleConfiguration",
      "s3:DeleteObjectVersion",
      "s3:ListBucketVersions",
      "s3:GetBucketLogging",
      "s3:RestoreObject",
      "s3:ListBucket",
      "s3:GetBucketVersioning",
      "s3:PutObject",
      "s3:GetObject",
      "s3:PutLifecycleConfiguration",
      "s3:GetBucketCORS",
      "s3:DeleteObject",
      "s3:GetBucketLocation",
      "s3:GetObjectVersion",
    ]
    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
    resources = [
      aws_s3_bucket.bucket.arn,
      "${aws_s3_bucket.bucket.arn}/*",
    ]
  }

  statement {
    sid    = "S3ReadOnlyBucketAccess"
    effect = "Allow"
    actions = [
      "s3:ListBucketVersions",
      "s3:ListBucket",
      "s3:GetBucketVersioning",
      "s3:GetObject",
      "s3:GetBucketCORS",
      "s3:GetBucketLocation",
      "s3:GetObjectVersion",
    ]
    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
    resources = [
      aws_s3_bucket.bucket.arn,
      "${aws_s3_bucket.bucket.arn}/*",
    ]
  }

  statement {
    sid    = "KMSKeyAccess"
    effect = "Allow"
    actions = [
      "kms:Decrypt",
      "kms:GenerateDataKeyWithoutPlaintext",
      "kms:Verify",
      "kms:GenerateDataKeyPairWithoutPlaintext",
      "kms:GenerateDataKeyPair",
      "kms:ReEncryptFrom",
      "kms:Encrypt",
      "kms:GenerateDataKey",
      "kms:ReEncryptTo",
      "kms:Sign",
    ]
    resources = [aws_kms_key.bucketkey.arn]
  }
}