AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121
							#############################
# Indexer instance profile
#
# Includes policies for the indexers:
#  * Same policies as the default instance profile
resource "aws_iam_instance_profile" "indexer_instance_profile" {
  name = "xdr-indexer-instance-profile"
  path = "/instance/"
  role = aws_iam_role.indexer_instance_role.name
}

resource "aws_iam_role"  "indexer_instance_role" {
  name = "xdr-indexer-instance-role"
  path = "/instance/"
  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "ec2.amazonaws.com",
            "ssm.amazonaws.com"
            ]
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
EOF
}

# These 3 are the default profile attachments:
resource "aws_iam_role_policy_attachment" "indexer_instance_AmazonEC2RoleforSSM" {
  role       = aws_iam_role.indexer_instance_role.name
  policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
}

resource "aws_iam_role_policy_attachment" "indexer_instance_default_policy_attach" {
  role       = aws_iam_role.indexer_instance_role.name
  policy_arn = "arn:${ var.aws_partition }:iam::${ var.aws_account_id }:policy/launchroles/default_instance_tag_read"
}

resource "aws_iam_role_policy_attachment" "indexer_instance_cloudwatch_policy_attach" {
  role       = aws_iam_role.indexer_instance_role.name
  policy_arn = "arn:${ var.aws_partition }:iam::${ var.aws_account_id }:policy/cloudwatch_events"
}

# Indexer Specific Policy
resource "aws_iam_policy" "indexer_instance_policy" {
  name        = "indexer_instance_policy"
  path        = "/launchroles/"
  description = "This policy allows indexer-specific functions"
  policy      = data.aws_iam_policy_document.indexer_instance_policy_doc.json
}

data "aws_iam_policy_document" "indexer_instance_policy_doc" {
  # Allow copying to S3 for frozen
  # Allow use of S3 for SmartStore
  statement {
    sid = "GeneralBucketAccess"
    effect = "Allow"
    actions = [
      "s3:ListAllMyBuckets",
      "s3:HeadBucket",
    ]
    resources = [ "*" ]
  }

  statement {
    sid = "S3BucketAccess"
    effect = "Allow"
    actions = [
      "s3:GetLifecycleConfiguration",
      "s3:DeleteObjectVersion",
      "s3:ListBucketVersions",
      "s3:GetBucketLogging",
      "s3:RestoreObject",
      "s3:ListBuckets",
      "s3:GetBucketVersioning",
      "s3:PutObject",
      "s3:GetObject",
      "s3:PutLifecycleConfiguration",
      "s3:GetBucketCORS",
      "s3:DeleteObject",
      "s3:GetBucketLocation",
      "s3:GetObjectVersion",
    ]
    resources = [ 
      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-frozen",
      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-frozen/*",
      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-smartstore",
      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-smartstore/*",
    ]
  }

  statement {
    sid = "KMSKeyAccess"
    effect = "Allow"
    actions = [
      "kms:Decrypt",
      "kms:GenerateDataKeyWithoutPlaintext",
      "kms:Verify",
      "kms:GenerateDataKeyPairWithoutPlaintext",
      "kms:GenerateDataKeyPair",
      "kms:ReEncryptFrom",
      "kms:Encrypt",
      "kms:GenerateDataKey",
      "kms:ReEncryptTo",
      "kms:Sign",
    ]
    resources = [ "*" ]
  }      
}

resource "aws_iam_role_policy_attachment" "indexer_instance_policy_attach" {
  role       = aws_iam_role.indexer_instance_role.name
  policy_arn = aws_iam_policy.indexer_instance_policy.arn
}