Sākums Izpētīt Palīdzība
Reģistrēties Pierakstīties
AFS
/
xdr-terraform-modules
2
0
Atdalīts 0
Faili Problēmas 0 Izmaiņu pieprasījumi 0 Vikivietne
Koks: 415a177371
Atzari Tagi
xdr-terraform-m...
/
base
/
salt_master
/
iam.tf

iam.tf 2.2 KB
Vēsture Neapstrādāts

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485 
  1. #############################
    2. 

  2. # Salt Master instance profile
    3. 

  3. #
    4. 

  4. # Salt Master got needs for some sweet sweet passwords
    5. 

  5. 

  6. resource "aws_iam_instance_profile" "salt_master_instance_profile" {
    7. 

  7.   name     = "salt-master-instance-profile"
    8. 

  8.   role     = aws_iam_role.salt_master_instance_role.name
    9. 

  9. }
    10. 

  10. 

  11. resource "aws_iam_role" "salt_master_instance_role" {
    12. 

  12.   name     = "salt-master-instance-role"
    13. 

  13.   assume_role_policy = <<EOF
    14. 

  14. {   
    15. 

  15.     "Version": "2012-10-17",
    16. 

  16.     "Statement": [
    17. 

  17.       {   
    18. 

  18.         "Sid": "", 
    19. 

  19.         "Effect": "Allow",
    20. 

  20.         "Principal": {
    21. 

  21.           "Service": [
    22. 

  22.             "ec2.amazonaws.com",
    23. 

  23.             "ssm.amazonaws.com"
    24. 

  24.             ]
    25. 

  25.         },
    26. 

  26.         "Action": "sts:AssumeRole"
    27. 

  27.       }
    28. 

  28.     ]
    29. 

  29.   }
    30. 

  30. EOF
    31. 

  31. }
    32. 

  32. 

  33. data "aws_iam_policy_document" "salt_master_policy_doc" {
    34. 

  34.   statement {
    35. 

  35.     sid    = "AllowSaltSecretsCommunication"
    36. 

  36.     effect = "Allow"
    37. 

  37. 

  38.     actions = [
    39. 

  39.       "secretsmanager:GetResourcePolicy",
    40. 

  40.       "secretsmanager:GetSecretValue",
    41. 

  41.       "secretsmanager:DescribeSecret",
    42. 

  42.       "secretsmanager:ListSecretVersionIds"
    43. 

  43.     ]
    44. 

  44. 

  45.     resources = [
    46. 

  46.       "arn:${var.aws_partition}:secretsmanager:*:*:secret:saltmaster/*"
    47. 

  47.     ]
    48. 

  48.   }
    49. 

  49. 

  50.   statement {
    51. 

  51.     sid    = "AllowAssumeRole"
    52. 

  52.     effect = "Allow"
    53. 

  53. 

  54.     actions = [
    55. 

  55.       "sts:AssumeRole"
    56. 

  56.     ]
    57. 

  57. 

  58.     resources = [
    59. 

  59.       "arn:${var.aws_partition}:iam::*:role/service/salt-master-inventory-role"
    60. 

  60.     ]
    61. 

  61.   }
    62. 

  62. }
    63. 

  63. 

  64. resource "aws_iam_policy" "salt_master_policy" {
    65. 

  65.   name        = "salt_master_sm"
    66. 

  66.   path        = "/"
    67. 

  67.   policy      = data.aws_iam_policy_document.salt_master_policy_doc.json
    68. 

  68. }
    69. 

  69. 

  70. resource "aws_iam_role_policy_attachment" "salt_master_sm_attach" {
    71. 

  71.   role       = aws_iam_role.salt_master_instance_role.name
    72. 

  72.   policy_arn = aws_iam_policy.salt_master_policy.arn
    73. 

  73. }
    74. 

  74. 

  75. resource "aws_iam_role_policy_attachment" "salt_master_AmazonEC2RoleforSSM" {
    76. 

  76.   role       = aws_iam_role.salt_master_instance_role.name
    77. 

  77.   policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
    78. 

  78. 

  79. }
    80. 

  80. 

  81. #This policy needs to be create prior to creating the Salt Master
    82. 

  82. resource "aws_iam_role_policy_attachment" "salt_master_policy_attach" {
    83. 

  83.   role       = aws_iam_role.salt_master_instance_role.name
    84. 

  84.   policy_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:policy/launchroles/default_instance_tag_read"
    85. 

  85. }
    86.