AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128
							locals {
  account_arns = [
    for account in var.account_list:
      "arn:${var.aws_partition}:iam::${account}:root"
  ]
}

output other {
  value = local.account_arns
}

module "shared_ami_key" {
  source = "../../submodules/kms/ami-key"

  name = "shared_ami_key"
  alias = "alias/shared_ami_key"
  description = "Key for encrypting the AMIs to be shared with other accounts."
  tags = merge(var.standard_tags, var.tags)
  key_admin_arns = [ ]
  key_user_arns = [ ]
  #key_attacher_arns = local.account_arns
  key_attacher_arns = [ ]
  standard_tags = var.standard_tags
  aws_account_id = var.aws_account_id
  aws_partition = var.aws_partition
  remote_account_arns = local.account_arns
}

resource "aws_s3_bucket" "xdr-shared-amis" {
  bucket = var.ami_bucket_name
  acl  = "private"
  tags = merge(var.standard_tags, var.tags)

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = module.shared_ami_key.key_arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

resource "aws_iam_role" "vmimport" {
  name = "vmimport"
  description = "Required role for importing AMIs from S3"
  assume_role_policy = <<EOF
{
   "Version": "2012-10-17",
   "Statement": [
    {
     "Effect": "Allow",
     "Principal": { "Service": "vmie.amazonaws.com" },
     "Action": "sts:AssumeRole",
     "Condition": {
      "StringEquals":{
         "sts:Externalid": "vmimport"
      }
     }
    }
   ]
}
EOF
}

resource "aws_iam_role_policy" "vmimport" {
  name = "vmimport"
  role = aws_iam_role.vmimport.id
  policy = <<EOF
{
   "Version":"2012-10-17",
   "Statement":[
    {
     "Sid": "AllowAccesstoImportsBucket", 
     "Effect": "Allow",
     "Action": [
      "s3:GetBucketLocation",
      "s3:GetObject",
      "s3:ListBucket" 
     ],
     "Resource": [
      "${aws_s3_bucket.xdr-shared-amis.arn}",
      "${aws_s3_bucket.xdr-shared-amis.arn}/*"
     ]
    },
    {
     "Sid": "AllowAccesstoExportsBucket", 
     "Effect": "Allow",
     "Action": [
      "s3:GetBucketLocation",
      "s3:GetObject",
      "s3:ListBucket",
      "s3:PutObject",
      "s3:GetBucketAcl"
     ],
     "Resource": [
      "${aws_s3_bucket.xdr-shared-amis.arn}",
      "${aws_s3_bucket.xdr-shared-amis.arn}/*"
     ]
    },
    {
     "Sid": "AllowAccesstodoImportExportActions",
     "Effect": "Allow",
     "Action": [
      "ec2:ModifySnapshotAttribute",
      "ec2:CopySnapshot",
      "ec2:RegisterImage",
      "ec2:Describe*"
     ],
     "Resource": "*"
    },
    {
      "Sid": "AllowAccesstotheKMSkey",
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:ReEncrypt*"
      ],
      "Resource": "${module.shared_ami_key.key_arn}"
    }
   ]
}
EOF
}