1234567891011121314151617181920212223242526272829303132333435363738394041424344454647 |
- # Creates an IAM role so that splunk can trigger creation of audit reports
- resource "aws_iam_role" "run_audit_report_role" {
- provider = aws.common # COMMON SERVICES
- name = "run_audit_report_role"
- path = "/service/"
- assume_role_policy = jsonencode(
- {
- "Version" : "2012-10-17",
- "Statement" : [
- {
- "Effect" : "Allow",
- "Principal" : {
- "AWS" : "arn:${var.aws_partition}:iam::${var.c2_accounts[var.aws_partition]}:role/instance/moose-splunk-sh-instance-role"
- },
- "Action" : "sts:AssumeRole"
- }
- ]
- })
- tags = merge(local.standard_tags, var.tags)
- }
- data "aws_iam_policy_document" "run_audit_report_policy_doc" {
- statement {
- sid = ""
- effect = "Allow"
- resources = ["*"]
- actions = [
- "acm-pca:CreateCertificateAuthorityAuditReport"
- ]
- }
- }
- resource "aws_iam_policy" "run_audit_report_policy" {
- provider = aws.common # COMMON SERVICES
- name = "run_audit_report_policy"
- path = "/"
- policy = data.aws_iam_policy_document.run_audit_report_policy_doc.json
- }
- resource "aws_iam_role_policy_attachment" "run_audit_report_policy_attach" {
- provider = aws.common # COMMON SERVICES
- role = aws_iam_role.run_audit_report_role.name
- policy_arn = aws_iam_policy.run_audit_report_policy.arn
- }