AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135
							locals {
  registries = [
    "portal_server",
    "django_nginx",
  ]
}

data "aws_vpc_endpoint_service" "ecr_api_endpoint" {
  service = "ecr.api"
}

data "aws_vpc_endpoint_service" "ecr_dkr_endpoint" {
  service = "ecr.dkr"
}

resource "aws_iam_instance_profile" "portal_server_instance_profile" {
  name = "portal_server-instance-profile"
  role = aws_iam_role.portal_server.name
}

resource "aws_iam_role" "portal_server" {
  name = "portal-instance-role"

  assume_role_policy = <<EOF
{   
    "Version": "2012-10-17",
    "Statement": [
      {   
        "Sid": "", 
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "ec2.amazonaws.com",
            "ssm.amazonaws.com"
            ]
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
EOF
}

data "aws_iam_policy_document" "portal_server_ecr_policy" {
  statement {
    actions = [
      "ecr:GetAuthorizationToken",
    ]

    resources = ["*"]
  }

  statement {
    sid    = "AllowCommunicationECR"
    effect = "Allow"

    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:GetRepositoryPolicy",
      "ecr:DescribeRepositories",
      "ecr:ListImages",
      "ecr:DescribeImages",
      "ecr:BatchGetImage",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload",
      "ecr:PutImage"
    ]

    resources = [
      "arn:${var.aws_partition}:ecr:${var.aws_region}:${var.common_services_account}:repository/portal_server",
      "arn:${var.aws_partition}:ecr:${var.aws_region}:${var.common_services_account}:repository/django_nginx"
    ]
  }

  statement {
    sid    = "Tags"
    effect = "Allow"

    actions = [
      "ec2:DescribeTags",
      "ec2:DescribeInstances"
    ]
    resources = [
      "*"
    ]
  }
}

resource "aws_iam_policy" "portal_server_ecr_policy" {
  name   = "portal_server_ecr"
  path   = "/"
  policy = data.aws_iam_policy_document.portal_server_ecr_policy.json
}

resource "aws_iam_role_policy_attachment" "portal_server_ecr" {
  role       = aws_iam_role.portal_server.name
  policy_arn = aws_iam_policy.portal_server_ecr_policy.arn
}

data "aws_iam_policy" "default_instance_policy_s3_binaries" {
  name        = "default_instance_s3_binaries"
  path_prefix = "/launchroles/"
}

resource "aws_iam_role_policy_attachment" "portal_server_s3_binaries" {
  role       = aws_iam_role.portal_server.name
  policy_arn = data.aws_iam_policy.default_instance_policy_s3_binaries.arn
}

# Assume Role Policy -- Needed for S3 Bucket Access in Cross-Accounts
data "aws_iam_policy_document" "portal_server_assumerole" {
  statement {
    actions = [
      "sts:AssumeRole"
    ]

    resources = [
      "arn:${var.aws_partition}:iam::*:role/service/xdr-${var.environment}-portal-shared-artifacts",
      "arn:${var.aws_partition}:iam::*:role/service/xdr-${var.environment}-*-portal-customer-artifacts",
    ]
  }
}

resource "aws_iam_policy" "portal_server_assumerole_policy" {
  name   = "portal_server_assumerole"
  path   = "/launchroles/"
  policy = data.aws_iam_policy_document.portal_server_assumerole.json
}

resource "aws_iam_role_policy_attachment" "portal_server_assumerole" {
  role       = aws_iam_role.portal_server.name
  policy_arn = aws_iam_policy.portal_server_assumerole_policy.arn
}