Sākums Izpētīt Palīdzība
Reģistrēties Pierakstīties
AFS
/
xdr-terraform-modules
2
0
Atdalīts 0
Faili Problēmas 0 Izmaiņu pieprasījumi 0 Vikivietne
Koks: 4ee9b9bff1
Atzari Tagi
xdr-terraform-m...
/
base
/
phantom
/
instance_profile.tf

instance_profile.tf 4.0 KB
Vēsture Neapstrādāts

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134 
  1. resource "aws_iam_instance_profile" "phantom_instance_profile" {
    2. 

  2.   name = "xdr-phantom-instance-profile"
    3. 

  3.   path = "/instance/"
    4. 

  4.   role = aws_iam_role.phantom_instance_role.name
    5. 

  5. }
    6. 

  6. 

  7. resource "aws_iam_role"  "phantom_instance_role" {
    8. 

  8.   name = "xdr-phantom-instance-role"
    9. 

  9.   path = "/instance/"
    10. 

  10.   assume_role_policy = <<EOF
    11. 

  11. {
    12. 

  12.     "Version": "2012-10-17",
    13. 

  13.     "Statement": [
    14. 

  14.       {
    15. 

  15.         "Sid": "",
    16. 

  16.         "Effect": "Allow",
    17. 

  17.         "Principal": {
    18. 

  18.           "Service": [
    19. 

  19.             "ec2.amazonaws.com",
    20. 

  20.             "ssm.amazonaws.com"
    21. 

  21.             ]
    22. 

  22.         },
    23. 

  23.         "Action": "sts:AssumeRole"
    24. 

  24.       }
    25. 

  25.     ]
    26. 

  26.   }
    27. 

  27. EOF
    28. 

  28. }
    29. 

  29. 

  30. # These 3 are the default profile attachments:
    31. 

  31. resource "aws_iam_role_policy_attachment" "phantom_instance_AmazonEC2RoleforSSM" {
    32. 

  32.   role       = aws_iam_role.phantom_instance_role.name
    33. 

  33.   policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
    34. 

  34. }
    35. 

  35. 

  36. resource "aws_iam_role_policy_attachment" "phantom_instance_default_policy_attach" {
    37. 

  37.   role       = aws_iam_role.phantom_instance_role.name
    38. 

  38.   policy_arn = "arn:${ var.aws_partition }:iam::${ var.aws_account_id }:policy/launchroles/default_instance_tag_read"
    39. 

  39. }
    40. 

  40. 

  41. resource "aws_iam_role_policy_attachment" "phantom_instance_cloudwatch_policy_attach" {
    42. 

  42.   role       = aws_iam_role.phantom_instance_role.name
    43. 

  43.   policy_arn = "arn:${ var.aws_partition }:iam::${ var.aws_account_id }:policy/cloudwatch_events"
    44. 

  44. }
    45. 

  45. 

  46. # Phantom Specific Policy
    47. 

  47. #resource "aws_iam_policy" "phantom_instance_policy" {
    48. 

  48. #  name        = "phantom_instance_policy"
    49. 

  49. #  path        = "/launchroles/"
    50. 

  50. #  description = "This policy allows phantom-specific functions"
    51. 

  51. #  policy      = data.aws_iam_policy_document.phantom_instance_policy_doc.json
    52. 

  52. #}
    53. 

  53. #
    54. 

  54. #data "aws_iam_policy_document" "phantom_instance_policy_doc" {
    55. 

  55. #  # Allow copying to S3 for frozen
    56. 

  56. #  # Allow use of S3 for SmartStore
    57. 

  57. #  statement {
    58. 

  58. #    sid = "GeneralBucketAccess"
    59. 

  59. #    effect = "Allow"
    60. 

  60. #    actions = [
    61. 

  61. #      "s3:ListAllMyBuckets",
    62. 

  62. #      "s3:HeadBucket",
    63. 

  63. #    ]
    64. 

  64. #    resources = [ "*" ]
    65. 

  65. #  }
    66. 

  66. #
    67. 

  67. #  statement {
    68. 

  68. #    sid = "S3BucketAccess"
    69. 

  69. #    effect = "Allow"
    70. 

  70. #    actions = [
    71. 

  71. #      "s3:GetLifecycleConfiguration",
    72. 

  72. #      "s3:DeleteObjectVersion",
    73. 

  73. #      "s3:ListBucketVersions",
    74. 

  74. #      "s3:GetBucketLogging",
    75. 

  75. #      "s3:RestoreObject",
    76. 

  76. #      "s3:ListBuckets",
    77. 

  77. #      "s3:GetBucketVersioning",
    78. 

  78. #      "s3:PutObject",
    79. 

  79. #      "s3:GetObject",
    80. 

  80. #      "s3:PutLifecycleConfiguration",
    81. 

  81. #      "s3:GetBucketCORS",
    82. 

  82. #      "s3:DeleteObject",
    83. 

  83. #      "s3:GetBucketLocation",
    84. 

  84. #      "s3:GetObjectVersion",
    85. 

  85. #    ]
    86. 

  86. #    resources = [ 
    87. 

  87. #      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-frozen",
    88. 

  88. #      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-frozen/*",
    89. 

  89. #      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-smartstore",
    90. 

  90. #      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-smartstore/*",
    91. 

  91. #    ]
    92. 

  92. #  }
    93. 

  93. #
    94. 

  94. #  statement {
    95. 

  95. #    sid = "S3ReadOnlyBucketAccess"
    96. 

  96. #    effect = "Allow"
    97. 

  97. #    actions = [
    98. 

  98. #      "s3:ListBucketVersions",
    99. 

  99. #      "s3:ListBuckets",
    100. 

  100. #      "s3:GetBucketVersioning",
    101. 

  101. #      "s3:GetObject",
    102. 

  102. #      "s3:GetBucketCORS",
    103. 

  103. #      "s3:GetBucketLocation",
    104. 

  104. #      "s3:GetObjectVersion",
    105. 

  105. #    ]
    106. 

  106. #    resources = [ 
    107. 

  107. #      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-apps",
    108. 

  108. #      "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-apps/*",
    109. 

  109. #    ]
    110. 

  110. #  }
    111. 

  111. #
    112. 

  112. #  statement {
    113. 

  113. #    sid = "KMSKeyAccess"
    114. 

  114. #    effect = "Allow"
    115. 

  115. #    actions = [
    116. 

  116. #      "kms:Decrypt",
    117. 

  117. #      "kms:GenerateDataKeyWithoutPlaintext",
    118. 

  118. #      "kms:Verify",
    119. 

  119. #      "kms:GenerateDataKeyPairWithoutPlaintext",
    120. 

  120. #      "kms:GenerateDataKeyPair",
    121. 

  121. #      "kms:ReEncryptFrom",
    122. 

  122. #      "kms:Encrypt",
    123. 

  123. #      "kms:GenerateDataKey",
    124. 

  124. #      "kms:ReEncryptTo",
    125. 

  125. #      "kms:Sign",
    126. 

  126. #    ]
    127. 

  127. #    resources = [ "*" ]
    128. 

  128. #  }      
    129. 

  129. #}
    130. 

  130. #
    131. 

  131. #resource "aws_iam_role_policy_attachment" "phantom_instance_policy_attach" {
    132. 

  132. #  role       = aws_iam_role.phantom_instance_role.name
    133. 

  133. #  policy_arn = aws_iam_policy.phantom_instance_policy.arn
    134. 

  134. #}
    135.