Domů Procházet Nápověda
Registrovat se Přihlásit se
AFS
/
xdr-terraform-modules
2
0
Rozštěpit 0
Soubory Úkoly 0 Pull Requesty 0 Wiki
Strom: 5582348da1
Větve Značky
xdr-terraform-m...
/
base
/
splunk_servers
/
searchhead
/
iam_moose_sh_instance_profile.tf

iam_moose_sh_instance_profile.tf 2.0 KB
Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869 
  1. module "moose_instance_profile" {
    2. 

  2.   count    = local.is_moose ? 1 : 0
    3. 

  3.   source = "../../../submodules/iam/base_instance_profile"
    4. 

  4.   prefix = "moose-splunk-sh"
    5. 

  5.   aws_partition = var.aws_partition
    6. 

  6.   aws_account_id = var.aws_account_id
    7. 

  7. }
    8. 

  8. 

  9. data "aws_iam_policy_document" "moose_splunk_sh_policy_doc" {
    10. 

  10.   count    = local.is_moose ? 1 : 0
    11. 

  11. 

  12.   # Moose splunk SH can assumerole into the C2 and mdr-prod-root-ca accounts to run the ACM audit report
    13. 

  13.   statement {
    14. 

  14.     sid    = "AllowAssumeRole"
    15. 

  15.     effect = "Allow"
    16. 

  16. 

  17.     actions = [
    18. 

  18.       "sts:AssumeRole"
    19. 

  19.     ]
    20. 

  20. 

  21.     resources = [
    22. 

  22.       "arn:${var.aws_partition}:iam::*:role/service/run_audit_report_role",
    23. 

  23.       "arn:${ var.aws_partition }:iam::${ var.aws_account_id }:role/service/splunk_apps_s3"
    24. 

  24.     ]
    25. 

  25.   }
    26. 

  26. 

  27.   # Moose splunk SH can grab the ACM audit reports
    28. 

  28.   statement {
    29. 

  29.     sid       = ""
    30. 

  30.     effect    = "Allow"
    31. 

  31.     resources = ["arn:${var.aws_partition}:s3:::xdr-ca-audit-reports"]
    32. 

  32. 

  33.     actions = [
    34. 

  34.       "s3:ListBucket",
    35. 

  35.       "s3:ListBucketVersions",
    36. 

  36.     ]
    37. 

  37.   }
    38. 

  38. 

  39.   statement {
    40. 

  40.     sid       = ""
    41. 

  41.     effect    = "Allow"
    42. 

  42.     resources = ["arn:${var.aws_partition}:s3:::xdr-ca-audit-reports/*"]
    43. 

  43. 

  44.     actions = [
    45. 

  45.       "s3:GetObject",
    46. 

  46.       "s3:GetObjectVersion",
    47. 

  47.     ]
    48. 

  48.   }
    49. 

  49. }
    50. 

  50. 

  51. resource "aws_iam_policy" "moose_splunk_sh_policy" {
    52. 

  52.   count    = local.is_moose ? 1 : 0
    53. 

  53.   name        = "moose_splunk_sh"
    54. 

  54.   path        = "/"
    55. 

  55.   policy      = data.aws_iam_policy_document.moose_splunk_sh_policy_doc[count.index].json
    56. 

  56. }
    57. 

  57. 

  58. resource "aws_iam_role_policy_attachment" "moose_splunk_sh_attach" {
    59. 

  59.   count    = local.is_moose ? 1 : 0
    60. 

  60.   role       = module.moose_instance_profile[count.index].role_id
    61. 

  61.   policy_arn = aws_iam_policy.moose_splunk_sh_policy[count.index].arn
    62. 

  62. }
    63. 

  63. 

  64. #This policy needs to be create prior to creating the Salt Master
    65. 

  65. resource "aws_iam_role_policy_attachment" "moose_splunk_sh_policy_attach_binaries" {
    66. 

  66.   count    = local.is_moose ? 1 : 0
    67. 

  67.   role       = module.moose_instance_profile[count.index].role_id
    68. 

  68.   policy_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:policy/launchroles/default_instance_s3_binaries"
    69. 

  69. }
    70.