| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495 |
- module "instance_profile" {
- source = "../../submodules/iam/base_instance_profile"
- prefix = "xdr-phantom"
- aws_partition = var.aws_partition
- aws_account_id = var.aws_account_id
- }
- # Phantom Specific Policy
- #resource "aws_iam_policy" "phantom_instance_policy" {
- # name = "phantom_instance_policy"
- # path = "/launchroles/"
- # description = "This policy allows phantom-specific functions"
- # policy = data.aws_iam_policy_document.phantom_instance_policy_doc.json
- #}
- #
- #data "aws_iam_policy_document" "phantom_instance_policy_doc" {
- # # Allow copying to S3 for frozen
- # # Allow use of S3 for SmartStore
- # statement {
- # sid = "GeneralBucketAccess"
- # effect = "Allow"
- # actions = [
- # "s3:ListAllMyBuckets",
- # ]
- # resources = [ "*" ]
- # }
- #
- # statement {
- # sid = "S3BucketAccess"
- # effect = "Allow"
- # actions = [
- # "s3:GetLifecycleConfiguration",
- # "s3:DeleteObjectVersion",
- # "s3:ListBucketVersions",
- # "s3:GetBucketLogging",
- # "s3:RestoreObject",
- # "s3:ListBucket",
- # "s3:GetBucketVersioning",
- # "s3:PutObject",
- # "s3:GetObject",
- # "s3:PutLifecycleConfiguration",
- # "s3:GetBucketCORS",
- # "s3:DeleteObject",
- # "s3:GetBucketLocation",
- # "s3:GetObjectVersion",
- # ]
- # resources = [
- # "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-frozen",
- # "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-frozen/*",
- # "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-smartstore",
- # "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-smartstore/*",
- # ]
- # }
- #
- # statement {
- # sid = "S3ReadOnlyBucketAccess"
- # effect = "Allow"
- # actions = [
- # "s3:ListBucketVersions",
- # "s3:ListBucket",
- # "s3:GetBucketVersioning",
- # "s3:GetObject",
- # "s3:GetBucketCORS",
- # "s3:GetBucketLocation",
- # "s3:GetObjectVersion",
- # ]
- # resources = [
- # "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-apps",
- # "arn:${ var.aws_partition }:s3:::xdr-${ var.prefix }-${ var.environment }-splunk-apps/*",
- # ]
- # }
- #
- # statement {
- # sid = "KMSKeyAccess"
- # effect = "Allow"
- # actions = [
- # "kms:Decrypt",
- # "kms:GenerateDataKeyWithoutPlaintext",
- # "kms:Verify",
- # "kms:GenerateDataKeyPairWithoutPlaintext",
- # "kms:GenerateDataKeyPair",
- # "kms:ReEncryptFrom",
- # "kms:Encrypt",
- # "kms:GenerateDataKey",
- # "kms:ReEncryptTo",
- # "kms:Sign",
- # ]
- # resources = [ "*" ]
- # }
- #}
- #
- #resource "aws_iam_role_policy_attachment" "phantom_instance_policy_attach" {
- # role = module.instance_profile.role_id
- # policy_arn = aws_iam_policy.phantom_instance_policy.arn
- #}
|
