Начало Каталог Помощ
Регистрация Вход
AFS
/
xdr-terraform-modules
2
0
Разклонения 0
Файлове Задачи 0 Заявки за сливане 0 Уики
ИН на ревизия: 67c98b7677
Клонове Маркери
xdr-terraform-m...
/
submodules
/
iam
/
standard_iam_policies
/
policy-mdr_terraformer.tf

policy-mdr_terraformer.tf 2.8 KB
История Директен файл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475 
  1. #------------------------------------------------------------------------------------------
    2. 

  2. # A variant on PowerUserAccess that isn't so damn generous with sts:assumeRole
    3. 

  3. #------------------------------------------------------------------------------------------
    4. 

  4. data "aws_iam_policy_document" "mdr_terraformer" {
    5. 

  5.   statement {
    6. 

  6.     sid    = "AllowEverythingButAssumeRoleAndPassRole"
    7. 

  7.     effect = "Allow"
    8. 

  8.     not_actions = [
    9. 

  9.       "sts:AssumeRole",
    10. 

  10.       "iam:PassRole",
    11. 

  11.     ]
    12. 

  12.     resources = [
    13. 

  13.       "*"
    14. 

  14.     ]
    15. 

  15.   }
    16. 

  16.   statement {
    17. 

  17.     sid    = "AllowPassRoleForSpecificRoleTypes"
    18. 

  18.     effect = "Allow"
    19. 

  19.     actions = [
    20. 

  20.       "iam:PassRole",
    21. 

  21.     ]
    22. 

  22.     # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
    23. 

  23.     resources = [
    24. 

  24.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/instance/*",
    25. 

  25.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/lambda/*",
    26. 

  26.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/aws_services/*",
    27. 

  27.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/fargate/*",
    28. 

  28.     ]
    29. 

  29.   }
    30. 

  30. 

  31.   statement {
    32. 

  32.     sid    = "AllowPassRoleForLegacyAccountRoles"
    33. 

  33.     effect = "Allow"
    34. 

  34.     actions = [
    35. 

  35.       "iam:PassRole",
    36. 

  36.     ]
    37. 

  37. 

  38.     resources = [
    39. 

  39.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/vault-instance-role",
    40. 

  40.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/splunk-aws-instance-role",
    41. 

  41.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/salt-master-instance-role",
    42. 

  42.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/portal-instance-role",
    43. 

  43.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/portal-data-sync-lambda-role",
    44. 

  44.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/msoc-default-instance-role",
    45. 

  45.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/ecsFargateTaskExecutionRole",
    46. 

  46.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/dlm-lifecycle-role",
    47. 

  47.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/codebuild_role",
    48. 

  48.     ]
    49. 

  49.   }
    50. 

  50. 

  51.   statement {
    52. 

  52.     sid    = "AssumeThisRoleInOtherAccounts"
    53. 

  53.     effect = "Allow"
    54. 

  54.     actions = [
    55. 

  55.       "sts:AssumeRole"
    56. 

  56.     ]
    57. 

  57.     # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
    58. 

  58.     resources = [
    59. 

  59.       "arn:${local.aws_partition}:iam::*:role/user/mdr_terraformer",
    60. 

  60. 

  61.       # These two are the legacy roles in the older AWS accounts. 
    62. 

  62.       # Adding them in the hope we'll be able to get AssumeRole from
    63. 

  63.       # one central place to everything...
    64. 

  64.       "arn:${local.aws_partition}:iam::*:role/mdr_powerusers",
    65. 

  65.       "arn:${local.aws_partition}:iam::*:role/mdr_iam_admins",
    66. 

  66.     ]
    67. 

  67.   }
    68. 

  68. }
    69. 

  69. 

  70. resource "aws_iam_policy" "mdr_terraformer" {
    71. 

  71.   name   = "mdr_terraformer"
    72. 

  72.   path   = "/user/"
    73. 

  73.   policy = data.aws_iam_policy_document.mdr_terraformer.json
    74. 

  74. }
    75. 

  75.