AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129
							locals {
  account_arns = [
    for account in var.account_list:
      "arn:${var.aws_partition}:iam::${account}:root"
  ]
  terraformer_arns = [
    for account in var.account_list:
      "arn:${var.aws_partition}:iam::${account}:role/user/mdr_terraformer"
  ]

  all_keys = concat([ module.shared_ami_key.key_arn ], var.vmimport_extra_keys)

  buckets = [
    for bucket in concat([ aws_s3_bucket.xdr-shared-amis.arn ], var.vmimport_extra_buckets):
      bucket
  ]
  bucket_contents = [
    for bucket in concat([ aws_s3_bucket.xdr-shared-amis.arn ], var.vmimport_extra_buckets):
      "${bucket}/*"
  ]
  bucket_resources = concat(local.buckets, local.bucket_contents)
}

output other {
  value = local.account_arns
}

module "shared_ami_key" {
  source = "../../submodules/kms/ami-key"

  name = "shared_ami_key"
  alias = "alias/shared_ami_key"
  description = "Key for encrypting the AMIs to be shared with other accounts."
  tags = merge(var.standard_tags, var.tags)
  key_admin_arns = [ ]
  key_user_arns = [ ]
  #key_attacher_arns = local.account_arns
  key_attacher_arns = local.terraformer_arns
  #key_attacher_arns = [ ]
  standard_tags = var.standard_tags
  aws_account_id = var.aws_account_id
  aws_partition = var.aws_partition
  remote_account_arns = local.account_arns
}

resource "aws_s3_bucket" "xdr-shared-amis" {
  bucket = var.ami_bucket_name
  acl  = "private"
  tags = merge(var.standard_tags, var.tags)

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = module.shared_ami_key.key_arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

resource "aws_iam_role" "vmimport" {
  name = "vmimport"
  description = "Required role for importing AMIs from S3"
  assume_role_policy = <<EOF
{
   "Version": "2012-10-17",
   "Statement": [
    {
     "Effect": "Allow",
     "Principal": { "Service": "vmie.amazonaws.com" },
     "Action": "sts:AssumeRole",
     "Condition": {
      "StringEquals":{
         "sts:Externalid": "vmimport"
      }
     }
    }
   ]
}
EOF
}

resource "aws_iam_role_policy" "vmimport" {
  name = "vmimport"
  role = aws_iam_role.vmimport.id
  policy = <<EOF
{
  "Version":"2012-10-17",
  "Statement": [
    {
     "Sid": "AllowAccesstoImportsBucket", 
     "Effect": "Allow",
     "Action": [
      "s3:GetBucketLocation",
      "s3:GetObject",
      "s3:GetBucketAcl",
      "s3:ListBucket", 
      "s3:PutObject"
     ],
     "Resource": ${jsonencode(local.bucket_resources)}
    },
    {
      "Sid": "AllowAccesstodoImportExportActions",
      "Effect": "Allow",
      "Action": [
        "ec2:ModifySnapshotAttribute",
        "ec2:CopySnapshot",
        "ec2:RegisterImage",
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAccesstotheKMSkey",
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:ReEncrypt*"
      ],
      "Resource": ${jsonencode(local.all_keys)}
    }
  ]
}
EOF
}