xdr-terraform-modules/base/CA_Infrastructure/subordinate_CAs/iam_splunk_sh.tf

# Creates an IAM role so that splunk can trigger creation of audit reports
resource "aws_iam_role" "run_audit_report_role" {
  provider = aws.common # COMMON SERVICES
  name     = "run_audit_report_role"
  path     = "/service/"

  assume_role_policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Principal" : {
            "AWS" : "arn:${var.aws_partition}:iam::${var.c2_accounts[var.aws_partition]}:role/instance/moose-splunk-sh-instance-role"
          },
          "Action" : "sts:AssumeRole"
        }
      ]
  })

  tags = merge(local.standard_tags, var.tags)
}

# tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
data "aws_iam_policy_document" "run_audit_report_policy_doc" {
	# checkov:skip=CKV_AWS_111: see tfsec aws-iam-no-policy-wildcard ignore comment
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "acm-pca:CreateCertificateAuthorityAuditReport"
    ]
  }
}

resource "aws_iam_policy" "run_audit_report_policy" {
  provider = aws.common # COMMON SERVICES
  name     = "run_audit_report_policy"
  path     = "/"
  policy   = data.aws_iam_policy_document.run_audit_report_policy_doc.json
}

resource "aws_iam_role_policy_attachment" "run_audit_report_policy_attach" {
  provider   = aws.common # COMMON SERVICES
  role       = aws_iam_role.run_audit_report_role.name
  policy_arn = aws_iam_policy.run_audit_report_policy.arn
}