123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152 |
- module "instance_profile" {
- source = "../../submodules/iam/base_instance_profile"
- prefix = "vault"
- aws_partition = var.aws_partition
- aws_account_id = var.aws_account_id
- }
- #resource "aws_iam_instance_profile" "vault_instance_profile" {
- # name = "vault-instance-profile"
- # role = aws_iam_role.vault.name
- #}
- #
- #resource "aws_iam_role" "vault" {
- # name = "vault-instance-role"
- #
- # assume_role_policy = <<EOF
- #{
- # "Version": "2012-10-17",
- # "Statement": [
- # {
- # "Sid": "",
- # "Effect": "Allow",
- # "Principal": {
- # "Service": [
- # "ec2.amazonaws.com",
- # "ssm.amazonaws.com"
- # ]
- # },
- # "Action": "sts:AssumeRole"
- # }
- # ]
- # }
- #EOF
- #}
- #-------------------------------
- # KMS Policy
- #-------------------------------
- data "aws_iam_policy_document" "vault_kms_key_policy" {
- statement {
- sid = "KMSAutoUnseal"
- effect = "Allow"
- actions = [
- "kms:Encrypt",
- "kms:Decrypt",
- "kms:DescribeKey",
- ]
- resources = [
- aws_kms_key.vault.arn,
- ]
- }
- statement {
- sid = "Tags"
- effect = "Allow"
- actions = [
- "ec2:DescribeTags",
- "ec2:DescribeInstances"
- ]
- resources = [
- "*"
- ]
- }
- }
- resource "aws_iam_policy" "vault_kms_key_policy" {
- name = "vault_kms"
- path = "/"
- policy = data.aws_iam_policy_document.vault_kms_key_policy.json
- }
- resource "aws_iam_role_policy_attachment" "vault_kms" {
- role = module.instance_profile.role_id
- policy_arn = aws_iam_policy.vault_kms_key_policy.arn
- }
- #------------------------------
- # DynamoDB
- #------------------------------
- data "aws_iam_policy_document" "vault_dynamodb_policy" {
- statement {
- sid = "AllowVaultCommunicationtoDynamoDB"
- effect = "Allow"
- actions = [
- "dynamodb:DescribeLimits",
- "dynamodb:DescribeTimeToLive",
- "dynamodb:ListTagsOfResource",
- "dynamodb:DescribeReservedCapacityOfferings",
- "dynamodb:DescribeReservedCapacity",
- "dynamodb:ListTables",
- "dynamodb:BatchGetItem",
- "dynamodb:BatchWriteItem",
- "dynamodb:CreateTable",
- "dynamodb:DeleteItem",
- "dynamodb:GetItem",
- "dynamodb:GetRecords",
- "dynamodb:PutItem",
- "dynamodb:Query",
- "dynamodb:UpdateItem",
- "dynamodb:Scan",
- "dynamodb:DescribeTable",
- ]
- resources = [aws_dynamodb_table.vault.arn]
- }
- }
- resource "aws_iam_policy" "vault_dynamodb_policy" {
- name = "vault_dynamodb"
- path = "/"
- policy = data.aws_iam_policy_document.vault_dynamodb_policy.json
- }
- resource "aws_iam_role_policy_attachment" "vault_dynamodb" {
- role = module.instance_profile.role_id
- policy_arn = aws_iam_policy.vault_dynamodb_policy.arn
- }
- # ---------------------------------------------------------------------------------------------------------------------
- # IAM Policy for EC2 AppRole Authentication
- # ---------------------------------------------------------------------------------------------------------------------
- data "aws_iam_policy_document" "vault_approle" {
- statement {
- sid = "AllowVaultIAMMetaData"
- effect = "Allow"
- actions = [
- "iam:GetInstanceProfile",
- "iam:GetRole"
- ]
- # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
- resources = ["*"]
- }
- }
- resource "aws_iam_policy" "vault_approle_policy" {
- name = "vault_approle"
- path = "/"
- policy = data.aws_iam_policy_document.vault_approle.json
- }
- resource "aws_iam_role_policy_attachment" "vault_approle" {
- role = module.instance_profile.role_id
- policy_arn = aws_iam_policy.vault_approle_policy.arn
- }