12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970 |
- # VMRay gets access to read/write to its backup bucket and use its s3 key
- module "instance_profile" {
- source = "../../submodules/iam/base_instance_profile"
- prefix = "xdr-vmray"
- aws_partition = var.aws_partition
- aws_account_id = var.aws_account_id
- }
- // S3 is used for backups
- data "aws_iam_policy_document" "policy_auth_s3" {
- statement {
- sid = ""
- effect = "Allow"
- resources = [aws_s3_bucket.storage.arn]
- actions = [
- "s3:ListBucket",
- "s3:ListBucketVersions",
- ]
- }
- statement {
- sid = ""
- effect = "Allow"
- resources = ["${aws_s3_bucket.storage.arn}/*"]
- actions = [
- "s3:PutObject",
- "s3:GetObject",
- "s3:GetObjectVersion",
- ]
- }
- }
- resource "aws_iam_policy" "auth_s3" {
- name = "xdr-vmray-auth-s3"
- policy = data.aws_iam_policy_document.policy_auth_s3.json
- }
- resource "aws_iam_role_policy_attachment" "attach_auth_s3" {
- role = module.instance_profile.role_id
- policy_arn = aws_iam_policy.auth_s3.arn
- }
- // Allow use of the key
- data "aws_iam_policy_document" "policy_kms" {
- statement {
- sid = "AllowKMSUse"
- effect = "Allow"
- resources = [aws_kms_key.s3.arn]
- actions = [
- "kms:Encrypt",
- "kms:Decrypt",
- "kms:ReEncrypt*",
- "kms:GenerateDataKey*",
- "kms:DescribeKey"
- ]
- }
- }
- resource "aws_iam_policy" "auth_kms" {
- name = "xdr-vmray-kms"
- policy = data.aws_iam_policy_document.policy_kms.json
- }
- resource "aws_iam_role_policy_attachment" "attach_kms" {
- role = module.instance_profile.role_id
- policy_arn = aws_iam_policy.auth_kms.arn
- }