xdr-terraform-modules/base/account_standards/iam.tf

# IAM Roles in All Accounts


#############################
# Default instance profile
#
# Basic profile to allow basic things
resource "aws_iam_instance_profile" "default_instance_profile" {
  name = "msoc-default-instance-profile"
  role = aws_iam_role.default_instance_role.name
}

data "aws_iam_policy_document" "default_instance_role" {
  statement {
    sid     = "AssumeRoleAnywhere"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type = "Service"

      identifiers = [
        "ec2.amazonaws.com",
        "ssm.amazonaws.com",
      ]
    }
  }
}

resource "aws_iam_role" "default_instance_role" {
  name               = "msoc-default-instance-role"
  assume_role_policy = data.aws_iam_policy_document.default_instance_role.json
}

data "aws_iam_policy_document" "default_instance_policy_doc" {
  statement {
    effect  = "Allow"
    actions = [
      "ec2:DescribeTags"
    ]
    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. We use wildcards in policies
    resources = [
      "*"
    ]
  }
}

resource "aws_iam_policy" "default_instance_policy" {
  name        = "default_instance_tag_read"
  path        = "/launchroles/"
  description = "This policy allows a EC2 server to read tags"
  policy      = data.aws_iam_policy_document.default_instance_policy_doc.json
}

data "aws_iam_policy_document" "default_instance_policy_s3_binaries_doc" {
  statement {
    sid       = "AccessTheBucketItself"
    effect    = "Allow"
    resources = ["arn:${var.aws_partition}:s3:::${var.binaries_bucket}"]

    actions = [
      "s3:ListBucket",
      "s3:GetBucketLocation",
    ]
  }

  statement {
    sid       = "GetFromTheBucket"
    effect    = "Allow"
    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. We use wildcards in policies
    resources = ["arn:${var.aws_partition}:s3:::${var.binaries_bucket}/*"]

    actions = [
      "s3:GetObject",
      "s3:GetObjectAcl",
    ]
  }

  statement {
    sid    = "UseTheKey"
    effect = "Allow"
    resources = [
      "arn:${var.aws_partition}:kms:${var.aws_region}:${var.common_services_account}:${local.binaries_key}"
    ]
    actions = [
      "kms:Decrypt",
      "kms:DescribeKey"
    ]
  }
}

resource "aws_iam_policy" "default_instance_policy_s3_binaries" {
  name        = "default_instance_s3_binaries"
  path        = "/launchroles/"
  description = "This policy allows a EC2 server to read from the s3 binaries bucket"
  policy      = data.aws_iam_policy_document.default_instance_policy_s3_binaries_doc.json
}

resource "aws_iam_role_policy_attachment" "default_instance_AmazonEC2RoleforSSM" {
  role       = aws_iam_role.default_instance_role.name
  policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
}

resource "aws_iam_role_policy_attachment" "default_instance_default_policy_attach" {
  role       = aws_iam_role.default_instance_role.name
  policy_arn = aws_iam_policy.default_instance_policy.arn
}

resource "aws_iam_role_policy_attachment" "default_instance_s3_policy_attach" {
  role       = aws_iam_role.default_instance_role.name
  policy_arn = aws_iam_policy.default_instance_policy_s3_binaries.arn
}

resource "aws_iam_role_policy_attachment" "default_instance_cloudwatch_policy_attach" {
  role       = aws_iam_role.default_instance_role.name
  policy_arn = aws_iam_policy.cloudwatch_events.arn
}


##########################
# cloudwatch events
data "aws_iam_policy_document" "cloudwatch_events" {
	# checkov:skip=CKV_AWS_111: see tfsec ignore - we use wildcards
  statement {
    sid = "1"
    actions = [
      "events:PutRule"
    ]
    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. We use wildcards in policies
    resources = ["*"]
  }
}

resource "aws_iam_policy" "cloudwatch_events" {
  name        = "cloudwatch_events"
  description = "Creation of cloudwatch events"
  policy      = data.aws_iam_policy_document.cloudwatch_events.json
}

##########################
# dlm_lifecycle
#
# This is to setup the needed IAM role and premissions for the AWS feature Data Lifecycle Manager (DLM) lifecycle policy so we can have it do "backups" on our EBS
# Docs can be found here https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-lifecycle.html
# Chris Lynch 1/25/2019

resource "aws_iam_role" "dlm_lifecycle_role" {
  name = "dlm-lifecycle-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "dlm.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "dlm_lifecycle" {
  name   = "dlm-lifecycle-policy"
  role   = aws_iam_role.dlm_lifecycle_role.id
  policy = <<EOF
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "ec2:CreateSnapshot",
            "ec2:DeleteSnapshot",
            "ec2:DescribeVolumes",
            "ec2:DescribeSnapshots",
            "ec2:DescribeImages",
            "ec2:DescribeInstances",
            "ec2:DescribeImageAttribute"
         ],
         "Resource": "*"
      },
      {
         "Effect": "Allow",
         "Action": [
            "ec2:CreateTags"
         ],
         "Resource": [
           "arn:${var.aws_partition}:ec2:*::snapshot/*",
           "arn:${var.aws_partition}:ec2:*::image/*"
         ]
      },
      {
         "Effect": "Allow",
         "Action": "ec2:DeleteSnapshot",
         "Resource": "arn:${var.aws_partition}:ec2:*::snapshot/*"
      },
      {
         "Effect": "Allow",
         "Action": [
            "ec2:ResetImageAttribute",
            "ec2:DeregisterImage",
            "ec2:CreateImage",
            "ec2:CopyImage",
            "ec2:ModifyImageAttribute"
         ],
         "Resource": "*"
      },
      {
         "Effect": "Allow",
         "Action": [
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:Encrypt",
            "kms:DescribeKey",
            "kms:Decrypt",
            "kms:Create*"
         ],
         "Resource": "*"
      }
   ]
}
EOF
}

##########################
# moose
# 
# See https://docs.splunk.com/Documentation/AddOns/released/AWS/ConfigureAWSpermissions
locals {
  trusted_principals_govcloud = [
    "arn:${var.aws_partition}:iam::${local.c2_account}:role/instance/moose-hf",
    "arn:${var.aws_partition}:iam::${local.c2_account}:user/instance/moose-hf"
  ]
  trusted_principals_commercial = [
    "arn:${var.aws_partition}:iam::${var.legacy_account}:role/splunk-aws-instance-role",
    "arn:${var.aws_partition}:iam::${local.c2_account}:user/instance/moose-hf",
  ]
  trusted_principals = var.aws_partition == "aws" ? local.trusted_principals_commercial : local.trusted_principals_govcloud
}

data "aws_iam_policy_document" "splunk_addon_for_aws_assume_role" {
  statement {
    sid     = ""
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = local.trusted_principals
    }
  }
}

resource "aws_iam_role" "splunk_addon_for_aws" {
  name = "splunk-addon-for-aws"
  path = "/instance/"

  assume_role_policy = data.aws_iam_policy_document.splunk_addon_for_aws_assume_role.json
}

data "aws_iam_policy_document" "policy" {
  # checkov:skip=CKV_AWS_107: IAM policies does not allow credentials exposure for ECR
  # checkov:skip=CKV_AWS_108: no data exfiltration allowed; resource constraints implemented
  # checkov:skip=CKV_AWS_111: see tfsec aws-iam-no-policy-wildcard ignore comment
  # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]
    actions   = [
      "sqs:GetQueueAttributes",
      "sqs:ListQueues",
      "sqs:ReceiveMessage",
      "sqs:GetQueueUrl",
      "sqs:SendMessage",
      "sqs:DeleteMessage",
      "s3:ListBucket",
      "s3:GetObject",
      "s3:GetBucketLocation",
      "s3:ListAllMyBuckets",
      "s3:GetBucketTagging",
      "s3:GetAccelerateConfiguration",
      "s3:GetBucketLogging",
      "s3:GetLifecycleConfiguration",
      "s3:GetBucketCORS",
      "config:DeliverConfigSnapshot",
      "config:DescribeConfigRules",
      "config:DescribeConfigRuleEvaluationStatus",
      "config:GetComplianceDetailsByConfigRule",
      "config:GetComplianceSummaryByConfigRule",
      "iam:GetUser",
      "iam:ListUsers",
      "iam:GetAccountPasswordPolicy",
      "iam:ListAccessKeys",
      "iam:GetAccessKeyLastUsed",
      "autoscaling:Describe*",
      "cloudwatch:Describe*",
      "cloudwatch:Get*",
      "cloudwatch:List*",
      "sns:Get*",
      "sns:List*",
      "sns:Publish",
      "logs:DescribeLogGroups",
      "logs:DescribeLogStreams",
      "logs:GetLogEvents",
      "ec2:DescribeInstances",
      "ec2:DescribeReservedInstances",
      "ec2:DescribeSnapshots",
      "ec2:DescribeRegions",
      "ec2:DescribeKeyPairs",
      "ec2:DescribeNetworkAcls",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeSubnets",
      "ec2:DescribeVolumes",
      "ec2:DescribeVpcs",
      "ec2:DescribeImages",
      "ec2:DescribeAddresses",
      "lambda:ListFunctions",
      "rds:DescribeDBInstances",
      "cloudfront:ListDistributions",
      "elasticloadbalancing:DescribeLoadBalancers",
      "elasticloadbalancing:DescribeInstanceHealth",
      "elasticloadbalancing:DescribeTags",
      "elasticloadbalancing:DescribeTargetGroups",
      "elasticloadbalancing:DescribeTargetHealth",
      "elasticloadbalancing:DescribeListeners",
      "inspector:Describe*",
      "inspector:List*",
      "kinesis:Get*",
      "kinesis:DescribeStream",
      "kinesis:ListStreams",
      "kms:Decrypt",
      "sts:AssumeRole",
    ]
  }
}

resource "aws_iam_role_policy" "splunk_addon_for_aws" {
  name   = "splunk-addon-for-aws"
  role   = aws_iam_role.splunk_addon_for_aws.id
  policy = data.aws_iam_policy_document.policy.json
}

## Service Linked Role - For GitHub Runners and Others
resource "aws_iam_service_linked_role" "spot" {
  aws_service_name = "spot.amazonaws.com"
}