Ana Sayfa Keşfet Yardım
Üye Ol Giriş Yap
AFS
/
xdr-terraform-modules
2
0
Çatalla 0
Dosyalar Sorunlar 0 Değişiklik İstekleri 0 Wiki
Ağaç: 82b8d76a53
Dallar Biçim İmleri
xdr-terraform-m...
/
base
/
customer_portal_lambda
/
iam.tf

iam.tf 1.8 KB
Geçmiş Ham

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475 
  1. # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. We use wildcards in policies
    2. 

  2. data "aws_iam_policy_document" "policy_portal_data_sync_lambda" {
    3. 

  3. 	# checkov:skip=CKV_AWS_111: see tfsec aws-iam-no-policy-wildcard ignore comment
    4. 

  4.   statement {
    5. 

  5.     effect  = "Allow"
    6. 

  6.     actions = [
    7. 

  7.       "ec2:CreateNetworkInterface",
    8. 

  8.       "logs:CreateLogStream",
    9. 

  9.       "ec2:DescribeNetworkInterfaces",
    10. 

  10.       "logs:DescribeLogStreams",
    11. 

  11.       "ec2:DeleteNetworkInterface",
    12. 

  12.       "logs:PutRetentionPolicy",
    13. 

  13.       "logs:CreateLogGroup",
    14. 

  14.       "logs:PutLogEvents",
    15. 

  15.       "sqs:ListQueues"
    16. 

  16.     ]
    17. 

  17.     resources = ["*"]
    18. 

  18.   }
    19. 

  19. 

  20.   # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. We use wildcards in policies
    21. 

  21.   statement {
    22. 

  22.     effect  = "Allow"
    23. 

  23.     actions = [
    24. 

  24.       "sqs:*",
    25. 

  25.     ]
    26. 

  26.     resources = [
    27. 

  27.       aws_sqs_queue.sqs_queue.arn,
    28. 

  28.       aws_sqs_queue.sqs_queue_dlq.arn
    29. 

  29.     ]
    30. 

  30.   }
    31. 

  31. 

  32.   statement {
    33. 

  33.     effect = "Allow"
    34. 

  34.     actions = [
    35. 

  35.       "kms:GenerateDataKey",
    36. 

  36.       "kms:Decrypt"
    37. 

  37.     ]
    38. 

  38.     resources = [
    39. 

  39.       aws_kms_key.sqs_key.arn
    40. 

  40.     ]
    41. 

  41.   }
    42. 

  42. }
    43. 

  43. 

  44. resource "aws_iam_policy" "policy_portal_data_sync_lambda" {
    45. 

  45.   name        = "policy_portal_data_sync_lambda"
    46. 

  46.   path        = "/"
    47. 

  47.   policy      = data.aws_iam_policy_document.policy_portal_data_sync_lambda.json
    48. 

  48.   description = "IAM policy for portal_data_sync_lambda"
    49. 

  49. }
    50. 

  50. 

  51. resource "aws_iam_role" "portal_lambda_role" {
    52. 

  52.   name               = "portal-data-sync-lambda-role"
    53. 

  53.   assume_role_policy = <<EOF
    54. 

  54. {
    55. 

  55. "Version": "2012-10-17",
    56. 

  56. "Statement": [
    57. 

  57.     { 
    58. 

  58.     "Sid": "",
    59. 

  59.     "Effect": "Allow",
    60. 

  60.     "Principal": {
    61. 

  61.         "Service": [
    62. 

  62.         "lambda.amazonaws.com"
    63. 

  63.         ]
    64. 

  64.     },
    65. 

  65.     "Action": "sts:AssumeRole"
    66. 

  66.     }
    67. 

  67. ]
    68. 

  68. }
    69. 

  69. EOF
    70. 

  70. }
    71. 

  71. 

  72. resource "aws_iam_role_policy_attachment" "lambda_role" {
    73. 

  73.   role       = aws_iam_role.portal_lambda_role.name
    74. 

  74.   policy_arn = aws_iam_policy.policy_portal_data_sync_lambda.arn
    75. 

  75. }
    76.