Página Principal Explorar Ajuda
Registe-se Iniciar Sessão
AFS
/
xdr-terraform-modules
2
0
Fork 0
Ficheiros Problemas 0 Pull Requests 0 Wiki
Árvore: 82b8d76a53
Ramos Etiquetas
xdr-terraform-m...
/
base
/
splunk_servers
/
indexer_cluster
/
instance_profile_indexers.tf

instance_profile_indexers.tf 2.6 KB
Histórico Em bruto

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192 
  1. module "instance_profile" {
    2. 

  2.   source         = "../../../submodules/iam/base_instance_profile"
    3. 

  3.   prefix         = "xdr-idx"
    4. 

  4.   aws_partition  = var.aws_partition
    5. 

  5.   aws_account_id = var.aws_account_id
    6. 

  6. }
    7. 

  7. 

  8. # Indexer Specific Policy
    9. 

  9. resource "aws_iam_policy" "instance_policy_idx" {
    10. 

  10.   name        = "idx_instance_policy"
    11. 

  11.   path        = "/launchroles/"
    12. 

  12.   description = "This policy allows indexer-specific functions"
    13. 

  13.   policy      = data.aws_iam_policy_document.instance_policy_doc_idx.json
    14. 

  14. }
    15. 

  15. 

  16. data "aws_iam_policy_document" "instance_policy_doc_idx" {
    17. 

  17.   # checkov:skip=CKV_AWS_111: see tfsec aws-iam-no-policy-wildcard ignore comment
    18. 

  18.   # Allow copying to S3 for frozen
    19. 

  19.   # Allow use of S3 for SmartStore
    20. 

  20.   statement {
    21. 

  21.     sid    = "GeneralBucketAccess"
    22. 

  22.     effect = "Allow"
    23. 

  23.     actions = [
    24. 

  24.       "s3:ListAllMyBuckets",
    25. 

  25.     ]
    26. 

  26.     resources = ["*"]
    27. 

  27.   }
    28. 

  28. 

  29.   statement {
    30. 

  30.     sid    = "S3BucketAccess"
    31. 

  31.     effect = "Allow"
    32. 

  32.     actions = [
    33. 

  33.       "s3:GetLifecycleConfiguration",
    34. 

  34.       "s3:DeleteObjectVersion",
    35. 

  35.       "s3:ListBucketVersions",
    36. 

  36.       "s3:GetBucketLogging",
    37. 

  37.       "s3:RestoreObject",
    38. 

  38.       "s3:ListBucket",
    39. 

  39.       "s3:GetBucketVersioning",
    40. 

  40.       "s3:PutObject",
    41. 

  41.       "s3:GetObject",
    42. 

  42.       "s3:PutLifecycleConfiguration",
    43. 

  43.       "s3:GetBucketCORS",
    44. 

  44.       "s3:DeleteObject",
    45. 

  45.       "s3:GetBucketLocation",
    46. 

  46.       "s3:GetObjectVersion",
    47. 

  47.     ]
    48. 

  48.     resources = [
    49. 

  49.       "arn:${var.aws_partition}:s3:::xdr-${var.prefix}-${var.environment}-splunk-frozen",
    50. 

  50.       "arn:${var.aws_partition}:s3:::xdr-${var.prefix}-${var.environment}-splunk-frozen/*",
    51. 

  51.       "arn:${var.aws_partition}:s3:::xdr-${var.prefix}-${var.environment}-splunk-smartstore",
    52. 

  52.       "arn:${var.aws_partition}:s3:::xdr-${var.prefix}-${var.environment}-splunk-smartstore/*",
    53. 

  53.     ]
    54. 

  54.   }
    55. 

  55. 

  56.   statement {
    57. 

  57.     sid    = "KMSKeyAccess"
    58. 

  58.     effect = "Allow"
    59. 

  59.     actions = [
    60. 

  60.       "kms:Decrypt",
    61. 

  61.       "kms:GenerateDataKeyWithoutPlaintext",
    62. 

  62.       "kms:Verify",
    63. 

  63.       "kms:GenerateDataKeyPairWithoutPlaintext",
    64. 

  64.       "kms:GenerateDataKeyPair",
    65. 

  65.       "kms:ReEncryptFrom",
    66. 

  66.       "kms:Encrypt",
    67. 

  67.       "kms:GenerateDataKey",
    68. 

  68.       "kms:ReEncryptTo",
    69. 

  69.       "kms:Sign",
    70. 

  70.     ]
    71. 

  71.     # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
    72. 

  72.     resources = ["*"]
    73. 

  73.   }
    74. 

  74. 

  75.   statement {
    76. 

  76.     sid    = "AllowAssumeRoleToSplunkApps"
    77. 

  77.     effect = "Allow"
    78. 

  78. 

  79.     actions = [
    80. 

  80.       "sts:AssumeRole"
    81. 

  81.     ]
    82. 

  82. 

  83.     resources = [
    84. 

  84.       "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/service/splunk-apps-s3"
    85. 

  85.     ]
    86. 

  86.   }
    87. 

  87. }
    88. 

  88. 

  89. resource "aws_iam_role_policy_attachment" "indexer_instance_policy_attach_idx" {
    90. 

  90.   role       = module.instance_profile.role_id
    91. 

  91.   policy_arn = aws_iam_policy.instance_policy_idx.arn
    92. 

  92. }
    93.