| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122 | # the 'splunk-addon-for-aws' role is created in all accounts via# the base/account_standards module.## Then, there is an instance profile (for use in the partition holding moose)# and a user account (for use in the partion _not_ holding moose) that# with keys for moose.## That instance profile/user is allowed to assumerole into the# 'splunk-addon-for-aws' role in the other accounts.####################### Access keys## For rotation purposes, there are two of these. Delete the oldest one, # add a new one (with a higher version number), and then update the output## Possible futue improvement:# We could specify a pgp_key attribute, and then the secret will be encrypted# in both the state file and in the output. If we used the salt PGP key,# no user would ever have to see the secret key.resource "aws_iam_access_key" "moose-hf-v0" {  user = aws_iam_user.moose-hf.name}resource "aws_iam_access_key" "moose-hf-v1" {  user = aws_iam_user.moose-hf.name}output access_keys {  value = {    "current" = {       "aws_access_key_id": aws_iam_access_key.moose-hf-v1.id      "aws_secret_access_key": aws_iam_access_key.moose-hf-v1.secret    },    "previous" = {      "aws_access_key_id": aws_iam_access_key.moose-hf-v0.id      "aws_secret_access_key": aws_iam_access_key.moose-hf-v0.secret    }  }}####################### The policy is attached to both the user and the instance profileresource "aws_iam_policy" "moose-hf" {  name        = "moose-hf"  path        = "/instance/"  description = "Policy to allow the moose HF to assume roles"  policy = <<EOF{  "Version": "2012-10-17",  "Statement": [    {      "Effect": "Allow",      "Action": "sts:AssumeRole",      "Resource": "*"    }  ]}EOF}####################### The instance profileresource "aws_iam_instance_profile" "moose-hf" {  name = "moose-hf"  role = aws_iam_role.moose-hf.name}resource "aws_iam_role" "moose-hf" {  name = "moose-hf"  path = "/instance/"  assume_role_policy = <<EOF{    "Version": "2012-10-17",    "Statement": [        {            "Action": "sts:AssumeRole",            "Principal": {               "Service": "ec2.amazonaws.com"            },            "Effect": "Allow",            "Sid": ""        }    ]}EOF}resource "aws_iam_role_policy_attachment" "moose-hf" {  role       = aws_iam_role.moose-hf.name  policy_arn = aws_iam_policy.moose-hf.arn}####################### the user## Note: CIS requires that policies _NOT_ be directly attached to a user. Users must# be members of groups, and those groups can have policies.resource "aws_iam_user" "moose-hf" {  name = "moose-hf"  path = "/instance/"  tags = merge(var.standard_tags, var.tags)}resource "aws_iam_group" "moose-hf" {  name = "moose-hf"  path = "/instance/"}resource "aws_iam_user_group_membership" "moose-hf" {  user = aws_iam_user.moose-hf.name  groups = [ aws_iam_group.moose-hf.name ]}resource "aws_iam_group_policy_attachment" "moose-hf-group" {  group      = aws_iam_group.moose-hf.name  policy_arn = aws_iam_policy.moose-hf.arn}
 |