Accueil Explorer Aide
S'inscrire Connexion
AFS
/
xdr-terraform-modules
2
0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Aborescence: 98ccc5c2b8
Branches Tags
xdr-terraform-m...
/
base
/
splunk_servers
/
indexer_cluster
/
instance_profile_indexers.tf

instance_profile_indexers.tf 2.5 KB
Historique Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091 
  1. module "instance_profile" {
    2. 

  2.   source         = "../../../submodules/iam/base_instance_profile"
    3. 

  3.   prefix         = "xdr-idx"
    4. 

  4.   aws_partition  = var.aws_partition
    5. 

  5.   aws_account_id = var.aws_account_id
    6. 

  6. }
    7. 

  7. 

  8. # Indexer Specific Policy
    9. 

  9. resource "aws_iam_policy" "instance_policy_idx" {
    10. 

  10.   name        = "idx_instance_policy"
    11. 

  11.   path        = "/launchroles/"
    12. 

  12.   description = "This policy allows indexer-specific functions"
    13. 

  13.   policy      = data.aws_iam_policy_document.instance_policy_doc_idx.json
    14. 

  14. }
    15. 

  15. 

  16. data "aws_iam_policy_document" "instance_policy_doc_idx" {
    17. 

  17.   # Allow copying to S3 for frozen
    18. 

  18.   # Allow use of S3 for SmartStore
    19. 

  19.   statement {
    20. 

  20.     sid    = "GeneralBucketAccess"
    21. 

  21.     effect = "Allow"
    22. 

  22.     actions = [
    23. 

  23.       "s3:ListAllMyBuckets",
    24. 

  24.     ]
    25. 

  25.     resources = ["*"]
    26. 

  26.   }
    27. 

  27. 

  28.   statement {
    29. 

  29.     sid    = "S3BucketAccess"
    30. 

  30.     effect = "Allow"
    31. 

  31.     actions = [
    32. 

  32.       "s3:GetLifecycleConfiguration",
    33. 

  33.       "s3:DeleteObjectVersion",
    34. 

  34.       "s3:ListBucketVersions",
    35. 

  35.       "s3:GetBucketLogging",
    36. 

  36.       "s3:RestoreObject",
    37. 

  37.       "s3:ListBucket",
    38. 

  38.       "s3:GetBucketVersioning",
    39. 

  39.       "s3:PutObject",
    40. 

  40.       "s3:GetObject",
    41. 

  41.       "s3:PutLifecycleConfiguration",
    42. 

  42.       "s3:GetBucketCORS",
    43. 

  43.       "s3:DeleteObject",
    44. 

  44.       "s3:GetBucketLocation",
    45. 

  45.       "s3:GetObjectVersion",
    46. 

  46.     ]
    47. 

  47.     resources = [
    48. 

  48.       "arn:${var.aws_partition}:s3:::xdr-${var.prefix}-${var.environment}-splunk-frozen",
    49. 

  49.       "arn:${var.aws_partition}:s3:::xdr-${var.prefix}-${var.environment}-splunk-frozen/*",
    50. 

  50.       "arn:${var.aws_partition}:s3:::xdr-${var.prefix}-${var.environment}-splunk-smartstore",
    51. 

  51.       "arn:${var.aws_partition}:s3:::xdr-${var.prefix}-${var.environment}-splunk-smartstore/*",
    52. 

  52.     ]
    53. 

  53.   }
    54. 

  54. 

  55.   statement {
    56. 

  56.     sid    = "KMSKeyAccess"
    57. 

  57.     effect = "Allow"
    58. 

  58.     actions = [
    59. 

  59.       "kms:Decrypt",
    60. 

  60.       "kms:GenerateDataKeyWithoutPlaintext",
    61. 

  61.       "kms:Verify",
    62. 

  62.       "kms:GenerateDataKeyPairWithoutPlaintext",
    63. 

  63.       "kms:GenerateDataKeyPair",
    64. 

  64.       "kms:ReEncryptFrom",
    65. 

  65.       "kms:Encrypt",
    66. 

  66.       "kms:GenerateDataKey",
    67. 

  67.       "kms:ReEncryptTo",
    68. 

  68.       "kms:Sign",
    69. 

  69.     ]
    70. 

  70.     # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
    71. 

  71.     resources = ["*"]
    72. 

  72.   }
    73. 

  73. 

  74.   statement {
    75. 

  75.     sid    = "AllowAssumeRoleToSplunkApps"
    76. 

  76.     effect = "Allow"
    77. 

  77. 

  78.     actions = [
    79. 

  79.       "sts:AssumeRole"
    80. 

  80.     ]
    81. 

  81. 

  82.     resources = [
    83. 

  83.       "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/service/splunk-apps-s3"
    84. 

  84.     ]
    85. 

  85.   }
    86. 

  86. }
    87. 

  87. 

  88. resource "aws_iam_role_policy_attachment" "indexer_instance_policy_attach_idx" {
    89. 

  89.   role       = module.instance_profile.role_id
    90. 

  90.   policy_arn = aws_iam_policy.instance_policy_idx.arn
    91. 

  91. }
    92.