| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172 |
- # VMRay gets access to read/write to its backup bucket and use its s3 key
- module "instance_profile" {
- source = "../../submodules/iam/base_instance_profile"
- prefix = "xdr-vmray"
- aws_partition = var.aws_partition
- aws_account_id = var.aws_account_id
- }
- // S3 is used for backups
- data "aws_iam_policy_document" "policy_auth_s3" {
- statement {
- sid = ""
- effect = "Allow"
- resources = [aws_s3_bucket.storage.arn]
- actions = [
- "s3:ListBucket",
- "s3:ListBucketVersions",
- ]
- }
- # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
- statement {
- sid = ""
- effect = "Allow"
- resources = ["${aws_s3_bucket.storage.arn}/*"]
- actions = [
- "s3:PutObject",
- "s3:GetObject",
- "s3:GetObjectVersion",
- ]
- }
- }
- resource "aws_iam_policy" "auth_s3" {
- name = "xdr-vmray-auth-s3"
- policy = data.aws_iam_policy_document.policy_auth_s3.json
- }
- resource "aws_iam_role_policy_attachment" "attach_auth_s3" {
- role = module.instance_profile.role_id
- policy_arn = aws_iam_policy.auth_s3.arn
- }
- // Allow use of the key
- # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
- data "aws_iam_policy_document" "policy_kms" {
- statement {
- sid = "AllowKMSUse"
- effect = "Allow"
- resources = [aws_kms_key.s3.arn]
- actions = [
- "kms:Encrypt",
- "kms:Decrypt",
- "kms:ReEncrypt*",
- "kms:GenerateDataKey*",
- "kms:DescribeKey"
- ]
- }
- }
- resource "aws_iam_policy" "auth_kms" {
- name = "xdr-vmray-kms"
- policy = data.aws_iam_policy_document.policy_kms.json
- }
- resource "aws_iam_role_policy_attachment" "attach_kms" {
- role = module.instance_profile.role_id
- policy_arn = aws_iam_policy.auth_kms.arn
- }
|
