AFS
/
xdr-terraform-modules


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145
							# IAM Roles in All Accounts


#############################
# Default instance profile
#
# Basic profile to allow basic things
resource "aws_iam_instance_profile" "default_instance_profile" {
  name  = "msoc-default-instance-profile"
  role = aws_iam_role.default_instance_role.name
}

resource "aws_iam_role"  "default_instance_role" {
  name = "msoc-default-instance-role"
  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "ec2.amazonaws.com",
            "ssm.amazonaws.com"
            ]
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
EOF
}

data "aws_iam_policy_document" "default_instance_policy_doc" {
  statement {
    effect = "Allow"
    actions = [
        "ec2:DescribeTags"
    ]

    resources = [
      "*"
    ]
  }
}


resource "aws_iam_policy" "default_instance_policy" {
  name        = "default_instance_tag_read"
  path        = "/launchroles/"
  description = "This policy allows a EC2 server to read tags"
  policy      = data.aws_iam_policy_document.default_instance_policy_doc.json
}

resource "aws_iam_role_policy_attachment" "default_instance_AmazonEC2RoleforSSM" {
  role       = aws_iam_role.default_instance_role.name
  policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
}

resource "aws_iam_role_policy_attachment" "default_instance_default_policy_attach" {
  role       = aws_iam_role.default_instance_role.name
  policy_arn = aws_iam_policy.default_instance_policy.arn
}

resource "aws_iam_role_policy_attachment" "default_instance_cloudwatch_policy_attach" {
  role       = aws_iam_role.default_instance_role.name
  policy_arn = aws_iam_policy.cloudwatch_events.arn
}


##########################
# cloudwatch events
data "aws_iam_policy_document" "cloudwatch_events" {
  statement {
    sid = "1"
    actions = [
      "events:PutRule"
    ]

    resources = [ "*" ]
  }
}

resource "aws_iam_policy" "cloudwatch_events" {
  name        = "cloudwatch_events"
  description = "Creation of cloudwatch events"
  policy      = data.aws_iam_policy_document.cloudwatch_events.json
}

##########################
# dlm_lifecycle
#
# This is to setup the needed IAM role and premissions for the AWS feature Data Lifecycle Manager (DLM) lifecycle policy so we can have it do "backups" on our EBS
# Docs can be found here https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-lifecycle.html
# Chris Lynch 1/25/2019

resource "aws_iam_role" "dlm_lifecycle_role" {
  name = "dlm-lifecycle-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "dlm.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "dlm_lifecycle" {
  name = "dlm-lifecycle-policy"
  role = aws_iam_role.dlm_lifecycle_role.id
  policy = <<EOF
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "ec2:CreateSnapshot",
            "ec2:DeleteSnapshot",
            "ec2:DescribeVolumes",
            "ec2:DescribeSnapshots"
         ],
         "Resource": "*"
      },
      {
         "Effect": "Allow",
         "Action": [
            "ec2:CreateTags"
         ],
         "Resource": "arn:${var.aws_partition}:ec2:*::snapshot/*"
      }
   ]
}
EOF
}