xdr-terraform-modules/base/teleport-single-instance/iam.tf

resource "aws_iam_instance_profile" "teleport" {
  name = "${var.instance_name}-role"
  role = aws_iam_role.auth.name
  #depends_on = [aws_iam_role_policy.auth_ssm]
}

// Teleport instance profile and roles
resource "aws_iam_role" "auth" {
  name = "${var.instance_name}-role"
  path = "/instance/"

  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole"
        }
    ]
}
EOF

}

# FTD: No ssm in our deployment
#resource "aws_iam_role_policy" "ssm" {
#  name = "${var.instance_name}-teleport-ssm"
#  role = aws_iam_role.auth.id
#
#  policy = <<EOF
#{
#    "Version": "2012-10-17",
#    "Statement": [
#        {
#            "Effect": "Allow",
#            "Action": [
#                "ssm:DescribeParameters",
#                "ssm:GetParameters",
#                "ssm:GetParametersByPath",
#                "ssm:GetParameter",
#                "ssm:PutParameter",
#                "ssm:DeleteParameter"
#            ],
#            "Resource": "arn:${var.aws_partition}:ssm:${var.aws_region}:${var.aws_account_id}:parameter/teleport/${var.instance_name}/*"
#        },
#        {
#         "Effect":"Allow",
#         "Action":[
#            "kms:Decrypt"
#         ],
#         "Resource":[
#            "arn:${var.aws_partition}:kms:${var.aws_region}:${var.aws_account_id}:key/${data.aws_kms_alias.ssm.target_key_id}"
#         ]
#      }
#    ]
#}
#EOF
#
#}

resource "aws_iam_role_policy_attachment" "teleport_singleinstance_AmazonEC2RoleforSSM" {
  role       = aws_iam_role.auth.name
  policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
}

resource "aws_iam_role_policy_attachment" "teleport_singleinstance_policy_attach_tag_read" {
  role       = aws_iam_role.auth.name
  policy_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:policy/launchroles/default_instance_tag_read"
}

resource "aws_iam_role_policy_attachment" "teleport_singleinstance_policy_attach_cloudwatch" {
  role       = aws_iam_role.auth.name
  policy_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:policy/cloudwatch_events"
}

resource "aws_iam_role_policy_attachment" "teleport_singleinstance_policy_attach_binaries" {
  role       = aws_iam_role.auth.name
  policy_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:policy/launchroles/default_instance_s3_binaries"
}

// Auth server uses DynamoDB as a backend, and this is to allow read/write from the dynamo tables
data "aws_iam_policy_document" "policy_auth_dynamo" {
  statement {
    sid       = "AllActionsOnTeleportDB"
    effect    = "Allow"
    resources = ["arn:${var.aws_partition}:dynamodb:${var.aws_region}:${var.aws_account_id}:table/${aws_dynamodb_table.teleport.name}"]
    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
    actions   = ["dynamodb:*"]
  }

  statement {
    sid       = "AllActionsOnTeleportEventsDB"
    effect    = "Allow"
    resources = ["arn:${var.aws_partition}:dynamodb:${var.aws_region}:${var.aws_account_id}:table/${aws_dynamodb_table.teleport_events.name}"]
    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
    actions   = ["dynamodb:*"]
  }

  statement {
    sid       = "AllActionsOnTeleportEventsIndexDB"
    effect    = "Allow"
    resources = ["arn:${var.aws_partition}:dynamodb:${var.aws_region}:${var.aws_account_id}:table/${aws_dynamodb_table.teleport_events.name}/index/*"]
    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
    actions   = ["dynamodb:*"]
  }

  statement {
    sid       = "AllActionsOnTeleportStreamsDB"
    effect    = "Allow"
    resources = ["arn:${var.aws_partition}:dynamodb:${var.aws_region}:${var.aws_account_id}:table/${aws_dynamodb_table.teleport.name}/stream/*"]
    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
    actions   = ["dynamodb:*"]
  }
}

resource "aws_iam_policy" "auth_dynamo" {
  name   = "${var.instance_name}-auth-dynamo"
  policy = data.aws_iam_policy_document.policy_auth_dynamo.json
}

resource "aws_iam_role_policy_attachment" "attach_auth_dynamo" {
  role       = aws_iam_role.auth.name
  policy_arn = aws_iam_policy.auth_dynamo.arn
}

// Allow auth servers to update locks
data "aws_iam_policy_document" "policy_auth_locks" {
  statement {
    sid       = "AllActionsOnLocks"
    effect    = "Allow"
    resources = ["arn:${var.aws_partition}:dynamodb:${var.aws_region}:${var.aws_account_id}:table/${aws_dynamodb_table.locks.name}"]
    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
    actions   = ["dynamodb:*"]
  }
}

resource "aws_iam_policy" "auth_locks" {
  name   = "${var.instance_name}-auth-locks"
  policy = data.aws_iam_policy_document.policy_auth_locks.json
}

resource "aws_iam_role_policy_attachment" "attach_auth_locks" {
  role       = aws_iam_role.auth.name
  policy_arn = aws_iam_policy.auth_locks.arn
}

// S3 is used for letsencrypt, auth servers request certificates from letsencrypt
// and publish to S3 encrypted bucket. SSM is not used, because certificates and private keys
// are too big for SSM.
data "aws_iam_policy_document" "policy_auth_s3" {
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["arn:${var.aws_partition}:s3:::${aws_s3_bucket.storage.bucket}"]

    actions = [
      "s3:ListBucket",
      "s3:ListBucketVersions",
    ]
  }

  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["arn:${var.aws_partition}:s3:::${aws_s3_bucket.storage.bucket}/*"]

    actions = [
      "s3:PutObject",
      "s3:GetObject",
      "s3:GetObjectVersion",
    ]
  }
}

resource "aws_iam_policy" "auth_s3" {
  name   = "${var.instance_name}-auth-s3"
  policy = data.aws_iam_policy_document.policy_auth_s3.json
}

resource "aws_iam_role_policy_attachment" "attach_auth_s3" {
  role       = aws_iam_role.auth.name
  policy_arn = aws_iam_policy.auth_s3.arn
}

// Allow use of the key
# tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
data "aws_iam_policy_document" "policy_kms" {
  statement {
    sid       = "AllowKMSUse"
    effect    = "Allow"
    resources = [aws_kms_key.s3.arn]

    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
    ]
  }
}

resource "aws_iam_policy" "auth_kms" {
  name   = "${var.instance_name}-kms"
  policy = data.aws_iam_policy_document.policy_kms.json
}

resource "aws_iam_role_policy_attachment" "attach_kms" {
  role       = aws_iam_role.auth.name
  policy_arn = aws_iam_policy.auth_kms.arn
}

// FTD: This is for letsencrypt, which we don't (presently) use.
// Auth server uses route53 to get certs for domain, this allows
// read/write operations from the zone.
#resource "aws_iam_role_policy" "auth_route53" {
#  name = "${var.instance_name}-auth-route53"
#  role = aws_iam_role.auth.id
#
#  policy = <<EOF
#{
#    "Version": "2012-10-17",
#    "Id": "certbot-dns-route53 policy",
#    "Statement": [
#        {
#            "Effect": "Allow",
#            "Action": [
#                "route53:ListHostedZones",
#                "route53:GetChange"
#            ],
#            "Resource": [
#                "*"
#            ]
#        },
#        {
#            "Effect" : "Allow",
#            "Action" : [
#                "route53:ChangeResourceRecordSets"
#            ],
#            "Resource" : [
#                "arn:${var.aws_partition}:route53:::hostedzone/${data.aws_route53_zone.proxy.zone_id}"
#            ]
#        }
#    ]
#}
#EOF
#
#}