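# IAM role that the Phantom instance role assumes to reach the S3 bucket and
# its KMS key. The trust policy names exactly one principal; nothing in this
# file reads a variable for extra trusted principals (an earlier comment
# mentioned an "extra_trusted_salt" variable, but it is not referenced here).
resource "aws_iam_role" "phantom_s3_role" {
  name                  = "phantom_s3"
  path                  = "/service/"
  force_detach_policies = true # causes "DeleteConflict" if not present

  # Trust is limited to the instance role in the same partition/account; the
  # account id and partition come in as variables so the ARN is not hard-coded.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/instance/xdr-phantom-instance-role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

  tags = merge(var.standard_tags, var.tags)
}

# Binds the bucket/KMS policy below to the role above.
resource "aws_iam_role_policy_attachment" "phantom_s3_policy_attach" {
  role       = aws_iam_role.phantom_s3_role.name
  policy_arn = aws_iam_policy.phantom_s3_policy.arn
}

# Managed policy rendered from the policy document data source below.
resource "aws_iam_policy" "phantom_s3_policy" {
  name        = "phantom_s3_policy"
  path        = "/service/"
  description = "Policy which allows phantom to read/write to the S3 bucket"
  policy      = data.aws_iam_policy_document.phantom_s3_policy_doc.json
}

# Permissions for the role: account-wide bucket enumeration, read/write on one
# bucket, and use of that bucket's KMS key.
data "aws_iam_policy_document" "phantom_s3_policy_doc" {
  # s3:ListAllMyBuckets is not resource-scoped, so "*" is the narrowest
  # resource IAM accepts for it. The previous "s3:HeadBucket" entry was
  # removed: HeadBucket is authorised by s3:ListBucket on the bucket (granted
  # in S3BucketAccess), and "s3:HeadBucket" is not an IAM action name.
  statement {
    sid    = "GeneralBucketAccess"
    effect = "Allow"
    actions = [
      "s3:ListAllMyBuckets",
    ]
    resources = ["*"]
  }

  # Read/write on the bucket and its objects. Listing the bucket's contents
  # (ListObjects, ListObjectsV2, HeadBucket) is authorised by s3:ListBucket;
  # the former "s3:ListObjects", "s3:ListObjectsV2" and "s3:ListBuckets"
  # entries are not IAM action names and granted nothing, so without
  # s3:ListBucket the role could not enumerate the bucket.
  statement {
    sid    = "S3BucketAccess"
    effect = "Allow"
    actions = [
      "s3:GetLifecycleConfiguration",
      "s3:DeleteObjectVersion",
      "s3:ListBucket",
      "s3:ListBucketVersions",
      "s3:GetBucketLogging",
      "s3:RestoreObject",
      "s3:GetBucketVersioning",
      "s3:PutObject",
      "s3:GetObject",
      "s3:PutLifecycleConfiguration",
      "s3:GetBucketCORS",
      "s3:DeleteObject",
      "s3:GetBucketLocation",
      "s3:GetObjectVersion",
    ]
    resources = [
      aws_s3_bucket.bucket.arn,
      "${aws_s3_bucket.bucket.arn}/*",
    ]
  }

  # NOTE(review): every action here is already granted by S3BucketAccess on
  # the same resources, so this statement adds no effective permission; it is
  # kept in case the split is wanted for a future narrower resource set.
  # The invalid "s3:ListBuckets" entry was dropped (see S3BucketAccess).
  statement {
    sid    = "S3ReadOnlyBucketAccess"
    effect = "Allow"
    actions = [
      "s3:ListBucket",
      "s3:ListBucketVersions",
      "s3:GetBucketVersioning",
      "s3:GetObject",
      "s3:GetBucketCORS",
      "s3:GetBucketLocation",
      "s3:GetObjectVersion",
    ]
    resources = [
      aws_s3_bucket.bucket.arn,
      "${aws_s3_bucket.bucket.arn}/*",
    ]
  }

  # Key operations on the bucket's key only. NOTE(review): S3 SSE-KMS needs
  # kms:Decrypt and kms:GenerateDataKey (kms:Encrypt/ReEncrypt* for some
  # copy/re-encrypt paths); kms:Sign, kms:Verify and the GenerateDataKeyPair*
  # actions only apply to asymmetric keys. aws_kms_key.bucketkey's spec is not
  # visible here — confirm the key is symmetric before trimming these.
  statement {
    sid    = "KMSKeyAccess"
    effect = "Allow"
    actions = [
      "kms:Decrypt",
      "kms:GenerateDataKeyWithoutPlaintext",
      "kms:Verify",
      "kms:GenerateDataKeyPairWithoutPlaintext",
      "kms:GenerateDataKeyPair",
      "kms:ReEncryptFrom",
      "kms:Encrypt",
      "kms:GenerateDataKey",
      "kms:ReEncryptTo",
      "kms:Sign",
    ]
    resources = [aws_kms_key.bucketkey.arn]
  }
}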