AFS
/
xdr-terraform-modules


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177
							resource "aws_iam_role" "codebuild_splunk_apps_role" {
  name     = "codebuild_splunk_apps_role"
  path     = "/aws_services/"

  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "codebuild.amazonaws.com"
            ]
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
EOF
}

resource "aws_iam_role_policy_attachment" "codebuild_splunk_apps_role_policy_attach" {
  role       = aws_iam_role.codebuild_splunk_apps_role.name
  policy_arn = aws_iam_policy.codebuild_splunk_apps_policy.arn
}

# Some things about this policy I'm not perfectly sure about, like
# should the account number be hardcoded?  Also, it reads like we'll have to
# update it each time we have a new repository added to codecommit - that
# or we'll need to authorize the codebuild role to be able to pull from any 
# codecommit repo.  Which may be fine?
resource "aws_iam_policy" "codebuild_splunk_apps_policy" {
  name        = "codebuild_splunk_apps_policy"
  description = "Policy for AWS codebuild to build and store artifacts"
  path     = "/aws_services/"

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": [
                "arn:${var.aws_partition}:logs:${var.aws_region}:${var.aws_account_id}:log-group:/aws/codebuild/*"
            ],
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:${var.aws_partition}:s3:::codepipeline-${var.aws_region}-*"
            ],
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:${var.aws_partition}:codecommit:${var.aws_region}:${var.aws_account_id}:*"
            ],
            "Action": [
                "codecommit:GitPull"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:${var.aws_partition}:s3:::xdr-${var.splunk_prefix}-${var.environment}-splunk-apps/*",
                "arn:${var.aws_partition}:s3:::*"
            ],
            "Action": [
                "s3:PutObject",
                "s3:GetObject*",
                "s3:ListBucket"
            ]
        },
        {
            "Sid": "WriteToECR",
            "Effect": "Allow",
            "Resource": [
                "*"
            ],
            "Action": [
              "ecr:GetAuthorizationToken",
              "ecr:BatchCheckLayerAvailability",
              "ecr:CompleteLayerUpload",
              "ecr:GetAuthorizationToken",
              "ecr:InitiateLayerUpload",
              "ecr:PutImage",
              "ecr:UploadLayerPart"
            ]
        },
        {
            "Sid": "PullFromECR",
            "Effect": "Allow",
            "Resource": [
                "*"
            ],
            "Action": [
              "ecr:GetDownloadUrlForLayer",
              "ecr:BatchGetImage",
              "ecr:BatchCheckLayerAvailability"
            ]
        }
    ]
}
EOF
}

# !!!!!     RETAINED FOR FUTURE USE   !!!!!
# Defines an IAM user that can only download ECR images, intended for
# use in POP nodes where we need containers, but won't necessarily have
# EC2 instance role credentials.  Maybe one day this goes to vault, I
# hope.   It would be nice.

# data "aws_iam_policy_document" "ecr_policy_pop" {
#   statement {
#     sid       = "AllowECRReadOnly"
#     effect    = "Allow"

#     actions   = [
#       "ecr:GetAuthorizationToken",
#       "ecr:BatchCheckLayerAvailability",
#       "ecr:GetDownloadUrlForLayer",
#       "ecr:GetRepositoryPolicy",
#       "ecr:DescribeRepositories",
#       "ecr:ListImages",
#       "ecr:DescribeImages",
#       "ecr:BatchGetImage"
#     ]
    
#     resources = [
#       "*"
#     ]

#   }
# }

# resource "aws_iam_policy" "ecr_policy_pop" {
#   name   = "ecr_policy_pop"
#   path   = "/"
#   policy = "${data.aws_iam_policy_document.ecr_policy_pop.json}"
# }

# resource "aws_iam_user" "pop_service_account" {
#   name = "svc-mdrpop"
#   path = "/service/"
# }

# resource "aws_iam_user_policy_attachment" "pop_service_account_1" {
#   user       = "${aws_iam_user.pop_service_account.name}"
#   policy_arn = "${aws_iam_policy.ecr_policy_pop.arn}"
# }


# resource "aws_iam_access_key" "pop_service_account" {
#   user    = "${aws_iam_user.pop_service_account.name}"
#   pgp_key = "${file("../00-organizations-and-iam/duane_waddle.pgp")}"
# }

# output "pop_service_account_key_id" {
#   value = "${aws_iam_access_key.pop_service_account.id}"
# }

# output "pop_service_account_secret" {
#   value = "${aws_iam_access_key.pop_service_account.encrypted_secret}"
# }

# !!!!!    END OF RETAINED FOR FUTURE USE   !!!!!