AFS
/
xdr-terraform-modules


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203
							#----------------------------------------------------------------------------
# Policies
#----------------------------------------------------------------------------

#Admins
data "vault_policy_document" "admins" {
  rule {
    path         = "*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "allow all on permissions"
  }
}

resource "vault_policy" "admins" {
  name   = "admins"
  policy = data.vault_policy_document.admins.hcl
}

#Clu Legacy
data "vault_policy_document" "clu" {
  rule {
    path         = "jenkins*"
    capabilities = ["read","list"]
    description  = "clu read write on jenkins - legacy"
  }
}

resource "vault_policy" "clu" {
  name   = "clu"
  policy = data.vault_policy_document.clu.hcl
}

#This access is for Feed Management/engineers. 
data "vault_policy_document" "engineers" {
  rule {
    path         = "onboarding*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "engineers/Feed Management"
  }
}

resource "vault_policy" "engineers" {
  name   = "engineers"
  policy = data.vault_policy_document.engineers.hcl
}

#This access is for Phantom Admins. 
data "vault_policy_document" "phantom" {
  rule {
    path         = "phantom*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "Phantom"
  }
  rule {
    path         = "onboarding*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "onboarding"
  }
  rule {
    path         = "portal*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "Portal"
  }
}

resource "vault_policy" "phantom" {
  name   = "phantom"
  policy = data.vault_policy_document.phantom.hcl
}

#portal
data "vault_policy_document" "portal" {
  rule {
    path         = "portal*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "Portal"
  }
}

resource "vault_policy" "portal" {
  name   = "portal"
  policy = data.vault_policy_document.portal.hcl
}

#threatq
data "vault_policy_document" "threatq" {
  rule {
    path         = "threatq-lambda*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "threatq-lambda"
  }
}

resource "vault_policy" "threatq" {
  name   = "threatq"
  policy = data.vault_policy_document.threatq.hcl
}

#salt-master should be able to only create tokens
data "vault_policy_document" "salt-master" {
  rule {
    path         = "auth/*"
    capabilities = ["read", "list", "sudo", "create", "update", "delete"]
    description  = "salt-master"
  }
}

resource "vault_policy" "salt-master" {
  name   = "salt-master"
  policy = data.vault_policy_document.salt-master.hcl
}


#restrict salt-minions to only list secrets here - saltstack/minions
#allow all minions access to this shared pillar data.
data "vault_policy_document" "minions" {
  rule {
    path         = "salt/*"
    capabilities = ["list"]
    description  = "minions"
  }
  rule {
    path         = "salt/pillar_data"
    capabilities = ["read"]
    description  = "minions"
  }
}

resource "vault_policy" "minions" {
  name   = "saltstack/minions"
  policy = data.vault_policy_document.minions.hcl
}


#restrict sensu salt-minion to only list secrets here - saltstack/minions
#Policy must be named: saltstack/minion/<minion-id>
# e.g. saltstack/minion/sensu.pvt.xdrtest.accenturefederalcyber.com
data "vault_policy_document" "sensu-minion" {
  rule {
    path         = "salt/*"
    capabilities = ["list"]
    description  = "sensu-minion"
  }
  rule {
    path         = "salt/minions/sensu.${var.dns_info["private"]["zone"]}/*"
    capabilities = ["read"]
    description  = "sensu-minion"

  }
}

resource "vault_policy" "sensu-minion" {
  name   = "saltstack/minion/sensu.${var.dns_info["private"]["zone"]}"
  policy = data.vault_policy_document.sensu-minion.hcl
}

#Temp for GC Transition. Remove when Legacy Sensu is termianted. 
data "vault_policy_document" "sensu-minion-legacy" {
  rule {
    path         = "salt/*"
    capabilities = ["list"]
    description  = "sensu-minion-legacy"
  }
  rule {
    path         = "salt/minions/sensu.msoc.defpoint.local"
    capabilities = ["read"]
    description  = "sensu-minion-legacy"

  }
}

resource "vault_policy" "sensu-minion-legacy" {
  name   = "saltstack/minion/sensu.msoc.defpoint.local"
  policy = data.vault_policy_document.sensu-minion-legacy.hcl
}


data "vault_policy_document" "soc" {
  rule {
    path         = "soc*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "soc"
  }
}

resource "vault_policy" "soc" {
  name   = "soc"
  policy = data.vault_policy_document.soc.hcl
}


data "vault_policy_document" "read-only" {
  rule {
    path         = "/nothing/*"
    capabilities = ["read", "list"]
    description  = "No permissions"
  }
}

resource "vault_policy" "read-only" {
  name   = "read-only"
  policy = data.vault_policy_document.read-only.hcl
}