AFS
/
xdr-terraform-modules


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347
							# IAM Roles in All Accounts


#############################
# Default instance profile
#
# Basic profile to allow basic things
resource "aws_iam_instance_profile" "default_instance_profile" {
  name  = "msoc-default-instance-profile"
  role = aws_iam_role.default_instance_role.name
}

resource "aws_iam_role"  "default_instance_role" {
  name = "msoc-default-instance-role"
  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AssumeRoleAnywhere",
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "ec2.amazonaws.com",
            "ssm.amazonaws.com"
            ]
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
EOF
}

data "aws_iam_policy_document" "default_instance_policy_doc" {
  statement {
    effect = "Allow"
    actions = [
        "ec2:DescribeTags"
    ]

    resources = [
      "*"
    ]
  }
}

resource "aws_iam_policy" "default_instance_policy" {
  name        = "default_instance_tag_read"
  path        = "/launchroles/"
  description = "This policy allows a EC2 server to read tags"
  policy      = data.aws_iam_policy_document.default_instance_policy_doc.json
}

data "aws_iam_policy_document" "default_instance_policy_s3_binaries_doc" {
  statement {
    sid       = "AccessTheBucketItself"
    effect    = "Allow"
    resources = ["arn:${var.aws_partition}:s3:::${var.binaries_bucket}"]

    actions = [
      "s3:ListBucket",
      "s3:GetBucketLocation",
    ]
  }

  statement {
    sid       = "GetFromTheBucket"
    effect    = "Allow"
    resources = ["arn:${var.aws_partition}:s3:::${var.binaries_bucket}/*"]

    actions = [
      "s3:GetObject",
      "s3:GetObjectAcl",
    ]
  }

  statement {
    sid       = "UseTheKey"
    effect    = "Allow"
    resources = [
      "arn:${var.aws_partition}:kms:${var.aws_region}:${var.common_services_account}:${var.binaries_key}"
    ]
    actions = [
      "kms:Decrypt",
      "kms:DescribeKey"
    ]
  }
}

resource "aws_iam_policy" "default_instance_policy_s3_binaries" {
  name        = "default_instance_s3_binaries"
  path        = "/launchroles/"
  description = "This policy allows a EC2 server to read from the s3 binaries bucket"
  policy      = data.aws_iam_policy_document.default_instance_policy_s3_binaries_doc.json
}

resource "aws_iam_role_policy_attachment" "default_instance_AmazonEC2RoleforSSM" {
  role       = aws_iam_role.default_instance_role.name
  policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
}

resource "aws_iam_role_policy_attachment" "default_instance_default_policy_attach" {
  role       = aws_iam_role.default_instance_role.name
  policy_arn = aws_iam_policy.default_instance_policy.arn
}

resource "aws_iam_role_policy_attachment" "default_instance_s3_policy_attach" {
  role       = aws_iam_role.default_instance_role.name
  policy_arn = aws_iam_policy.default_instance_policy_s3_binaries.arn
}

resource "aws_iam_role_policy_attachment" "default_instance_cloudwatch_policy_attach" {
  role       = aws_iam_role.default_instance_role.name
  policy_arn = aws_iam_policy.cloudwatch_events.arn
}


##########################
# cloudwatch events
data "aws_iam_policy_document" "cloudwatch_events" {
  statement {
    sid = "1"
    actions = [
      "events:PutRule"
    ]

    resources = [ "*" ]
  }
}

resource "aws_iam_policy" "cloudwatch_events" {
  name        = "cloudwatch_events"
  description = "Creation of cloudwatch events"
  policy      = data.aws_iam_policy_document.cloudwatch_events.json
}

##########################
# dlm_lifecycle
#
# This is to setup the needed IAM role and premissions for the AWS feature Data Lifecycle Manager (DLM) lifecycle policy so we can have it do "backups" on our EBS
# Docs can be found here https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-lifecycle.html
# Chris Lynch 1/25/2019

resource "aws_iam_role" "dlm_lifecycle_role" {
  name = "dlm-lifecycle-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "dlm.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "dlm_lifecycle" {
  name = "dlm-lifecycle-policy"
  role = aws_iam_role.dlm_lifecycle_role.id
  policy = <<EOF
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "ec2:CreateSnapshot",
            "ec2:DeleteSnapshot",
            "ec2:DescribeVolumes",
            "ec2:DescribeSnapshots",
            "ec2:DescribeImages",
            "ec2:DescribeInstances",
            "ec2:DescribeImageAttribute"
         ],
         "Resource": "*"
      },
      {
         "Effect": "Allow",
         "Action": [
            "ec2:CreateTags"
         ],
         "Resource": [
           "arn:${var.aws_partition}:ec2:*::snapshot/*",
           "arn:${var.aws_partition}:ec2:*::image/*"
         ]
      },
      {
         "Effect": "Allow",
         "Action": "ec2:DeleteSnapshot",
         "Resource": "arn:${var.aws_partition}:ec2:*::snapshot/*"
      },
      {
         "Effect": "Allow",
         "Action": [
            "ec2:ResetImageAttribute",
            "ec2:DeregisterImage",
            "ec2:CreateImage",
            "ec2:CopyImage",
            "ec2:ModifyImageAttribute"
         ],
         "Resource": "*"
      },
      {
         "Effect": "Allow",
         "Action": [
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:Encrypt",
            "kms:DescribeKey",
            "kms:Decrypt",
            "kms:Create*"
         ],
         "Resource": "*"
      }
   ]
}
EOF
}

##########################
# moose
# 
# See https://docs.splunk.com/Documentation/AddOns/released/AWS/ConfigureAWSpermissions
locals {
  trusted_principals_govcloud   = [
    "arn:${var.aws_partition}:iam::${local.c2_account}:role/instance/moose-hf",
    "arn:${var.aws_partition}:iam::${local.c2_account}:user/instance/moose-hf"
  ]
  trusted_principals_commercial = [ 
    "arn:${var.aws_partition}:iam::${var.legacy_account}:role/splunk-aws-instance-role",
    "arn:${var.aws_partition}:iam::${local.c2_account}:user/instance/moose-hf",
  ]
  trusted_principals = var.aws_partition == "aws" ? local.trusted_principals_commercial : local.trusted_principals_govcloud
}


resource "aws_iam_role" "splunk_addon_for_aws" {
  name = "splunk-addon-for-aws"
  path = "/instance/"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": ${jsonencode(local.trusted_principals)}
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "splunk_addon_for_aws" {
  name = "splunk-addon-for-aws"
  role = aws_iam_role.splunk_addon_for_aws.id
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "sqs:GetQueueUrl",
        "sqs:SendMessage",
        "sqs:DeleteMessage",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:GetBucketTagging", 
        "s3:GetAccelerateConfiguration", 
        "s3:GetBucketLogging", 
        "s3:GetLifecycleConfiguration", 
        "s3:GetBucketCORS",
        "config:DeliverConfigSnapshot",
        "config:DescribeConfigRules",
        "config:DescribeConfigRuleEvaluationStatus",
        "config:GetComplianceDetailsByConfigRule",
        "config:GetComplianceSummaryByConfigRule",
        "iam:GetUser",
        "iam:ListUsers",
        "iam:GetAccountPasswordPolicy",
        "iam:ListAccessKeys",
        "iam:GetAccessKeyLastUsed", 
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "sns:Get*",
        "sns:List*",
        "sns:Publish",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "ec2:DescribeInstances",
        "ec2:DescribeReservedInstances",
        "ec2:DescribeSnapshots",
        "ec2:DescribeRegions",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcs",
        "ec2:DescribeImages",
        "ec2:DescribeAddresses",
        "lambda:ListFunctions",
        "rds:DescribeDBInstances",
        "cloudfront:ListDistributions",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:DescribeListeners",
        "inspector:Describe*",
        "inspector:List*",
        "kinesis:Get*",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kms:Decrypt",
        "sts:AssumeRole"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
EOF
}