|
|
@@ -1,21 +1,32 @@
|
|
|
+#Allowed: arn:aws:iam::*:role/fcm/fcm-analysis-EbsEncryptionByDefault
|
|
|
+#Actual: arn:aws:iam::082012130604:role/fcm/fcm-analysis-EbsEncryptionByDefault
|
|
|
+#
|
|
|
+#Role trust: arn:aws:iam::082012130604:role/fcm/fcm-lambda-analysis-EbsEncryptionByDefault
|
|
|
+#Actual: arn:aws:iam::082012130604:role/fcm/fcm-lambda-analysis-EbsEncryptionByDefault
|
|
|
+
|
|
|
+# All Accounts Role
|
|
|
resource "aws_iam_role" "fcm-analysis-EbsEncryptionByDefault" {
|
|
|
name = "fcm-analysis-EbsEncryptionByDefault"
|
|
|
+ path = "/fcm/"
|
|
|
+ description = "FCM role for EbsEncryptionByDefault Enforcement Analysis"
|
|
|
|
|
|
- assume_role_policy = <<ASSUMEROLEDOC
|
|
|
+ assume_role_policy = <<DOC1
|
|
|
{
|
|
|
"Version": "2012-10-17",
|
|
|
"Statement": [
|
|
|
{
|
|
|
"Action": "sts:AssumeRole",
|
|
|
"Principal": {
|
|
|
- "Service": "lambda.amazonaws.com"
|
|
|
+ "AWS": [
|
|
|
+ "${aws_iam_role.fcm-lambda-analysis-EbsEncryptionByDefault.arn}"
|
|
|
+ ]
|
|
|
},
|
|
|
"Effect": "Allow",
|
|
|
"Sid": ""
|
|
|
}
|
|
|
]
|
|
|
}
|
|
|
-ASSUMEROLEDOC
|
|
|
+DOC1
|
|
|
}
|
|
|
|
|
|
resource "aws_iam_policy" "fcm-analysis-EbsEncryptionByDefault" {
|
|
|
@@ -23,37 +34,12 @@ resource "aws_iam_policy" "fcm-analysis-EbsEncryptionByDefault" {
|
|
|
path = "/fcm/"
|
|
|
description = "FCM policy for EbsEncryptionByDefault Enforcement Analysis"
|
|
|
|
|
|
- policy = <<POLICYDOC
|
|
|
+ policy = <<DOC2
|
|
|
{
|
|
|
"Version": "2012-10-17",
|
|
|
"Statement": [
|
|
|
- {
|
|
|
- "Effect": "Allow",
|
|
|
- "Action": "logs:CreateLogGroup",
|
|
|
- "Resource": "arn:aws:logs:us-east-2:082012130604:log-group:*"
|
|
|
- },
|
|
|
- {
|
|
|
- "Effect": "Allow",
|
|
|
- "Action": [
|
|
|
- "logs:CreateLogStream",
|
|
|
- "logs:PutLogEvents"
|
|
|
- ],
|
|
|
- "Resource": "arn:aws:logs:us-east-2:082012130604:log-group:/aws/lambda/*"
|
|
|
- },
|
|
|
- {
|
|
|
- "Sid": "FCMRequiredAccess",
|
|
|
- "Effect": "Allow",
|
|
|
- "Action": [
|
|
|
- "kms:Decrypt",
|
|
|
- "kms:GenerateDataKey*",
|
|
|
- "sqs:ReceiveMessage",
|
|
|
- "sqs:DeleteMessage",
|
|
|
- "sqs:GetQueueAttributes"
|
|
|
- ],
|
|
|
- "Resource": "*"
|
|
|
- },
|
|
|
{
|
|
|
- "Sid": "FunctionSpecificAccess",
|
|
|
+ "Sid": "FunctionSpecific",
|
|
|
"Effect": "Allow",
|
|
|
"Action": [
|
|
|
"ec2:GetEbsEncryptionByDefault"
|
|
|
@@ -62,18 +48,77 @@ resource "aws_iam_policy" "fcm-analysis-EbsEncryptionByDefault" {
|
|
|
}
|
|
|
]
|
|
|
}
|
|
|
-POLICYDOC
|
|
|
+DOC2
|
|
|
}
|
|
|
|
|
|
resource "aws_iam_role_policy_attachment" "fcm-analysis-EbsEncryptionByDefault" {
|
|
|
role = "${aws_iam_role.fcm-analysis-EbsEncryptionByDefault.name}"
|
|
|
policy_arn = "${aws_iam_policy.fcm-analysis-EbsEncryptionByDefault.arn}"
|
|
|
}
|
|
|
+### ABOVE needs to be in all accounts.
|
|
|
+
|
|
|
+# Master Account Only:
|
|
|
+resource "aws_iam_role" "fcm-lambda-analysis-EbsEncryptionByDefault" {
|
|
|
+ name = "fcm-lambda-analysis-EbsEncryptionByDefault"
|
|
|
+ path = "/fcm/"
|
|
|
+ description = "FCM policy for EbsEncryptionByDefault Enforcement Analysis Lambda Function"
|
|
|
+
|
|
|
+ assume_role_policy = <<DOC3
|
|
|
+{
|
|
|
+ "Version": "2012-10-17",
|
|
|
+ "Statement": [
|
|
|
+ {
|
|
|
+ "Action": "sts:AssumeRole",
|
|
|
+ "Principal": {
|
|
|
+ "Service": "lambda.amazonaws.com"
|
|
|
+ },
|
|
|
+ "Effect": "Allow",
|
|
|
+ "Sid": ""
|
|
|
+ }
|
|
|
+ ]
|
|
|
+}
|
|
|
+DOC3
|
|
|
+}
|
|
|
+
|
|
|
+resource "aws_iam_policy" "fcm-lambda-analysis-EbsEncryptionByDefault" {
|
|
|
+ name = "fcm-lambda-analysis-EbsEncryptionByDefault"
|
|
|
+ path = "/fcm/"
|
|
|
+ description = "FCM policy the lambda function EbsEncryptionByDefault"
|
|
|
+
|
|
|
+ policy = <<DOC4
|
|
|
+{
|
|
|
+ "Version": "2012-10-17",
|
|
|
+ "Statement": [
|
|
|
+ {
|
|
|
+ "Sid": "AssumeROle",
|
|
|
+ "Effect": "Allow",
|
|
|
+ "Action": [
|
|
|
+ "sts:AssumeRole"
|
|
|
+ ],
|
|
|
+ "Resource": "arn:aws:iam::*:role/fcm/fcm-analysis-EbsEncryptionByDefault"
|
|
|
+ }
|
|
|
+ ]
|
|
|
+}
|
|
|
+DOC4
|
|
|
+}
|
|
|
+
|
|
|
+resource "aws_iam_role_policy_attachment" "fcm-lambda-analysis-EbsEncryptionByDefault" {
|
|
|
+ role = "${aws_iam_role.fcm-lambda-analysis-EbsEncryptionByDefault.name}"
|
|
|
+ policy_arn = "${aws_iam_policy.fcm-lambda-analysis-EbsEncryptionByDefault.arn}"
|
|
|
+}
|
|
|
+
|
|
|
+resource "aws_iam_role_policy_attachment" "fcm-lambda-analysis-EbsEncryptionByDefault-shared" {
|
|
|
+ role = "${aws_iam_role.fcm-lambda-analysis-EbsEncryptionByDefault.name}"
|
|
|
+ policy_arn = "${aws_iam_policy.fcm-lambda-base.arn}"
|
|
|
+}
|
|
|
+
|
|
|
+# End of Roles
|
|
|
|
|
|
+# Function
|
|
|
resource "aws_lambda_function" "fcm-analysis-EbsEncryptionByDefault" {
|
|
|
filename = "fcm-analysis-EbsEncryptionByDefault.zip"
|
|
|
function_name = "fcm-analysis-EbsEncryptionByDefault"
|
|
|
- role = "${aws_iam_role.fcm-analysis-EbsEncryptionByDefault.arn}"
|
|
|
+ role = "${aws_iam_role.fcm-lambda-analysis-EbsEncryptionByDefault.arn}"
|
|
|
handler = "EbsEncryptionByDefault.lambda_handler"
|
|
|
|
|
|
# The filebase64sha256() function is available in Terraform 0.11.12 and later
|
|
|
@@ -92,7 +137,7 @@ resource "aws_lambda_function" "fcm-analysis-EbsEncryptionByDefault" {
|
|
|
}
|
|
|
}
|
|
|
|
|
|
-resource "aws_lambda_event_source_mapping" "example" {
|
|
|
+resource "aws_lambda_event_source_mapping" "fcm-analysis-EbsEncryptionByDefault" {
|
|
|
event_source_arn = "${aws_sqs_queue.fcm-analysis-EbsEncryptionByDefault.arn}"
|
|
|
function_name = "${aws_lambda_function.fcm-analysis-EbsEncryptionByDefault.arn}"
|
|
|
batch_size = 1 # How many messages to process at a time
|
Gogs