AWS
/
FredsCloudMonitor


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150
							#Allowed: arn:aws:iam::*:role/fcm/fcm-analysis-EbsEncryptionByDefault
#Actual:  arn:aws:iam::082012130604:role/fcm/fcm-analysis-EbsEncryptionByDefault
#
#Role trust: arn:aws:iam::082012130604:role/fcm/fcm-lambda-analysis-EbsEncryptionByDefault
#Actual:     arn:aws:iam::082012130604:role/fcm/fcm-lambda-analysis-EbsEncryptionByDefault

# All Accounts Role
resource "aws_iam_role" "fcm-analysis-EbsEncryptionByDefault" {
  name = "fcm-analysis-EbsEncryptionByDefault"
  path        = "/fcm/"
  description = "FCM role for EbsEncryptionByDefault Enforcement Analysis"

  assume_role_policy = <<DOC1
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": [
          "${aws_iam_role.fcm-lambda-analysis-EbsEncryptionByDefault.arn}"
        ]
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
DOC1
}

resource "aws_iam_policy" "fcm-analysis-EbsEncryptionByDefault" {
  name        = "fcm-analysis-EbsEncryptionByDefault"
  path        = "/fcm/"
  description = "FCM policy for EbsEncryptionByDefault Enforcement Analysis"

  policy = <<DOC2
{
    "Version": "2012-10-17",
    "Statement": [
         {
            "Sid": "FunctionSpecific",
            "Effect": "Allow",
            "Action": [
                "ec2:GetEbsEncryptionByDefault"
            ],
            "Resource": "*"
         }
    ]
}
DOC2
}

resource "aws_iam_role_policy_attachment" "fcm-analysis-EbsEncryptionByDefault" {
  role       = "${aws_iam_role.fcm-analysis-EbsEncryptionByDefault.name}"
  policy_arn = "${aws_iam_policy.fcm-analysis-EbsEncryptionByDefault.arn}"
}
### ABOVE needs to be in all accounts.

# Master Account Only:
resource "aws_iam_role" "fcm-lambda-analysis-EbsEncryptionByDefault" {
  name = "fcm-lambda-analysis-EbsEncryptionByDefault"
  path        = "/fcm/"
  description = "FCM policy for EbsEncryptionByDefault Enforcement Analysis Lambda Function"

  assume_role_policy = <<DOC3
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
DOC3
}

resource "aws_iam_policy" "fcm-lambda-analysis-EbsEncryptionByDefault" {
  name        = "fcm-lambda-analysis-EbsEncryptionByDefault"
  path        = "/fcm/"
  description = "FCM policy the lambda function EbsEncryptionByDefault"

  policy = <<DOC4
{
    "Version": "2012-10-17",
    "Statement": [
         {
            "Sid": "AssumeROle",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::*:role/fcm/fcm-analysis-EbsEncryptionByDefault"
         }
    ]
}
DOC4
}

resource "aws_iam_role_policy_attachment" "fcm-lambda-analysis-EbsEncryptionByDefault" {
  role       = "${aws_iam_role.fcm-lambda-analysis-EbsEncryptionByDefault.name}"
  policy_arn = "${aws_iam_policy.fcm-lambda-analysis-EbsEncryptionByDefault.arn}"
}

resource "aws_iam_role_policy_attachment" "fcm-lambda-analysis-EbsEncryptionByDefault-shared" {
  role       = "${aws_iam_role.fcm-lambda-analysis-EbsEncryptionByDefault.name}"
  policy_arn = "${aws_iam_policy.fcm-lambda-base.arn}"
}

# End of Roles

# Function
resource "aws_lambda_function" "fcm-analysis-EbsEncryptionByDefault" {
  filename      = "fcm-analysis-EbsEncryptionByDefault.zip"
  function_name = "fcm-analysis-EbsEncryptionByDefault"
  role          = "${aws_iam_role.fcm-lambda-analysis-EbsEncryptionByDefault.arn}"
  handler       = "EbsEncryptionByDefault.lambda_handler"

  # The filebase64sha256() function is available in Terraform 0.11.12 and later
  # For Terraform 0.11.11 and earlier, use the base64sha256() function and the file() function:
  # source_code_hash = "${base64sha256(file("lambda_function_payload.zip"))}"
  source_code_hash = "${data.archive_file.fcm-analysis-EbsEncryptionByDefault.output_base64sha256}"

  runtime = "python3.7"
  memory_size = 128 # 64MB increments
  timeout = 30 # Seconds

  environment {
    variables = {
      LOGLEVEL = "DEBUG"
    }
  }
}

resource "aws_lambda_event_source_mapping" "fcm-analysis-EbsEncryptionByDefault" {
  event_source_arn = "${aws_sqs_queue.fcm-analysis-EbsEncryptionByDefault.arn}"
  function_name    = "${aws_lambda_function.fcm-analysis-EbsEncryptionByDefault.arn}"
  batch_size = 1 # How many messages to process at a time
}

data "archive_file" "fcm-analysis-EbsEncryptionByDefault" {
    type        = "zip"
    source_dir  = "fcm-analysis-EbsEncryptionByDefault"
    output_path = "fcm-analysis-EbsEncryptionByDefault.zip"
}