-
Notifications
You must be signed in to change notification settings - Fork 81
/
iam.tf
121 lines (105 loc) · 3.21 KB
/
iam.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
# Get the access to the effective Account ID in which Terraform is working.
data "aws_caller_identity" "current" {
}
# Allow the AWS Config role to deliver logs to configured S3 Bucket.
# Derived from IAM Policy document found at https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html
data "aws_iam_policy_document" "aws_config_policy" {
statement {
sid = "AWSConfigBucketPermissionsCheck"
effect = "Allow"
actions = [
"s3:GetBucketAcl",
]
resources = [
format("arn:%s:s3:::%s", data.aws_partition.current.partition, var.config_logs_bucket)
]
}
dynamic "statement" {
for_each = var.sns_kms_key_id != null ? [1] : []
content {
sid = "AWSAllowKMSKeyUsage"
effect = "Allow"
actions = [
"kms:Decrypt",
"kms:GenerateDataKey*"
]
resources = [var.sns_kms_key_id]
}
}
dynamic "statement" {
for_each = var.sns_kms_key_id != null ? [1] : []
content {
sid = "AWSAllowSNSPublish"
effect = "Allow"
actions = [
"sns:Publish"
]
resources = [var.config_sns_topic_arn]
}
}
statement {
sid = "AWSConfigBucketExistenceCheck"
effect = "Allow"
actions = [
"s3:ListBucket"
]
resources = [
format("arn:%s:s3:::%s", data.aws_partition.current.partition, var.config_logs_bucket)
]
}
statement {
sid = "AWSConfigBucketDelivery"
effect = "Allow"
actions = ["s3:PutObject"]
resources = [
format("arn:%s:s3:::%s%s%s/AWSLogs/%s/Config/*",
data.aws_partition.current.partition,
var.config_logs_bucket,
var.config_logs_prefix == "" ? "" : "/",
var.config_logs_prefix,
var.enable_multi_account_logs ? "*" : data.aws_caller_identity.current.account_id
)
]
condition {
test = "StringLike"
variable = "s3:x-amz-acl"
values = ["bucket-owner-full-control"]
}
}
}
# Allow IAM policy to assume the role for AWS Config
data "aws_iam_policy_document" "aws-config-role-policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["config.amazonaws.com"]
}
effect = "Allow"
}
}
#
# IAM
#
resource "aws_iam_role" "main" {
count = var.enable_config_recorder ? 1 : 0
name = "${var.config_name}-role"
assume_role_policy = data.aws_iam_policy_document.aws-config-role-policy.json
permissions_boundary = var.config_role_permissions_boundary
tags = var.tags
}
resource "aws_iam_role_policy_attachment" "managed-policy" {
count = var.enable_config_recorder ? 1 : 0
role = aws_iam_role.main[count.index].name
policy_arn = format("arn:%s:iam::aws:policy/service-role/AWS_ConfigRole", data.aws_partition.current.partition)
}
resource "aws_iam_policy" "aws-config-policy" {
count = var.enable_config_recorder ? 1 : 0
name = "${var.config_name}-policy"
policy = data.aws_iam_policy_document.aws_config_policy.json
}
resource "aws_iam_role_policy_attachment" "aws-config-policy" {
count = var.enable_config_recorder ? 1 : 0
role = aws_iam_role.main[count.index].name
policy_arn = aws_iam_policy.aws-config-policy[0].arn
}