mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 17:05:18 +00:00
08b2ab5c18
* update deployment guide and add additional descriptions/comments for terraform resources * add architecture diagram to deployment guide
97 lines
3.1 KiB
HCL
97 lines
3.1 KiB
HCL
data "aws_iam_policy_document" "fleet" {
|
|
statement {
|
|
effect = "Allow"
|
|
actions = ["cloudwatch:PutMetricData"]
|
|
resources = ["*"]
|
|
}
|
|
|
|
// allow fleet application to obtain the database password from secrets manager
|
|
statement {
|
|
effect = "Allow"
|
|
actions = ["secretsmanager:GetSecretValue"]
|
|
resources = [aws_secretsmanager_secret.database_password_secret.arn]
|
|
}
|
|
|
|
// useful when there is a static number of mysql cluster members
|
|
dynamic "statement" {
|
|
for_each = module.aurora_mysql.rds_cluster_instance_dbi_resource_ids
|
|
content {
|
|
effect = "Allow"
|
|
actions = ["rds-db:connect"]
|
|
resources = ["arn:aws:rds-db:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:dbuser:${statement.value}/${var.database_user}"]
|
|
}
|
|
}
|
|
|
|
// allow access to any database via IAM that has the var.database_user user
|
|
// useful when you are autoscaling mysql read replicas dynamically
|
|
statement {
|
|
effect = "Allow"
|
|
actions = ["rds-db:connect"]
|
|
resources = ["arn:aws:rds-db:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:dbuser:*/${var.database_user}"]
|
|
}
|
|
|
|
// allow fleet application to write to kinesis firehose for osquery log destination configuration
|
|
statement {
|
|
effect = "Allow"
|
|
actions = [
|
|
"firehose:DescribeDeliveryStream",
|
|
"firehose:PutRecord",
|
|
"firehose:PutRecordBatch",
|
|
]
|
|
resources = [aws_kinesis_firehose_delivery_stream.osquery_results.arn, aws_kinesis_firehose_delivery_stream.osquery_status.arn]
|
|
}
|
|
|
|
// These actions are required for osquery file carving APIs
|
|
// We use wildcards on these actions for buckets that are single-use.
|
|
statement { #tfsec:ignore:aws-iam-no-policy-wildcards
|
|
effect = "Allow"
|
|
actions = [
|
|
"s3:GetObject*",
|
|
"s3:PutObject*",
|
|
"s3:ListBucket*",
|
|
"s3:ListMultipartUploadParts*",
|
|
"s3:DeleteObject",
|
|
"s3:CreateMultipartUpload",
|
|
"s3:AbortMultipartUpload",
|
|
"s3:ListMultipartUploadParts",
|
|
"s3:GetBucketLocation"
|
|
]
|
|
resources = [
|
|
aws_s3_bucket.osquery-carve.arn,
|
|
"${aws_s3_bucket.osquery-carve.arn}/*"
|
|
]
|
|
}
|
|
}
|
|
|
|
data "aws_iam_policy_document" "assume_role" {
|
|
statement {
|
|
effect = "Allow"
|
|
actions = ["sts:AssumeRole"]
|
|
principals {
|
|
identifiers = ["ecs.amazonaws.com", "ecs-tasks.amazonaws.com"]
|
|
type = "Service"
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "aws_iam_role" "main" {
|
|
name = "fleetdm-role"
|
|
description = "IAM role that Fleet application assumes when running in ECS"
|
|
assume_role_policy = data.aws_iam_policy_document.assume_role.json
|
|
}
|
|
|
|
resource "aws_iam_role_policy_attachment" "role_attachment" {
|
|
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
|
|
role = aws_iam_role.main.name
|
|
}
|
|
|
|
resource "aws_iam_policy" "main" {
|
|
name = "fleet-iam-policy"
|
|
description = "IAM policy that Fleet application uses to define access to AWS resources"
|
|
policy = data.aws_iam_policy_document.fleet.json
|
|
}
|
|
|
|
resource "aws_iam_role_policy_attachment" "attachment" {
|
|
policy_arn = aws_iam_policy.main.arn
|
|
role = aws_iam_role.main.name
|
|
} |