
Commit f2ca48f

authored
Merge pull request #2 from dxw/ash/template_file
IAM Policy fixes
2 parents 938c471 + 9b99f7c commit f2ca48f

4 files changed

+63
-77
lines changed

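--- a/main.tf
+++ b/main.tf
@@ -9,6 +9,64 @@ locals {
 bucketname = "${var.namespace}-${var.bucketname}"
 }
 
+## Data
+
+data "aws_iam_policy_document" "bucket" {
+statement {
+effect = "Allow"
+
+principals {
+type = "Service"
+identifiers = ["cloudtrail.amazonaws.com"]
+}
+
+actions = ["s3:GetBucketAcl"]
+resources = ["arn:aws:s3:::${local.bucketname}"]
+}
+
+statement {
+effect = "Allow"
+
+principals {
+type = "Service"
+identifiers = ["cloudtrail.amazonaws.com"]
+}
+
+actions = ["s3:PutObject"]
+resources = ["arn:aws:s3:::${local.bucketname}/*"]
+
+condition {
+test = "StringEquals"
+variable = "s3:x-amz-acl"
+values = ["bucket-owner-full-control"]
+}
+}
+}
+
+data "aws_iam_policy_document" "assume_role" {
+statement {
+effect = "Allow"
+sid = ""
+
+principals {
+type = "Service"
+identifiers = ["cloudtrail.amazonaws.com"]
+}
+
+actions = ["sts:AssumeRole"]
+}
+}
+
+data "aws_iam_policy_document" "logs" {
+statement {
+effect = "Allow"
+actions = ["logs:CreateLogStream", "logs:PutLogEvents"]
+resources = [
+"${aws_cloudwatch_log_group.cloudtrail.arn}:*"
+]
+}
+}
+
 ## Resources
 
 ### Implementation
@@ -35,12 +93,7 @@ resource "aws_s3_bucket" "cloudtrail" {
 
 resource "aws_s3_bucket_policy" "cloudtrail_s3_policy" {
 bucket = aws_s3_bucket.cloudtrail.id
-policy = templatefile(
-"${path.module}/policies/cloudtrail_s3_policy.tpl",
-{
-bucket_name = local.bucketname
-}
-)
+policy = data.aws_iam_policy_document.bucket.json
 }
 
 resource "aws_s3_bucket_acl" "cloudtrail_acl" {
@@ -51,18 +104,13 @@ resource "aws_s3_bucket_acl" "cloudtrail_acl" {
 resource "aws_iam_role" "cloudtrail_cloudwatch_logs_role" {
 name = "${var.namespace}-cloudtrail-cloudwatch-logs"
 path = "/"
-assume_role_policy = file("${path.module}/policies/cloudtrail_assume_policy.json")
+assume_role_policy = data.aws_iam_policy_document.assume_role.json
 }
 
 resource "aws_iam_policy" "cloudtrail_cloudwatch_logs_policy" {
-name = "${var.namespace}-cloudtrail-cloudwatch-logs"
-path = "/"
-policy = templatefile(
-"${path.module}/policies/cloudtrail_cloudwatch_logs_policy.tpl",
-{
-cloudwatch_log_group_arn = aws_cloudwatch_log_group.cloudtrail.arn
-}
-)
+name = "${var.namespace}-cloudtrail-cloudwatch-logs"
+path = "/"
+policy = data.aws_iam_policy_document.logs.json
 }
 
 resource "aws_iam_role_policy_attachment" "cloudtrail_cloudwatch_logs_policy_attachment" {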
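Review bot: Both statements in the new `bucket` policy document (first hunk, new lines 15–43) grant `s3:GetBucketAcl` and `s3:PutObject` to the `cloudtrail.amazonaws.com` service principal with no `aws:SourceArn` or `aws:SourceAccount` condition, so the bucket policy accepts log delivery from a trail in any AWS account that names this bucket — the confused-deputy case the CloudTrail bucket-policy guidance recommends pinning with a source condition. Adding a `condition` block to both statements restricts delivery to this account's trail; building the trail ARN from region and account data sources (which would need declaring) rather than referencing the trail resource avoids a dependency cycle, since the bucket policy must exist before the trail can be created, and the trail resource is not in this section so its name is a placeholder below. The `assume_role` document at new line 46 presumably benefits from the same condition on its trust statement — verify against the current guidance for the CloudTrail-to-CloudWatch Logs role; its `sid = ""` is a no-op and can be dropped.

```hcl
data "aws_iam_policy_document" "bucket" {
  # … unchanged: GetBucketAcl statement — add the same condition block there …
  statement {
    # … unchanged: effect, principals, actions, resources, s3:x-amz-acl condition …
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      # constructed ARN: pins delivery to this account's trail without referencing the trail resource
      values   = ["arn:aws:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/<TRAIL_NAME>"]
    }
  }
}
```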

policies/cloudtrail_assume_policy.json

-13
This file was deleted.

policies/cloudtrail_cloudwatch_logs_policy.tpl

-23
This file was deleted.

policies/cloudtrail_s3_policy.tpl

-26
This file was deleted.
