Add IAM role handling

threatstack · Apr 18, 2017 · daa6736 · daa6736
1 parent 7d73890
commit daa6736
Show file tree

Hide file tree

Showing 4 changed files with 189 additions and 0 deletions.
diff --git a/aws_iam_assume_role_policy.tpl b/aws_iam_assume_role_policy.tpl
@@ -0,0 +1,17 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::${threatstack_account_id}:root"
+      },
+      "Action": "sts:AssumeRole",
+      "Condition": {
+        "StringEquals": {
+          "sts:ExternalId": "${threatstack_external_id}"
+        }
+      }
+    }
+  ]
+}
diff --git a/aws_iam_role_policy.tpl b/aws_iam_role_policy.tpl
@@ -0,0 +1,102 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": [
+                "cloudtrail:DescribeTrails",
+                "cloudtrail:GetTrailStatus",
+                "cloudtrail:ListPublicKeys",
+                "cloudtrail:ListTags",
+                "ec2:Describe*",
+                "elasticloadbalancing:DescribeInstanceHealth",
+                "elasticloadbalancing:DescribeListeners",
+                "elasticloadbalancing:DescribeLoadBalancerAttributes",
+                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
+                "elasticloadbalancing:DescribeLoadBalancerPolicies",
+                "elasticloadbalancing:DescribeLoadBalancers",
+                "elasticloadbalancing:DescribeRules",
+                "elasticloadbalancing:DescribeSSLPolicies",
+                "elasticloadbalancing:DescribeTags",
+                "elasticloadbalancing:DescribeTargetGroupAttributes",
+                "elasticloadbalancing:DescribeTargetGroups",
+                "elasticloadbalancing:DescribeTargetHealth",
+                "iam:GenerateCredentialReport",
+                "iam:GetAccountPasswordPolicy",
+                "iam:GetCredentialReport",
+                "iam:GetAccountSummary",
+                "iam:ListAttachedUserPolicies",
+                "iam:ListUsers",
+                "kms:GetKeyRotationStatus",
+                "kms:ListKeys",
+                "rds:DescribeAccountAttributes",
+                "rds:DescribeCertificates",
+                "rds:DescribeEngineDefaultClusterParameters",
+                "rds:DescribeEngineDefaultParameters",
+                "rds:DescribeDBClusterParameterGroups",
+                "rds:DescribeDBClusterParameters",
+                "rds:DescribeDBClusterSnapshots",
+                "rds:DescribeDBClusters",
+                "rds:DescribeDBInstances",
+                "rds:DescribeDBLogFiles",
+                "rds:DescribeDBParameterGroups",
+                "rds:DescribeDBParameters",
+                "rds:DescribeDBSecurityGroups",
+                "rds:DescribeDBSnapshotAttributes",
+                "rds:DescribeDBSnapshots",
+                "rds:DescribeDBEngineVersions",
+                "rds:DescribeDBSubnetGroups",
+                "rds:DescribeEventCategories",
+                "rds:DescribeEvents",
+                "rds:DescribeEventSubscriptions",
+                "rds:DescribeOptionGroups",
+                "rds:DescribeOptionGroupOptions",
+                "rds:DescribeOrderableDBInstanceOptions",
+                "rds:DescribePendingMaintenanceActions",
+                "rds:DescribeReservedDBInstances",
+                "rds:DescribeReservedDBInstancesOfferings",
+                "rds:ListTagsForResource",
+                "s3:GetBucketAcl",
+                "s3:GetBucketPolicy",
+                "s3:ListAllMyBuckets",
+                "s3:GetBucketLocation",
+                "s3:GetBucketLogging",
+                "sns:GetEndpointAttributes",
+                "sns:GetPlatformApplicationAttributes",
+                "sns:GetSMSAttributes",
+                "sns:GetSubscriptionAttributes",
+                "sns:GetTopicAttributes",
+                "sns:ListEndpointsByPlatformApplication",
+                "sns:ListPlatformApplications",
+                "sns:ListSubscriptions",
+                "sns:ListSubscriptionsByTopic",
+                "sns:ListTopics"
+            ],
+            "Resource": "*",
+            "Effect": "Allow",
+            "Sid": "ThreatStackPermissions"
+        },
+        {
+            "Action": [
+                "sqs:GetQueueAttributes",
+                "sqs:GetQueueUrl",
+                "sqs:DeleteMessage",
+                "sqs:ListQueues",
+                "sqs:ReceiveMessage"
+            ],
+            "Resource": [
+                "${sqs_queue_arn}"
+            ],
+            "Effect": "Allow"
+        },
+        {
+            "Action": [
+                "s3:Get*",
+                "s3:List*"
+            ],
+            "Resource": [
+                "${s3_resource}"
+            ],
+            "Effect": "Allow"
+        }
+    ]
+}
diff --git a/aws_sqs_queue_policy.tpl b/aws_sqs_queue_policy.tpl
@@ -0,0 +1,18 @@
+{
+	"Id": "TSQueuePolicy",
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Sid": "Allow-TS-SendMessage",
+			"Effect": "Allow",
+			"Principal": "*",
+			"Action": "sqs:SendMessage",
+			"Resource": "*",
+			"Condition": {
+				"ArnEquals": {
+                    "aws:SourceArn": "${sns_arn}"
+                }
+			}
+		}
+	]
+}
diff --git a/main.tf b/main.tf
@@ -1,6 +1,16 @@
 // Setup a default CloudTrail trail.
 
 //Variables
+variable "threatstack_account_id" {
+  type = "string"
+  description = "Threat Stack AWS account ID."
+}
+
+variable "threatstack_external_id" {
+  type = "string"
+  description = "Threat Stack AWS external ID."
+}
+
 variable "aws_account" {
   type = "string"
   description = "Used for naming S3 bucket in tf_example_aws_s3"
@@ -22,6 +32,12 @@ variable "aws_cloudtrail_name" {
   default = "ThreatStackIntegration"
 }
 
+variable "aws_iam_role_name" {
+  type = "string"
+  description = "Threat Stack IAM role Name"
+  default = "ThreatStackIntegration"
+}
+
 variable "aws_sns_topic_name" {
   type = "string"
   description = "Name of SNS topic."
@@ -113,6 +129,22 @@ data "template_file" "aws_sqs_queue_policy" {
   }
 }
 
+data "template_file" "aws_iam_assume_role_policy" {
+  template = "${file("${path.module}/aws_iam_assume_role_policy.tpl")}"
+  vars {
+    threatstack_account_id = "${var.threatstack_account_id}"
+    threatstack_external_id = "${var.threatstack_external_id}"
+  }
+}
+
+data "template_file" "aws_iam_role_policy" {
+  template = "${file("${path.module}/aws_iam_role_policy.tpl")}"
+  vars {
+    sqs_queue_arn = "${aws_sqs_queue.sqs.arn}"
+    s3_resource = "${aws_sqs_queue.sqs.arn}/*"
+  }
+}
+
 
 // Resources
 module "aws_cloudtrail" {
@@ -153,6 +185,18 @@ resource "aws_sns_topic_subscription" "sqs" {
   endpoint = "${aws_sqs_queue.sqs.arn}"
 }
 
+resource "aws_iam_role" "role" {
+  name = "${var.aws_iam_role_name}"
+  assume_role_policy = "${data.template_file.aws_iam_assume_role_policy.rendered}"
+}
+
+resource "aws_iam_role_policy" "role" {
+  name = "${var.aws_iam_role_name}"
+  role = "${aws_iam_role.role.id}"
+
+  policy = "${data.template_file.aws_iam_role_policy.rendered}"
+}
+
 // Outputs
 output "cloudtrail_id" {
   value = "${module.aws_cloudtrail.cloudtrail_id}"
@@ -174,6 +218,14 @@ output "cloudwatch_log_group_arn" {
   value = "${module.aws_cloudtrail.cloudwatch_log_group_arn}"
 }
 
+output "iam_role_name" {
+  value = "${aws_iam_role.role.name}"
+}
+
+output "iam_role_arn" {
+  value = "${aws_iam_role.role.arn}"
+}
+
 output "s3_bucket_id" {
   value = "${module.aws_cloudtrail.s3_bucket_id}"
 }