# Shared name and tag set applied to every resource in this module.
locals {
  name = "cloud-custodian"
  tags = { application = local.name }
}
# source: https://github.com/cloud-custodian/cloud-custodian/issues/1693
# command: iam-policy-json-to-terraform < cloud-custodian-iam-policy.json | pbcopy
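# Execution policy for the Cloud Custodian Lambda role. The action list is the
# one posted in https://github.com/cloud-custodian/cloud-custodian/issues/1693,
# converted with iam-policy-json-to-terraform and then tidied:
#   - duplicate entries dropped (ec2:CreateSnapshot, s3:GetBucketPolicy, and a
#     trailing cloudtrail statement whose two actions the CloudTrail statement
#     already grants),
#   - action casing normalised (cloudwatch:PutMetricData, iam:ListMFADevices;
#     IAM matches action names case-insensitively, so permissions are unchanged),
#   - every statement given a Sid so policy-simulator and IAM Access Analyzer
#     output can point at a named statement instead of an index.
#
# NOTE(review): every statement is resources = ["*"]. Several of these actions
# are account-wide destructive or credential-bearing (sts:AssumeRole,
# iam:UpdateAccessKey / iam:DeleteAccessKey, s3:GetObject / s3:PutObject,
# s3:PutBucketPolicy / s3:PutBucketAcl, ecr:SetRepositoryPolicy,
# lambda:InvokeFunction / lambda:DeleteFunction, ec2:TerminateInstances,
# rds:DeleteDBInstance). Before using this outside a sandbox account, narrow
# `resources` to the ARNs the deployed Custodian policies actually act on, or
# add an aws:ResourceTag condition to the mutating statements, and remove any
# action no deployed policy requires. The document is attached inline via
# aws_iam_role_policy, which is capped at 10,240 non-whitespace characters;
# switch to a customer managed policy if the list keeps growing.
data "aws_iam_policy_document" "default" {
  statement {
    sid       = "Health"
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "health:DescribeEvents",
      "health:DescribeAffectedEntities",
      "health:DescribeEventDetails",
    ]
  }

  statement {
    sid       = "Lambda"
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "lambda:DeleteFunction",
      "lambda:GetPolicy",
      "lambda:RemovePermission",
      "lambda:TagResource",
      "lambda:UntagResource",
      "lambda:InvokeFunction",
    ]
  }

  statement {
    sid       = "CloudTrailConfigSupportShield"
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "cloudtrail:CreateTrail",
      "cloudtrail:DescribeTrails",
      "cloudtrail:GetEventSelectors",
      "cloudtrail:GetTrailStatus",
      "config:DescribeDeliveryChannels",
      "config:DescribeConfigurationRecorders",
      "config:DescribeConfigurationRecorderStatus",
      "config:GetResourceConfigHistory",
      "support:CreateCase",
      "support:DescribeTrustedAdvisorCheckResult",
      "support:RefreshTrustedAdvisorCheck",
      "shield:CreateSubscription",
      "shield:DescribeSubscription",
      "shield:DeleteSubscription",
    ]
  }

  statement {
    sid       = "EC2"
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "ec2:AssociateIamInstanceProfile",
      "ec2:AuthorizeSecurityGroupIngress",
      "ec2:AuthorizeSecurityGroupEgress",
      "ec2:CreateSnapshot",
      "ec2:CreateTags",
      "ec2:CopySnapshot",
      "ec2:DeleteVolume",
      "ec2:DeleteNatGateway",
      "ec2:DeleteSecurityGroup",
      "ec2:DeleteSnapshot",
      "ec2:DeleteTags",
      "ec2:DeregisterImage",
      "ec2:DescribeImages",
      "ec2:DescribeInstanceAttribute",
      "ec2:DescribeInstances",
      "ec2:DescribeInstanceStatus",
      "ec2:DescribeFlowLogs",
      "ec2:DescribePrefixLists",
      "ec2:DescribeRouteTables",
      "ec2:DescribeStaleSecurityGroups",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeSubnets",
      "ec2:DescribeTags",
      "ec2:DescribeVolumes",
      "ec2:DescribeVpcs",
      "ec2:DisassociateIamInstanceProfile",
      "ec2:DescribeSnapshotAttribute",
      "ec2:DescribeSnapshots",
      "ec2:DetachVolume",
      "ec2:ModifyVolumeAttribute",
      "ec2:ModifyInstanceAttribute",
      "ec2:ModifyNetworkInterfaceAttribute",
      "ec2:ResetImageAttribute",
      "ec2:RevokeSecurityGroupIngress",
      "ec2:RevokeSecurityGroupEgress",
      "ec2:StartInstances",
      "ec2:StopInstances",
      "ec2:TerminateInstances",
    ]
  }

  statement {
    sid       = "ResourceGroupsTagging"
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "tag:TagResources",
      "tag:UntagResources",
    ]
  }

  statement {
    sid       = "WAFRegional"
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "waf-regional:AssociateWebACL",
      "waf-regional:ListResourcesForWebACL",
      "waf-regional:ListWebACLs",
    ]
  }

  statement {
    sid       = "ELB"
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "elasticloadbalancing:AddTags",
      "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
      "elasticloadbalancing:CreateLoadBalancerPolicy",
      "elasticloadbalancing:DeleteLoadBalancer",
      "elasticloadbalancing:DescribeLoadBalancerAttributes",
      "elasticloadbalancing:DescribeLoadBalancerPolicies",
      "elasticloadbalancing:DescribeListeners",
      "elasticloadbalancing:DescribeTargetGroups",
      "elasticloadbalancing:ModifyLoadBalancerAttributes",
      "elasticloadbalancing:ModifyListener",
      "elasticloadbalancing:RemoveTags",
      "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
    ]
  }

  statement {
    sid       = "AutoScaling"
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "autoscaling:CreateOrUpdateTags",
      "autoscaling:DescribeLaunchConfigurations",
      "autoscaling:DeleteAutoScalingGroup",
      "autoscaling:DeleteLaunchConfiguration",
      "autoscaling:DeleteTags",
      "autoscaling:UpdateAutoScalingGroup",
      "autoscaling:SuspendProcesses",
      "autoscaling:ResumeProcesses",
    ]
  }

  statement {
    sid       = "CloudFrontWAF"
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "cloudfront:UpdateDistribution",
      "cloudfront:GetDistributionConfig",
      "cloudfront:GetStreamingDistributionConfig",
      "cloudfront:UpdateStreamingDistribution",
      "waf:ListWebACLs",
    ]
  }

  statement {
    sid       = "CloudWatchLogs"
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "cloudwatch:DeleteAlarms",
      "cloudwatch:DescribeAlarmsForMetric",
      "cloudwatch:GetMetricStatistics",
      "cloudwatch:PutMetricData",
      "logs:DeleteLogGroup",
      "logs:DescribeLogStreams",
      "logs:PutRetentionPolicy",
    ]
  }

  statement {
    sid       = "DynamoDB"
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "dynamodb:DeleteTable",
      "dynamodb:ListTagsOfResource",
      "dynamodb:TagResource",
      "dynamodb:UntagResource",
    ]
  }

  statement {
    sid       = "ECR"
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "ecr:GetRepositoryPolicy",
      "ecr:SetRepositoryPolicy",
    ]
  }

  statement {
    sid       = "EFS"
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "elasticfilesystem:DeleteFileSystem",
      "elasticfilesystem:DeleteMountTarget",
      "elasticfilesystem:DescribeMountTargets",
    ]
  }

  statement {
    sid       = "ElastiCache"
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "elasticache:CreateSnapshot",
      "elasticache:ListTagsForResource",
      "elasticache:ModifyReplicationGroup",
      "elasticache:DeleteCacheCluster",
      "elasticache:DeleteReplicationGroup",
      "elasticache:DeleteSnapshot",
    ]
  }

  statement {
    sid       = "SQS"
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "sqs:DeleteQueue",
      "sqs:GetQueueAttributes",
      "sqs:SetQueueAttributes",
    ]
  }

  statement {
    sid       = "SNS"
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "sns:GetTopicAttributes",
      "sns:SetTopicAttributes",
    ]
  }

  statement {
    sid       = "Elasticsearch"
    effect    = "Allow"
    resources = ["*"]
    actions   = ["es:DeleteElasticsearchDomain"]
  }

  statement {
    sid       = "RDS"
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "rds:AddTagsToResource",
      "rds:CopyDBSnapshot",
      "rds:CreateDBSnapshot",
      "rds:DeleteDBInstance",
      "rds:DeleteDBSnapshot",
      "rds:DescribeDBEngineVersions",
      "rds:DescribeDBInstances",
      "rds:DescribeDBParameters",
      "rds:DescribeDBSnapshotAttributes",
      "rds:DescribeDBSnapshots",
      "rds:ModifyDBCluster",
      "rds:ModifyDBInstance",
      "rds:ModifyDBParameterGroup",
      "rds:RemoveTagsFromResource",
      "rds:RebootDBInstance",
    ]
  }

  # sts:AssumeRole is kept in its own statement so it is easy to narrow: a role
  # can only be assumed when its own trust policy also permits it, but listing
  # the intended target role ARNs here instead of "*" is the expected shape.
  statement {
    sid       = "STSAssumeRole"
    effect    = "Allow"
    resources = ["*"]
    actions   = ["sts:AssumeRole"]
  }

  statement {
    sid       = "IAM"
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "iam:DeleteAccessKey",
      "iam:GenerateCredentialReport",
      "iam:GetAccountSummary",
      "iam:GetAccountPasswordPolicy",
      "iam:GetCredentialReport",
      "iam:GetGroup",
      "iam:ListAccessKeys",
      "iam:ListAccountAliases",
      "iam:ListAttachedUserPolicies",
      "iam:ListAttachedRolePolicies",
      "iam:ListPolicyVersions",
      "iam:ListGroupPolicies",
      "iam:ListGroupsForUser",
      "iam:ListMFADevices",
      "iam:ListPolicies",
      "iam:ListRolePolicies",
      "iam:ListVirtualMFADevices",
      "iam:UpdateAccessKey",
    ]
  }

  statement {
    sid       = "S3"
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "s3:DeleteBucketPolicy",
      "s3:DeleteBucketWebsite",
      "s3:ListAllMyBuckets",
      "s3:ListBucket",
      "s3:GetBucketPolicy",
      "s3:GetObject",
      "s3:GetBucketNotification",
      "s3:GetInventoryConfiguration",
      "s3:PutBucketAcl",
      "s3:PutBucketPolicy",
      "s3:PutBucketVersioning",
      "s3:PutBucketLogging",
      "s3:PutBucketNotification",
      "s3:PutInventoryConfiguration",
      "s3:PutObject",
    ]
  }
}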
# Trust policy: only the Lambda service principal may assume the role.
# NOTE(review): no condition limits which account's functions the service may
# act for; a condition on aws:SourceAccount (and/or aws:SourceArn) is the usual
# confused-deputy guard for service-principal trust policies -- confirm Lambda
# supplies those keys for execution-role assumption before relying on it.
data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}
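# Attaches the execution policy inline to the Custodian role.
resource "aws_iam_role_policy" "default" {
  name = local.name

  # Reference the role resource instead of repeating local.name: the value is
  # the same role name, but the explicit reference lets Terraform create the
  # role before this policy (a bare string gives no ordering, so a fresh apply
  # can fail with a missing-role error) and re-attach it if the role is
  # replaced.
  role = aws_iam_role.default.name

  policy = data.aws_iam_policy_document.default.json
}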
# Execution role assumed by the Cloud Custodian Lambda function.
resource "aws_iam_role" "default" {
  name = local.name
  tags = local.tags

  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
}