diff --git a/backups.tf b/backups.tf
index 51cb34d..3611529 100644
--- a/backups.tf
+++ b/backups.tf
@@ -21,6 +21,8 @@ data "aws_iam_policy_document" "jenkins-backup-bucket-policy" {
 variable = "aws:userId"
 values = [
 "${aws_iam_role.admin-access-role.unique_id}:*",
+ "${lookup(var.unmanaged_role_ids, "admin-ec2-role")}:*",
+ "${lookup(var.unmanaged_role_ids, "InfosecSecurityAuditRole")}:*",
 "${var.aws_account_id}"
 ]
 }
@@ -50,7 +52,8 @@ data "aws_iam_policy_document" "jenkins-public-backup-bucket-policy" {
 variable = "aws:userId"
 values = [
 "${aws_iam_role.admin-access-role.unique_id}:*",
- "${var.terraform_role_id}:*",
+ "${lookup(var.unmanaged_role_ids, "admin-ec2-role")}:*",
+ "${lookup(var.unmanaged_role_ids, "InfosecSecurityAuditRole")}:*",
 "${var.aws_account_id}"
 ]
 }
diff --git a/discourse.tf b/discourse.tf
index 64678dd..f1a3d6f 100644
--- a/discourse.tf
+++ b/discourse.tf
@@ -9,6 +9,7 @@ module "discourse-production" {
 fqdn = "discourse.mozilla-community.org"
 ssl_certificate = "${lookup(var.ssl_certificates, "community-sites-elb-${var.aws_region}")}"
 aws_account_id = "${var.aws_account_id}"
+ InfosecSecurityAuditRole_uid = "${lookup(var.unmanaged_role_ids, "InfosecSecurityAuditRole")}"
 }
 
 module "discourse-staging" {
@@ -22,4 +23,5 @@ module "discourse-staging" {
 fqdn = "discourse.staging.paas.mozilla.community"
 ssl_certificate = "${lookup(var.ssl_certificates, "community-sites-elb-${var.aws_region}")}"
 aws_account_id = "${var.aws_account_id}"
+ InfosecSecurityAuditRole_uid = "${lookup(var.unmanaged_role_ids, "InfosecSecurityAuditRole")}"
 }
diff --git a/modules/discourse/main.tf b/modules/discourse/main.tf
index e1076d8..967eea4 100644
--- a/modules/discourse/main.tf
+++ b/modules/discourse/main.tf
@@ -6,6 +6,7 @@ variable "environment" {}
 variable "fqdn" {}
 variable "ssl_certificate" {}
 variable "aws_account_id" {}
+variable "InfosecSecurityAuditRole_uid" {}
 
 resource "aws_security_group" "discourse-redis-sg" {
 name = "discourse-redis-shared-sg"
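Review bot: The new input `variable "InfosecSecurityAuditRole_uid" {}` is undocumented and its CamelCase name breaks the snake_case convention of the neighbouring inputs (`ssl_certificate`, `aws_account_id`); I would rename it, e.g. `infosec_audit_role_uid`, updating both call sites in discourse.tf in the same commit. Whatever the name, it needs a `description = "IAM unique ID (AROA...) of the InfosecSecurityAuditRole, matched against aws:userId to exempt it from the deny statement on the discourse-content bucket"`, because a caller passing the role ARN instead of the unique ID would make that condition never match and lock the role out.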
@@ -88,6 +89,32 @@ data "aws_iam_policy_document" "discourse-content-policy" {
 "${aws_s3_bucket.discourse-content.arn}/*",
 ]
 }
+
+ statement {
+ effect = "Deny"
+ actions = [
+ "s3:*",
+ ]
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "StringNotLike"
+ variable = "aws:userId"
+ values = [
+ "${var.InfosecSecurityAuditRole_uid}:*",
+ "${var.aws_account_id}"
+ ]
+ }
+
+ resources = [
+ "${aws_s3_bucket.discourse-content.arn}",
+ "${aws_s3_bucket.discourse-content.arn}/*",
+ ]
+ }
 }
 
 
diff --git a/modules/mesos-cluster/backups.tf b/modules/mesos-cluster/backups.tf
index 5005353..0031b69 100644
--- a/modules/mesos-cluster/backups.tf
+++ b/modules/mesos-cluster/backups.tf
@@ -23,7 +23,8 @@ data "aws_iam_policy_document" "marathon-backup-buckets-policy" {
 variable = "aws:userId"
 values = [
 "${var.adminaccessrole-uid}:*",
- "${var.terraform_role_id}:*",
+ "${lookup(var.unmanaged_role_ids, "admin-ec2-role")}:*",
+ "${lookup(var.unmanaged_role_ids, "InfosecSecurityAuditRole")}:*",
 "${var.aws_account_id}"
 ]
 }
diff --git a/variables.tf b/variables.tf
index b18b0d1..8d2f159 100644
--- a/variables.tf
+++ b/variables.tf
@@ -43,6 +43,10 @@ variable "ssl_certificates" {
 }
 }
 
-variable "terraform_role_id" {
- default = "AROAJQQ4P767MJJUWKKVK" # admin-ec2-role AWS role
+variable "unmanaged_role_ids" {
+ type = "map"
+ default = {
+ admin-ec2-role = "AROAJQQ4P767MJJUWKKVK"
+ InfosecSecurityAuditRole = "AROAJHELZZZIXWALL3AVS"
+ }
 }
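Review bot: The added Deny exempts only the audit role and the account root from `s3:*` on the discourse-content bucket, so every other principal is explicitly denied — including `admin-access-role` and `admin-ec2-role`, which the backup-bucket policies in this same diff do exempt, and whatever principal Discourse itself uses to write uploads (the Allow statement above is cut off, so its principal is not visible here) — and an explicit Deny overrides any Allow. If the Terraform runner is `admin-ec2-role`, as the removed comment in variables.tf suggests, the next apply that touches this bucket or its policy will fail with AccessDenied unless it runs as root. I would add the admin and application principals to the condition, e.g. a new module input `variable "adminaccessrole_uid" {}` and `"${var.adminaccessrole_uid}:*",` in the `values` list, with a comment above the statement: `# Deny-all except the principals listed here; anything added later must be listed too or it is locked out`. Note that IAM users have `AIDA...` unique IDs with no session suffix, so an application IAM user would need its exact unique ID rather than a `:*` pattern. The enclosing data block starts before this hunk.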
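Review bot: `lookup(var.unmanaged_role_ids, ...)` is now used inside modules/mesos-cluster, but this diff neither declares `variable "unmanaged_role_ids"` in that module nor updates the module call to pass it; Terraform modules do not inherit root variables, so unless that wiring exists outside the diff, `terraform plan` fails on an unknown variable (compare the discourse module, which received an explicit input in this same commit). The removed `var.terraform_role_id` was presumably a module input as well; if the root module still passes `terraform_role_id = "${var.terraform_role_id}"`, that reference now points at a variable deleted from variables.tf. I would add `variable "unmanaged_role_ids" { type = "map" }` to the module and `unmanaged_role_ids = "${var.unmanaged_role_ids}"` at the call site. The enclosing policy statement starts before this hunk.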
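Review bot: The map carries hard-coded IAM role unique IDs (`AROA...`) with no description, and the only explanation in the old code, `# admin-ec2-role AWS role`, is dropped; since these values feed `StringNotLike` conditions on `aws:userId` in Deny statements elsewhere in this diff, a stale ID (unique IDs change whenever a role is deleted and recreated) silently locks every principal except the account root out of those buckets. I would add `description = "Unique IDs (AROA...) of IAM roles created outside this Terraform. They change if a role is recreated; a stale value locks all but the account root out of every bucket whose Deny statement references them."` to the variable. Shipping these IDs as a `default` also means applying this configuration against another account quietly uses the wrong IDs; consider dropping the default so the values must be supplied explicitly.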