Add Infosec audit role to bucket access
Родитель
224061a69c
Коммит
5fdd1aed76
@ -21,6 +21,8 @@ data "aws_iam_policy_document" "jenkins-backup-bucket-policy" {
|
||||||
variable = "aws:userId"
|
variable = "aws:userId"
|
||||||
values = [
|
values = [
|
||||||
"${aws_iam_role.admin-access-role.unique_id}:*",
|
"${aws_iam_role.admin-access-role.unique_id}:*",
|
||||||
|
"${lookup(var.unmanaged_role_ids, "admin-ec2-role")}:*",
|
||||||
|
"${lookup(var.unmanaged_role_ids, "InfosecSecurityAuditRole")}:*",
|
||||||
"${var.aws_account_id}"
|
"${var.aws_account_id}"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
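Review bot: Exempting InfosecSecurityAuditRole from this statement (its `effect` and `test` lines sit above the hunk, so I am reading it as the deny-unless-listed pattern the surrounding `aws:userId` values imply) lets the role do whatever its own identity policy allows on the backup bucket, writes and deletes included; nothing in the bucket policy keeps it read-only. If the audit role is meant to be read-only, that property now rests entirely on an IAM policy managed outside this repo, which is what the `unmanaged_role_ids` name suggests. Either record that assumption next to the new value, e.g. `# InfosecSecurityAuditRole is exempt from the deny; its IAM policy must stay read-only`, or split the deny so the audit role is exempted only from the Get/List actions it needs.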
|
@ -50,7 +52,8 @@ data "aws_iam_policy_document" "jenkins-public-backup-bucket-policy" {
|
||||||
variable = "aws:userId"
|
variable = "aws:userId"
|
||||||
values = [
|
values = [
|
||||||
"${aws_iam_role.admin-access-role.unique_id}:*",
|
"${aws_iam_role.admin-access-role.unique_id}:*",
|
||||||
"${var.terraform_role_id}:*",
|
"${lookup(var.unmanaged_role_ids, "admin-ec2-role")}:*",
|
||||||
|
"${lookup(var.unmanaged_role_ids, "InfosecSecurityAuditRole")}:*",
|
||||||
"${var.aws_account_id}"
|
"${var.aws_account_id}"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
|
@ -9,6 +9,7 @@ module "discourse-production" {
|
||||||
fqdn = "discourse.mozilla-community.org"
|
fqdn = "discourse.mozilla-community.org"
|
||||||
ssl_certificate = "${lookup(var.ssl_certificates, "community-sites-elb-${var.aws_region}")}"
|
ssl_certificate = "${lookup(var.ssl_certificates, "community-sites-elb-${var.aws_region}")}"
|
||||||
aws_account_id = "${var.aws_account_id}"
|
aws_account_id = "${var.aws_account_id}"
|
||||||
|
InfosecSecurityAuditRole_uid = "${lookup(var.unmanaged_role_ids, "InfosecSecurityAuditRole")}"
|
||||||
}
|
}
|
||||||
|
|
||||||
module "discourse-staging" {
|
module "discourse-staging" {
|
||||||
|
@ -22,4 +23,5 @@ module "discourse-staging" {
|
||||||
fqdn = "discourse.staging.paas.mozilla.community"
|
fqdn = "discourse.staging.paas.mozilla.community"
|
||||||
ssl_certificate = "${lookup(var.ssl_certificates, "community-sites-elb-${var.aws_region}")}"
|
ssl_certificate = "${lookup(var.ssl_certificates, "community-sites-elb-${var.aws_region}")}"
|
||||||
aws_account_id = "${var.aws_account_id}"
|
aws_account_id = "${var.aws_account_id}"
|
||||||
|
InfosecSecurityAuditRole_uid = "${lookup(var.unmanaged_role_ids, "InfosecSecurityAuditRole")}"
|
||||||
}
|
}
|
||||||
|
|
|
@ -6,6 +6,7 @@ variable "environment" {}
|
||||||
variable "fqdn" {}
|
variable "fqdn" {}
|
||||||
variable "ssl_certificate" {}
|
variable "ssl_certificate" {}
|
||||||
variable "aws_account_id" {}
|
variable "aws_account_id" {}
|
||||||
|
variable "InfosecSecurityAuditRole_uid" {}
|
||||||
|
|
||||||
resource "aws_security_group" "discourse-redis-sg" {
|
resource "aws_security_group" "discourse-redis-sg" {
|
||||||
name = "discourse-redis-shared-sg"
|
name = "discourse-redis-shared-sg"
|
||||||
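Review bot: `InfosecSecurityAuditRole_uid` mixes the role's CamelCase name into a module input where every other input (`aws_account_id`, `ssl_certificate`, `fqdn`) is lowercase snake_case, and it carries no description of what value it expects. A name like `infosec_security_audit_role_uid` with `description = "RoleId (unique ID) of the externally managed InfosecSecurityAuditRole; sessions of this role are exempted from the content bucket deny"` would fit the file. Renaming means updating the two module calls and the `var.InfosecSecurityAuditRole_uid` reference in the content policy, so doing it in this commit is cheaper than later.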
|
@ -88,6 +89,32 @@ data "aws_iam_policy_document" "discourse-content-policy" {
|
||||||
"${aws_s3_bucket.discourse-content.arn}/*",
|
"${aws_s3_bucket.discourse-content.arn}/*",
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
statement {
|
||||||
|
effect = "Deny"
|
||||||
|
actions = [
|
||||||
|
"s3:*",
|
||||||
|
]
|
||||||
|
|
||||||
|
principals {
|
||||||
|
type = "AWS"
|
||||||
|
identifiers = ["*"]
|
||||||
|
}
|
||||||
|
|
||||||
|
condition {
|
||||||
|
test = "StringNotLike"
|
||||||
|
variable = "aws:userId"
|
||||||
|
values = [
|
||||||
|
"${var.InfosecSecurityAuditRole_uid}:*",
|
||||||
|
"${var.aws_account_id}"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
|
resources = [
|
||||||
|
"${aws_s3_bucket.discourse-content.arn}",
|
||||||
|
"${aws_s3_bucket.discourse-content.arn}/*",
|
||||||
|
]
|
||||||
|
}
|
||||||
}
|
}
|
||||||
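Review bot: The new Deny statement exempts only InfosecSecurityAuditRole and the account root from `s3:*` on discourse-content, so any other principal that reads or writes this bucket — the Discourse application's own role or user, and the admin-access-role and admin-ec2-role that the sibling bucket policies in this commit exempt — is blocked unless it is covered somewhere I cannot see (the earlier statements of this document are outside the hunk). An explicit Deny wins over any Allow in those statements, so this is worth confirming before apply. Note also that a negated operator such as `StringNotLike` evaluates true when `aws:userId` is absent from the request context, so if an earlier statement grants anonymous reads, those are denied as well. If the intent is only to let the audit role in without locking others out, the exemption list needs the application's principal and the admin role IDs passed in as module inputs the way `InfosecSecurityAuditRole_uid` is; if the intent really is to restrict the bucket to these two principals, a comment such as `# Deny everything except the audit role and account root; application access must go through an exempted role` would stop the next reader from "fixing" it.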
|
|
||||||
|
|
||||||
|
|
|
@ -23,7 +23,8 @@ data "aws_iam_policy_document" "marathon-backup-buckets-policy" {
|
||||||
variable = "aws:userId"
|
variable = "aws:userId"
|
||||||
values = [
|
values = [
|
||||||
"${var.adminaccessrole-uid}:*",
|
"${var.adminaccessrole-uid}:*",
|
||||||
"${var.terraform_role_id}:*",
|
"${lookup(var.unmanaged_role_ids, "admin-ec2-role")}:*",
|
||||||
|
"${lookup(var.unmanaged_role_ids, "InfosecSecurityAuditRole")}:*",
|
||||||
"${var.aws_account_id}"
|
"${var.aws_account_id}"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
|
@ -43,6 +43,10 @@ variable "ssl_certificates" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "terraform_role_id" {
|
variable "unmanaged_role_ids" {
|
||||||
default = "AROAJQQ4P767MJJUWKKVK" # admin-ec2-role AWS role
|
type = "map"
|
||||||
|
default = {
|
||||||
|
admin-ec2-role = "AROAJQQ4P767MJJUWKKVK"
|
||||||
|
InfosecSecurityAuditRole = "AROAJHELZZZIXWALL3AVS"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
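Review bot: The two role unique IDs are pinned as literals with no record of where they came from, and the `# admin-ec2-role AWS role` comment that documented the old `terraform_role_id` value is dropped rather than carried over. A unique ID changes if the role is ever deleted and recreated, in which case every `:*` exemption built from this map silently stops matching — fail-closed, but it would lock the audit role (or admin-ec2-role) out of the backup buckets with no plan-time error. Suggest a comment on the map, e.g. `# RoleId of roles created outside Terraform; refresh with: aws iam get-role --role-name <name> --query Role.RoleId if a role is recreated`. Also confirm no other file still references `var.terraform_role_id`, since the variable is removed here rather than kept as an alias.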
|
|