Add Infosec audit role to bucket access

Yousef Alam 2017-05-24 12:37:03 +01:00
Родитель 224061a69c
Коммит 5fdd1aed76
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 10B7403F339660D9
5 изменённых файлов: 41 добавлений и 4 удалений


@ -21,6 +21,8 @@ data "aws_iam_policy_document" "jenkins-backup-bucket-policy" {
variable = "aws:userId" variable = "aws:userId"
values = [ values = [
"${aws_iam_role.admin-access-role.unique_id}:*", "${aws_iam_role.admin-access-role.unique_id}:*",
"${lookup(var.unmanaged_role_ids, "admin-ec2-role")}:*",
"${lookup(var.unmanaged_role_ids, "InfosecSecurityAuditRole")}:*",
"${var.aws_account_id}" "${var.aws_account_id}"
] ]
} }
@ -50,7 +52,8 @@ data "aws_iam_policy_document" "jenkins-public-backup-bucket-policy" {
variable = "aws:userId" variable = "aws:userId"
values = [ values = [
"${aws_iam_role.admin-access-role.unique_id}:*", "${aws_iam_role.admin-access-role.unique_id}:*",
"${var.terraform_role_id}:*", "${lookup(var.unmanaged_role_ids, "admin-ec2-role")}:*",
"${lookup(var.unmanaged_role_ids, "InfosecSecurityAuditRole")}:*",
"${var.aws_account_id}" "${var.aws_account_id}"
] ]
} }
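Review bot: The first hunk (the statement at old line 21 of `jenkins-backup-bucket-policy`) newly exempts `admin-ec2-role` from the Deny in addition to the audit role, which widens that statement's exemption list beyond what the commit title describes; the second statement only swaps `var.terraform_role_id` for the same role, so its scope is unchanged. If the extra exemption in the first statement is intended, say so in the commit message; otherwise drop the line `"${lookup(var.unmanaged_role_ids, "admin-ec2-role")}:*",` from that statement. Exempting a role from the Deny only stops it being blocked; the audit role still needs an Allow from its own IAM policy before it can read the bucket, so a short comment above `values` such as `# aws:userId of an assumed role is "<role unique id>:<session>", hence the ":*" suffix` would help the next reader. Both enclosing data blocks start before their hunks.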


@ -9,6 +9,7 @@ module "discourse-production" {
fqdn = "discourse.mozilla-community.org" fqdn = "discourse.mozilla-community.org"
ssl_certificate = "${lookup(var.ssl_certificates, "community-sites-elb-${var.aws_region}")}" ssl_certificate = "${lookup(var.ssl_certificates, "community-sites-elb-${var.aws_region}")}"
aws_account_id = "${var.aws_account_id}" aws_account_id = "${var.aws_account_id}"
InfosecSecurityAuditRole_uid = "${lookup(var.unmanaged_role_ids, "InfosecSecurityAuditRole")}"
} }
module "discourse-staging" { module "discourse-staging" {
@ -22,4 +23,5 @@ module "discourse-staging" {
fqdn = "discourse.staging.paas.mozilla.community" fqdn = "discourse.staging.paas.mozilla.community"
ssl_certificate = "${lookup(var.ssl_certificates, "community-sites-elb-${var.aws_region}")}" ssl_certificate = "${lookup(var.ssl_certificates, "community-sites-elb-${var.aws_region}")}"
aws_account_id = "${var.aws_account_id}" aws_account_id = "${var.aws_account_id}"
InfosecSecurityAuditRole_uid = "${lookup(var.unmanaged_role_ids, "InfosecSecurityAuditRole")}"
} }
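Review bot: The new module input `InfosecSecurityAuditRole_uid` breaks the snake_case convention of the neighbouring inputs (`aws_account_id`, `ssl_certificate`) in both the production and staging module blocks; a name such as `infosec_audit_role_uid`, renamed in the module's variable declaration as well, would match the file's style. The value passed is the role's unique id rather than its ARN, and the `aws:userId` matching in the module depends on that distinction, so a one-line comment at the first use, `# unique id (not ARN) of a role managed outside Terraform; used for aws:userId matching`, would prevent a later "fix" to the ARN.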


@ -6,6 +6,7 @@ variable "environment" {}
variable "fqdn" {} variable "fqdn" {}
variable "ssl_certificate" {} variable "ssl_certificate" {}
variable "aws_account_id" {} variable "aws_account_id" {}
variable "InfosecSecurityAuditRole_uid" {}
resource "aws_security_group" "discourse-redis-sg" { resource "aws_security_group" "discourse-redis-sg" {
name = "discourse-redis-shared-sg" name = "discourse-redis-shared-sg"
@ -88,6 +89,32 @@ data "aws_iam_policy_document" "discourse-content-policy" {
"${aws_s3_bucket.discourse-content.arn}/*", "${aws_s3_bucket.discourse-content.arn}/*",
] ]
} }
statement {
effect = "Deny"
actions = [
"s3:*",
]
principals {
type = "AWS"
identifiers = ["*"]
}
condition {
test = "StringNotLike"
variable = "aws:userId"
values = [
"${var.InfosecSecurityAuditRole_uid}:*",
"${var.aws_account_id}"
]
}
resources = [
"${aws_s3_bucket.discourse-content.arn}",
"${aws_s3_bucket.discourse-content.arn}/*",
]
}
} }
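Review bot: The new Deny statement in the second hunk (`discourse-content-policy`) exempts only `${var.InfosecSecurityAuditRole_uid}:*` and the account root id from `s3:*`, so every other principal — including whatever IAM user or role the Discourse application and operators use for this bucket, if one is granted earlier in this data block — is denied regardless of any Allow, because an explicit Deny always wins. Unless that principal is the account root, its unique id needs to be added to the `values` list, for example `"<application-principal-unique-id placeholder>:*"`, following the pattern the other bucket policies in this commit use with `admin-access-role`. The `StringNotLike`/`aws:userId` form itself is sound, and since the exemption is keyed on the role's unique id, a recreated audit role would be silently denied until `unmanaged_role_ids` is refreshed; a comment on the statement saying so would help. The first hunk's `variable "InfosecSecurityAuditRole_uid" {}` has no `description`; `description = "Unique id of the Infosec audit role (managed outside Terraform), exempted from the content bucket deny"` would document it. The enclosing data block starts before the hunk.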


@ -23,7 +23,8 @@ data "aws_iam_policy_document" "marathon-backup-buckets-policy" {
variable = "aws:userId" variable = "aws:userId"
values = [ values = [
"${var.adminaccessrole-uid}:*", "${var.adminaccessrole-uid}:*",
"${var.terraform_role_id}:*", "${lookup(var.unmanaged_role_ids, "admin-ec2-role")}:*",
"${lookup(var.unmanaged_role_ids, "InfosecSecurityAuditRole")}:*",
"${var.aws_account_id}" "${var.aws_account_id}"
] ]
} }
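Review bot: The exemption list in `marathon-backup-buckets-policy` now mixes a passed-in id (`var.adminaccessrole-uid`) with direct lookups into `var.unmanaged_role_ids`; if this file is a module (the `adminaccessrole-uid` input suggests it is), `unmanaged_role_ids` must also be declared as a module input and wired by every caller, or the plan fails on an undeclared variable — the discourse module in the same commit instead passes a single `…_uid` value, which would be the consistent choice here. Either way, a one-line comment above `values`, such as `# aws:userId of an assumed role is "<role unique id>:<session>", hence the ":*" suffix`, would explain the suffix. The enclosing data block starts before the hunk.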


@ -43,6 +43,10 @@ variable "ssl_certificates" {
} }
} }
variable "terraform_role_id" { variable "unmanaged_role_ids" {
default = "AROAJQQ4P767MJJUWKKVK" # admin-ec2-role AWS role type = "map"
default = {
admin-ec2-role = "AROAJQQ4P767MJJUWKKVK"
InfosecSecurityAuditRole = "AROAJHELZZZIXWALL3AVS"
}
} }
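Review bot: The new `unmanaged_role_ids` map drops the `# admin-ec2-role AWS role` explanation the old `terraform_role_id` carried and adds a second hard-coded unique id with no note on what these values are or where they come from. A `description` such as `description = "Unique ids (not ARNs) of IAM roles created outside Terraform; look them up with aws iam get-role and refresh here if a role is recreated, since a recreated role gets a new id"` would keep that knowledge in the file. Because the bucket policies use these ids as Deny exemptions, a stale id fails closed (the role loses access) rather than open, which is worth stating alongside the map. Any reference to `var.terraform_role_id` left outside the hunks changed in this commit would now fail at plan time, so a search for the old name before merge is advisable.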