Add Infosec audit role to bucket access

2017-05-24 12:37:03 +01:00 · 2017-05-24 12:37:03 +01:00 · 5fdd1aed76
--- a/backups.tf
+++ b/backups.tf
@ -21,6 +21,8 @@ data "aws_iam_policy_document" "jenkins-backup-bucket-policy" {
            variable = "aws:userId"
            values = [
                "${aws_iam_role.admin-access-role.unique_id}:*",
+                "${lookup(var.unmanaged_role_ids, "admin-ec2-role")}:*",
+                "${lookup(var.unmanaged_role_ids, "InfosecSecurityAuditRole")}:*",
                "${var.aws_account_id}"
            ]
        }
@ -50,7 +52,8 @@ data "aws_iam_policy_document" "jenkins-public-backup-bucket-policy" {
            variable = "aws:userId"
            values = [
                "${aws_iam_role.admin-access-role.unique_id}:*",
-                "${var.terraform_role_id}:*",
+                "${lookup(var.unmanaged_role_ids, "admin-ec2-role")}:*",
+                "${lookup(var.unmanaged_role_ids, "InfosecSecurityAuditRole")}:*",
                "${var.aws_account_id}"
            ]
        }
--- a/discourse.tf
+++ b/discourse.tf
@ -9,6 +9,7 @@ module "discourse-production" {
    fqdn                                = "discourse.mozilla-community.org"
    ssl_certificate                     = "${lookup(var.ssl_certificates, "community-sites-elb-${var.aws_region}")}"
    aws_account_id                      = "${var.aws_account_id}"
+    InfosecSecurityAuditRole_uid        = "${lookup(var.unmanaged_role_ids, "InfosecSecurityAuditRole")}"
 }

 module "discourse-staging" {
@ -22,4 +23,5 @@ module "discourse-staging" {
    fqdn                                = "discourse.staging.paas.mozilla.community"
    ssl_certificate                     = "${lookup(var.ssl_certificates, "community-sites-elb-${var.aws_region}")}"
    aws_account_id                      = "${var.aws_account_id}"
+    InfosecSecurityAuditRole_uid        = "${lookup(var.unmanaged_role_ids, "InfosecSecurityAuditRole")}"
 }
--- a/modules/discourse/main.tf
+++ b/modules/discourse/main.tf
@ -6,6 +6,7 @@ variable "environment" {}
 variable "fqdn" {}
 variable "ssl_certificate" {}
 variable "aws_account_id" {}
+variable "InfosecSecurityAuditRole_uid" {}

 resource "aws_security_group" "discourse-redis-sg" {
    name                     = "discourse-redis-shared-sg"
@ -88,6 +89,32 @@ data "aws_iam_policy_document" "discourse-content-policy" {
      "${aws_s3_bucket.discourse-content.arn}/*",
    ]
  }
+
+  statement {
+    effect = "Deny"
+    actions = [
+      "s3:*",
+    ]
+
+    principals {
+        type = "AWS"
+        identifiers = ["*"]
+    }
+
+    condition {
+        test = "StringNotLike"
+        variable = "aws:userId"
+        values = [
+            "${var.InfosecSecurityAuditRole_uid}:*",
+            "${var.aws_account_id}"
+        ]
+    }
+
+    resources = [
+      "${aws_s3_bucket.discourse-content.arn}",
+      "${aws_s3_bucket.discourse-content.arn}/*",
+    ]
+  }
 }


--- a/modules/mesos-cluster/backups.tf
+++ b/modules/mesos-cluster/backups.tf
@ -23,7 +23,8 @@ data "aws_iam_policy_document" "marathon-backup-buckets-policy" {
            variable = "aws:userId"
            values = [
                "${var.adminaccessrole-uid}:*",
-                "${var.terraform_role_id}:*",
+                "${lookup(var.unmanaged_role_ids, "admin-ec2-role")}:*",
+                "${lookup(var.unmanaged_role_ids, "InfosecSecurityAuditRole")}:*",
                "${var.aws_account_id}"
            ]
        }
--- a/variables.tf
+++ b/variables.tf
@ -43,6 +43,10 @@ variable "ssl_certificates" {
  }
 }

-variable "terraform_role_id" {
-    default = "AROAJQQ4P767MJJUWKKVK" # admin-ec2-role AWS role
+variable "unmanaged_role_ids" {
+    type = "map"
+    default = {
+        admin-ec2-role = "AROAJQQ4P767MJJUWKKVK"
+        InfosecSecurityAuditRole = "AROAJHELZZZIXWALL3AVS"
+    }
 }