From fc4e6f54c4f661f12c3f662a9178018b9fc6ad98 Mon Sep 17 00:00:00 2001
From: Yousef Alam
Date: Mon, 11 Sep 2017 15:44:31 +0100
Subject: [PATCH] Use variable for MozDef logs policy ARN

---
 consul.tf | 2 +-
 iam.tf | 2 +-
 jenkins-public.tf | 2 +-
 modules/mesos-cluster/iam.tf | 2 +-
 variables.tf | 7 +++++++
 vpn.tf | 2 +-
 6 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/consul.tf b/consul.tf
index 74ffa1b..5c53186 100644
--- a/consul.tf
+++ b/consul.tf
@@ -22,7 +22,7 @@ resource "aws_iam_role" "consul-role" {
 
 resource "aws_iam_role_policy_attachment" "consul-access-policy" {
   role = "${aws_iam_role.consul-role.name}"
-  policy_arn = "arn:aws:iam::484535289196:policy/SnsMozdefLogsFullAccess"
+  policy_arn = "${lookup(var.unmanaged_role_arns, "mozdef-logging")}"
 }
 
 resource "aws_iam_instance_profile" "consul-profile" {
diff --git a/iam.tf b/iam.tf
index 5091bce..97e57c4 100644
--- a/iam.tf
+++ b/iam.tf
@@ -393,5 +393,5 @@ resource "aws_iam_role" "mozdef-logs-role" {
 
 resource "aws_iam_role_policy_attachment" "mozdef-sns-policy" {
   role = "${aws_iam_role.mozdef-logs-role.name}"
-  policy_arn = "arn:aws:iam::484535289196:policy/SnsMozdefLogsFullAccess"
+  policy_arn = "${lookup(var.unmanaged_role_arns, "mozdef-logging")}"
 }
diff --git a/jenkins-public.tf b/jenkins-public.tf
index d7dcc49..4f2f9c7 100644
--- a/jenkins-public.tf
+++ b/jenkins-public.tf
@@ -22,7 +22,7 @@ resource "aws_iam_role" "jenkins-role" {
 
 resource "aws_iam_role_policy_attachment" "jenkins-access-policy" {
   role = "${aws_iam_role.jenkins-role.name}"
-  policy_arn = "arn:aws:iam::484535289196:policy/SnsMozdefLogsFullAccess"
+  policy_arn = "${lookup(var.unmanaged_role_arns, "mozdef-logging")}"
 }
 
 resource "aws_iam_instance_profile" "jenkins-profile" {
diff --git a/modules/mesos-cluster/iam.tf b/modules/mesos-cluster/iam.tf
index 009a41b..c03d8a0 100644
--- a/modules/mesos-cluster/iam.tf
+++ b/modules/mesos-cluster/iam.tf
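Review bot: The map is named `unmanaged_role_arns`, but the value it feeds into `policy_arn` on the added line is an IAM policy ARN (`...:policy/SnsMozdefLogsFullAccess`), not a role ARN, so the name misleads at every call site; the same lookup is repeated in iam.tf, jenkins-public.tf, modules/mesos-cluster/iam.tf and vpn.tf. Either name the variable for what it holds (`unmanaged_policy_arns`) or let the key say it, e.g. `policy_arn = "${lookup(var.unmanaged_role_arns, "mozdef-logging-sns-policy")}"`, and apply the same rename in the other four files and in variables.tf. Note also that `lookup()` with no third argument makes the plan fail when the key is missing from an overriding map, which is the right fail-closed behaviour for a permission grant; a one-line comment such as `# no lookup default on purpose: a missing key must fail plan, not attach nothing` would stop a later edit from adding one.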
@@ -35,7 +35,7 @@ resource "aws_iam_role" "mesos-slave-host-role" {
 
 resource "aws_iam_role_policy_attachment" "mesos-master-host-mozdef-policy" {
   role = "${aws_iam_role.mesos-master-host-role.name}"
-  policy_arn = "arn:aws:iam::484535289196:policy/SnsMozdefLogsFullAccess"
+  policy_arn = "${lookup(var.unmanaged_role_arns, "mozdef-logging")}"
 }
 
 resource "aws_iam_instance_profile" "mesos-master-profile" {
diff --git a/variables.tf b/variables.tf
index 1922f09..3109bef 100644
--- a/variables.tf
+++ b/variables.tf
@@ -51,3 +51,10 @@ variable "unmanaged_role_ids" {
     InfosecSecurityAuditRole = "AROAJHELZZZIXWALL3AVS"
   }
 }
+
+variable "unmanaged_role_arns" {
+  type = "map"
+  default = {
+    mozdef-logging = "arn:aws:iam::484535289196:policy/SnsMozdefLogsFullAccess"
+  }
+}
diff --git a/vpn.tf b/vpn.tf
index 08dd303..bfd2773 100644
--- a/vpn.tf
+++ b/vpn.tf
@@ -22,7 +22,7 @@ resource "aws_iam_role" "vpn-role" {
 
 resource "aws_iam_role_policy_attachment" "vpn-access-policy" {
   role = "${aws_iam_role.vpn-role.name}"
-  policy_arn = "arn:aws:iam::484535289196:policy/SnsMozdefLogsFullAccess"
+  policy_arn = "${lookup(var.unmanaged_role_arns, "mozdef-logging")}"
 }
 
 resource "aws_iam_instance_profile" "vpn-profile" {
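Review bot: The new `unmanaged_role_arns` variable in variables.tf has no `description`, and its default still hard-codes the account id 484535289196 and the `SnsMozdefLogsFullAccess` policy name, so the change relocates the literal rather than making the configuration account-agnostic — the default is only meaningful in that one account, and every other deployment must remember to override the map. Add `description = "ARNs of IAM policies managed outside this repo, keyed by purpose; override per account"` and consider dropping the `default` block so that an unset value fails at plan time instead of pointing at another account's policy. The `FullAccess` suffix is also worth a glance: five different roles (consul, jenkins, mesos master, vpn, mozdef-logs) attach the same policy, and whether all of them need more than publish rights to the MozDef topic cannot be judged here because the policy body is outside this diff.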