Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91
fleet/infrastructure/loadtesting/terraform/ecs-iam.tf
Jorge Falcon dcf68ccd09
Loadtesting - Cloudfront iam fix (#31145) 
- Added missed IAM permission for tasks to access cloudfront secret
2025-07-22 15:07:26 -04:00

126 lines
4 KiB
HCL
Raw Permalink Blame History

data "aws_iam_policy_document" "fleet" {
statement {
effect = "Allow"
actions = ["cloudwatch:PutMetricData"]
resources = ["*"]
}
statement {
effect = "Allow"
actions = ["secretsmanager:GetSecretValue"]
resources = [aws_secretsmanager_secret.database_password_secret.arn, data.aws_secretsmanager_secret.license.arn, aws_secretsmanager_secret.fleet_server_private_key.arn]
}
// useful when there is a static number of mysql cluster members
# dynamic "statement" {
# for_each = module.aurora_mysql.rds_cluster_instance_dbi_resource_ids
# content {
# effect = "Allow"
# actions = ["rds-db:connect"]
# resources = ["arn:aws:rds-db:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:dbuser:${statement.value}/${module.aurora_mysql.cluster_master_username}"]
# }
# }
// allow access to any database via IAM that has the var.database_user user
// useful when you are autoscaling mysql read replicas dynamically
statement {
effect = "Allow"
actions = ["rds-db:connect"]
resources = ["arn:aws:rds-db:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:dbuser:*/${module.aurora_mysql.cluster_master_username}"]
}
statement {
effect = "Allow"
actions = [
"firehose:DescribeDeliveryStream",
"firehose:PutRecord",
"firehose:PutRecordBatch",
]
resources = [aws_kinesis_firehose_delivery_stream.osquery_results.arn, aws_kinesis_firehose_delivery_stream.osquery_status.arn]
}
statement {
actions = [ #tfsec:ignore:aws-iam-no-policy-wildcards
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
]
resources = [aws_kms_key.main.arn, data.terraform_remote_state.shared.outputs.ecr-kms.arn]
}
}
data "aws_iam_policy_document" "assume_role" {
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]
principals {
identifiers = ["ecs.amazonaws.com", "ecs-tasks.amazonaws.com"]
type = "Service"
}
}
}
resource "aws_iam_role" "main" {
name = "${local.prefix}-role"
assume_role_policy = data.aws_iam_policy_document.assume_role.json
}
resource "aws_iam_role_policy_attachment" "role_attachment" {
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
role = aws_iam_role.main.name
}
resource "aws_iam_policy" "main" {
name = "${local.prefix}-iam-policy"
policy = data.aws_iam_policy_document.fleet.json
}
resource "aws_iam_role_policy_attachment" "attachment" {
policy_arn = aws_iam_policy.main.arn
role = aws_iam_role.main.name
}
data "aws_iam_policy_document" "fleet-execution" {
// allow fleet application to obtain the database password from secrets manager
statement {
effect = "Allow"
actions = ["secretsmanager:GetSecretValue"]
resources = [
aws_secretsmanager_secret.database_password_secret.arn,
aws_secretsmanager_secret.fleet_server_private_key.arn
]
}
}
resource "aws_iam_role_policy_attachment" "execution_extras" {
for_each = toset(local.extra_execution_iam_policies)
policy_arn = each.value
role = aws_iam_role.execution.name
}
resource "aws_iam_role_policy_attachment" "task_extras" {
for_each = toset(local.extra_execution_iam_policies)
policy_arn = each.value
role = aws_iam_role.main.name
}
resource "aws_iam_policy" "execution" {
name = local.iam.execution.policy_name
description = "IAM policy that Fleet application uses to define access to AWS resources"
policy = data.aws_iam_policy_document.fleet-execution.json
}
resource "aws_iam_role_policy_attachment" "execution" {
policy_arn = aws_iam_policy.execution.arn
role = aws_iam_role.execution.name
}
resource "aws_iam_role" "execution" {
name = local.iam.execution.name
description = "The execution role for Fleet in ECS"
assume_role_policy = data.aws_iam_policy_document.assume_role.json
}
Reference in a new issue View git blame Copy permalink