# Added - Added kms.tf to support encrypting keys, specifically cloudfront keys. - Added template/cloudfront.tf.disabled for use in enabling cloudfront. - Modified ecs-iam.tf to support log-alb.tf and cloudfront.tf policies that are injected into `local.extra_execution_iam_policies` and `local.iam`. - Added log-alb.tf to enable ALB logging, required by cloudfront.tf. # Changed - Modified ecs.tf to support adding of additional secrets from `local.secrets`. - Modified firehose.tf to support provider-required updates for deprecated resource configurations. - Modified init.tf to support `> v5.0` of `hashicorp/aws` provider. - Modified locals.tf to add `extra_execution_iam_policies`, `iam`, `software_installers_kms_policy`, `extra_secrets`, secrets, and `cloudfront_key_basename`, to support cloudfront. - Modified readme.md with instructions on how to enable cloudfront.tf. - Modified redis.tf to support provider-required updates for deprecated resource configurations. - Modified s3.tf to support kms keys and add kms iam. - Modified terraform version in .github/workflows/tfvalidate.yml - 1.9.0 -> 1.10.4
# Policy document for access to the software installers bucket. It is rendered
# into the identity-based aws_iam_policy below and attached to aws_iam_role.main.
data "aws_iam_policy_document" "software_installers" {
  # Bucket and object access for the installers bucket. The prefix wildcards
  # ("s3:GetObject*", "s3:PutObject*", "s3:ListBucket*", ...) match every IAM
  # action beginning with that prefix — e.g. s3:PutObjectAcl and
  # s3:GetObjectVersion, not only the plain call — so this is broader than the
  # explicit actions listed next to them; narrow the prefixes if the role
  # should not be able to change object ACLs or tags.
  statement {
    actions = [
      "s3:GetObject*",
      "s3:PutObject*",
      "s3:ListBucket*",
      "s3:ListMultipartUploadParts*",
      "s3:DeleteObject",
      "s3:CreateMultipartUpload",
      "s3:AbortMultipartUpload",
      "s3:ListMultipartUploadParts",
      "s3:GetBucketLocation"
    ]
    # The bare bucket ARN is what the bucket-level actions (ListBucket*,
    # GetBucketLocation) are evaluated against; the "/*" form covers objects.
    resources = [aws_s3_bucket.software_installers.arn, "${aws_s3_bucket.software_installers.arn}/*"]
  }

  # Additional statements supplied by locals.tf via
  # local.software_installers_kms_policy. NOTE(review): presumably these carry
  # the KMS grants (kms:Decrypt / kms:GenerateDataKey on the bucket key) the
  # role needs to read and write the SSE-KMS bucket configured below — confirm
  # against locals.tf. Every field is optional in the local; missing fields
  # fall back to "" / [] / null via try().
  dynamic "statement" {
    for_each = local.software_installers_kms_policy
    content {
      sid       = try(statement.value.sid, "")
      actions   = try(statement.value.actions, [])
      resources = try(statement.value.resources, [])
      # null leaves the provider default effect ("Allow") in place.
      effect = try(statement.value.effect, null)

      # NOTE(review): this document feeds an identity-based aws_iam_policy,
      # which IAM rejects if a statement carries a Principal element. Entries
      # in the local should therefore leave `principals` unset unless the same
      # document is also rendered as a resource/key policy elsewhere — confirm.
      dynamic "principals" {
        for_each = try(statement.value.principals, [])
        content {
          type        = principals.value.type
          identifiers = principals.value.identifiers
        }
      }

      # Optional condition keys (e.g. to scope a KMS grant to this bucket's
      # encryption context); the local uses the plural key "conditions".
      dynamic "condition" {
        for_each = try(statement.value.conditions, [])
        content {
          test     = condition.value.test
          variable = condition.value.variable
          values   = condition.value.values
        }
      }
    }
  }
}
# Customer-managed IAM policy rendered from the document above. No name or
# name_prefix is given, so the provider assigns a random unique name; set one
# if the policy must be findable by name in the console or in audits.
resource "aws_iam_policy" "software_installers" {
  policy = data.aws_iam_policy_document.software_installers.json
}
# Grants the installers-bucket policy to the main role (defined elsewhere in
# the module). Attaching rather than inlining keeps the policy reusable and
# keeps the role's other managed policies untouched.
resource "aws_iam_role_policy_attachment" "software_installers" {
  role       = aws_iam_role.main.name
  policy_arn = aws_iam_policy.software_installers.arn
}
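# Bucket holding uploaded software installers. Default encryption (SSE-KMS with
# the customer-managed key defined below) and the public access block are
# configured in separate resources further down, so the old
# aws-s3-encryption-customer-key suppression no longer applied to anything.
# The two date-limited tfsec suppressions that used to sit here (encryption,
# exp 2022-07-01; bucket logging, exp 2022-06-15) had expired and so were
# already ignored by the scanner; they are dropped rather than silently kept.
# Bucket access logging is still not configured in this file — if the scanner
# reports it, add logging or a fresh, dated suppression rather than an open one.
# Versioning remains deliberately off (see force_destroy below).
resource "aws_s3_bucket" "software_installers" { #tfsec:ignore:aws-s3-enable-versioning
  # Bucket name is derived from the workspace; AWS appends a unique suffix.
  bucket_prefix = terraform.workspace

  # Allow destroy of non-empty buckets. With versioning disabled this means a
  # `terraform destroy` permanently removes every installer — acceptable for
  # per-workspace environments, but there is no recovery path.
  force_destroy = true
}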
# Default encryption for the installers bucket: SSE-KMS with the
# customer-managed key below. Every principal that reads or writes objects
# therefore needs kms:Decrypt / kms:GenerateDataKey on that key in addition to
# the S3 permissions granted above.
resource "aws_s3_bucket_server_side_encryption_configuration" "software_installers" {
  bucket = aws_s3_bucket.software_installers.bucket
  rule {
    apply_server_side_encryption_by_default {
      # Key id (rather than ARN) works here because key and bucket live in the
      # same account and region.
      kms_master_key_id = aws_kms_key.software_installers.id
      sse_algorithm     = "aws:kms"
    }
    # NOTE(review): bucket_key_enabled is not set, so every object operation
    # makes its own KMS request. S3 Bucket Keys would reduce KMS call volume
    # and cost; consider enabling once it is confirmed nothing relies on
    # per-object KMS CloudTrail entries.
  }
}
# Blocks every form of public exposure for the installers bucket: new public
# ACLs and bucket policies are rejected, existing public ACLs are ignored, and
# cross-account access to a public bucket is restricted. Installers are served
# via signed access (CloudFront/IAM), never directly to anonymous clients.
resource "aws_s3_bucket_public_access_block" "software_installers" {
  bucket = aws_s3_bucket.software_installers.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
# Customer-managed KMS key used for the installers bucket's default encryption.
# No `policy` is set, so the provider applies the default key policy, which
# hands full control to the account root and lets IAM policies in the account
# govern use — tighten with an explicit key policy if only specific roles
# should be able to decrypt. deletion_window_in_days is left at the provider
# default (30 days), so an accidental destroy is recoverable within that window.
resource "aws_kms_key" "software_installers" {
  # Yearly automatic rotation of the key material; existing ciphertext stays
  # decryptable under the old material.
  enable_key_rotation = true
}
# Human-readable alias for the installers key, namespaced by workspace so
# several environments can coexist in one account. Callers should reference
# the key id/ARN, not the alias, where a stable identity is required.
resource "aws_kms_alias" "software_installers" {
  name          = "alias/${terraform.workspace}-software-installers"
  target_key_id = aws_kms_key.software_installers.id
}