Merge pull request #2 from dxw/ash/template_file

IAM Policy fixes
dxw · Dec 14, 2022 · f2ca48f · f2ca48f
2 parents 938c471 + 9b99f7c
commit f2ca48f
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 77 deletions.
diff --git a/main.tf b/main.tf
@@ -9,6 +9,64 @@ locals {
   bucketname = "${var.namespace}-${var.bucketname}"
 }
 
+## Data
+
+data "aws_iam_policy_document" "bucket" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions   = ["s3:GetBucketAcl"]
+    resources = ["arn:aws:s3:::${local.bucketname}"]
+  }
+
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions   = ["s3:PutObject"]
+    resources = ["arn:aws:s3:::${local.bucketname}/*"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+      values   = ["bucket-owner-full-control"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "assume_role" {
+  statement {
+    effect = "Allow"
+    sid    = ""
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudtrail.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+data "aws_iam_policy_document" "logs" {
+  statement {
+    effect  = "Allow"
+    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]
+    resources = [
+      "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
+    ]
+  }
+}
+
 ## Resources
 
 ### Implementation
@@ -35,12 +93,7 @@ resource "aws_s3_bucket" "cloudtrail" {
 
 resource "aws_s3_bucket_policy" "cloudtrail_s3_policy" {
   bucket = aws_s3_bucket.cloudtrail.id
-  policy = templatefile(
-    "${path.module}/policies/cloudtrail_s3_policy.tpl",
-    {
-      bucket_name = local.bucketname
-    }
-  )
+  policy = data.aws_iam_policy_document.bucket.json
 }
 
 resource "aws_s3_bucket_acl" "cloudtrail_acl" {
@@ -51,18 +104,13 @@ resource "aws_s3_bucket_acl" "cloudtrail_acl" {
 resource "aws_iam_role" "cloudtrail_cloudwatch_logs_role" {
   name               = "${var.namespace}-cloudtrail-cloudwatch-logs"
   path               = "/"
-  assume_role_policy = file("${path.module}/policies/cloudtrail_assume_policy.json")
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
 }
 
 resource "aws_iam_policy" "cloudtrail_cloudwatch_logs_policy" {
-  name = "${var.namespace}-cloudtrail-cloudwatch-logs"
-  path = "/"
-  policy = templatefile(
-    "${path.module}/policies/cloudtrail_cloudwatch_logs_policy.tpl",
-    {
-      cloudwatch_log_group_arn = aws_cloudwatch_log_group.cloudtrail.arn
-    }
-  )
+  name   = "${var.namespace}-cloudtrail-cloudwatch-logs"
+  path   = "/"
+  policy = data.aws_iam_policy_document.logs.json
 }
 
 resource "aws_iam_role_policy_attachment" "cloudtrail_cloudwatch_logs_policy_attachment" {

diff --git a/policies/cloudtrail_assume_policy.json b/policies/cloudtrail_assume_policy.json
diff --git a/policies/cloudtrail_cloudwatch_logs_policy.tpl b/policies/cloudtrail_cloudwatch_logs_policy.tpl
diff --git a/policies/cloudtrail_s3_policy.tpl b/policies/cloudtrail_s3_policy.tpl