From 3521379e0f199702c97f9bbfd5b719b2fa5ac86b Mon Sep 17 00:00:00 2001
From: y-miyazaki
Date: Thu, 20 May 2021 06:50:45 +0000
Subject: [PATCH] fixed config policy.
---
 .../recipes/security/config/create/main.tf | 214 +-----------------
 .../security/config/create/variables.tf | 19 +-
 terraform/main_security_config.tf | 5 -
 terraform/terraform.example.tfvars | 5 -
 4 files changed, 2 insertions(+), 241 deletions(-)
diff --git a/modules/aws/recipes/security/config/create/main.tf b/modules/aws/recipes/security/config/create/main.tf
index 2db63e8..d2f3319 100644
--- a/modules/aws/recipes/security/config/create/main.tf
+++ b/modules/aws/recipes/security/config/create/main.tf
@@ -24,224 +24,12 @@ POLICY
 tags = var.tags
 }
 #--------------------------------------------------------------
-# Generates an IAM policy document in JSON format for use with resources that expect policy documents such as aws_iam_policy.
-#--------------------------------------------------------------
-data "aws_iam_policy_document" "config" {
- count = var.is_enabled ? 1 : 0
- statement {
- effect = "Allow"
- actions = [
- "acm:DescribeCertificate",
- "acm:ListCertificates",
- "acm:ListTagsForCertificate",
- "application-autoscaling:DescribeScalableTargets",
- "application-autoscaling:DescribeScalingPolicies",
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeLifecycleHooks",
- "autoscaling:DescribePolicies",
- "autoscaling:DescribeScheduledActions",
- "autoscaling:DescribeTags",
- "backup:ListBackupPlans",
- "backup:ListBackupSelections",
- "backup:GetBackupSelection",
- "cloudfront:ListTagsForResource",
- "cloudformation:DescribeType",
- "cloudformation:ListTypes",
- "cloudtrail:DescribeTrails",
- "cloudtrail:GetEventSelectors",
- "cloudtrail:GetTrailStatus",
- "cloudtrail:ListTags",
- "cloudwatch:DescribeAlarms",
- "codepipeline:GetPipeline",
- "codepipeline:GetPipelineState",
- "codepipeline:ListPipelines",
- "config:BatchGet*",
- "config:Describe*",
- "config:Get*",
- "config:List*",
- "config:Put*",
- "config:Select*",
- "dax:DescribeClusters",
- "dms:DescribeReplicationInstances",
- "dynamodb:DescribeContinuousBackups",
- "dynamodb:DescribeLimits",
- "dynamodb:DescribeTable",
- "dynamodb:ListTables",
- "dynamodb:ListTagsOfResource",
- "ec2:Describe*",
- "ec2:GetEbsEncryptionByDefault",
- "ecr:DescribeRepositories",
- "ecr:GetLifecyclePolicy",
- "ecr:GetRepositoryPolicy",
- "ecr:ListTagsForResource",
- "ecs:DescribeClusters",
- "ecs:DescribeServices",
- "ecs:DescribeTaskDefinition",
- "ecs:DescribeTaskSets",
- "ecs:ListClusters",
- "ecs:ListServices",
- "ecs:ListTagsForResource",
- "ecs:ListTaskDefinitions",
- "eks:DescribeCluster",
- "eks:DescribeNodegroup",
- "eks:ListClusters",
- "eks:ListNodegroups",
- "elasticache:DescribeCacheClusters",
- "elasticache:DescribeReplicationGroups",
- "elasticfilesystem:DescribeFileSystems",
- "elasticfilesystem:DescribeLifecycleConfiguration",
- "elasticfilesystem:DescribeMountTargets",
- "elasticfilesystem:DescribeMountTargetSecurityGroups",
- "elasticloadbalancing:DescribeListeners",
- "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DescribeLoadBalancerPolicies",
- "elasticloadbalancing:DescribeLoadBalancers",
- "elasticloadbalancing:DescribeRules",
- "elasticloadbalancing:DescribeTags",
- "elasticmapreduce:DescribeCluster",
- "elasticmapreduce:DescribeSecurityConfiguration",
- "elasticmapreduce:GetBlockPublicAccessConfiguration",
- "elasticmapreduce:ListClusters",
- "elasticmapreduce:ListInstances",
- "es:DescribeElasticsearchDomain",
- "es:DescribeElasticsearchDomains",
- "es:ListDomainNames",
- "es:ListTags",
- "guardduty:GetDetector",
- "guardduty:GetFindings",
- "guardduty:GetMasterAccount",
- "guardduty:ListDetectors",
- "guardduty:ListFindings",
- "iam:GenerateCredentialReport",
- "iam:GetAccountAuthorizationDetails",
- "iam:GetAccountPasswordPolicy",
- "iam:GetAccountSummary",
- "iam:GetCredentialReport",
- "iam:GetGroup",
- "iam:GetGroupPolicy",
- "iam:GetPolicy",
- "iam:GetPolicyVersion",
- "iam:GetRole",
- "iam:GetRolePolicy",
- "iam:GetUser",
- "iam:GetUserPolicy",
- "iam:ListAttachedGroupPolicies",
- "iam:ListAttachedRolePolicies",
- "iam:ListAttachedUserPolicies",
- "iam:ListEntitiesForPolicy",
- "iam:ListGroupPolicies",
- "iam:ListGroupsForUser",
- "iam:ListInstanceProfilesForRole",
- "iam:ListPolicyVersions",
- "iam:ListRolePolicies",
- "iam:ListUserPolicies",
- "iam:ListVirtualMFADevices",
- "kms:DescribeKey",
- "kms:GetKeyPolicy",
- "kms:GetKeyRotationStatus",
- "kms:ListKeys",
- "kms:ListResourceTags",
- "lambda:GetAlias",
- "lambda:GetFunction",
- "lambda:GetPolicy",
- "lambda:ListAliases",
- "lambda:ListFunctions",
- "logs:DescribeLogGroups",
- "organizations:DescribeOrganization",
- "rds:DescribeDBClusters",
- "rds:DescribeDBClusterSnapshotAttributes",
- "rds:DescribeDBClusterSnapshots",
- "rds:DescribeDBInstances",
- "rds:DescribeDBSecurityGroups",
- "rds:DescribeDBSnapshotAttributes",
- "rds:DescribeDBSnapshots",
- "rds:DescribeDBSubnetGroups",
- "rds:DescribeEventSubscriptions",
- "rds:ListTagsForResource",
- "redshift:DescribeClusterParameterGroups",
- "redshift:DescribeClusterParameters",
- "redshift:DescribeClusterSecurityGroups",
- "redshift:DescribeClusterSnapshots",
- "redshift:DescribeClusterSubnetGroups",
- "redshift:DescribeClusters",
- "redshift:DescribeEventSubscriptions",
- "redshift:DescribeLoggingStatus",
- "s3:GetAccelerateConfiguration",
- "s3:GetAccountPublicAccessBlock",
- "s3:GetBucketAcl",
- "s3:GetBucketCORS",
- "s3:GetBucketLocation",
- "s3:GetBucketLogging",
- "s3:GetBucketNotification",
- "s3:GetBucketObjectLockConfiguration",
- "s3:GetBucketPolicy",
- "s3:GetBucketPublicAccessBlock",
- "s3:GetBucketRequestPayment",
- "s3:GetBucketTagging",
- "s3:GetBucketVersioning",
- "s3:GetBucketWebsite",
- "s3:GetEncryptionConfiguration",
- "s3:GetLifecycleConfiguration",
- "s3:GetReplicationConfiguration",
- "s3:ListAllMyBuckets",
- "s3:ListBucket",
- "sagemaker:DescribeEndpointConfig",
- "sagemaker:DescribeNotebookInstance",
- "sagemaker:ListEndpointConfigs",
- "sagemaker:ListNotebookInstances",
- "secretsmanager:ListSecrets",
- "secretsmanager:ListSecretVersionIds",
- "securityhub:describeHub",
- "shield:DescribeDRTAccess",
- "shield:DescribeProtection",
- "shield:DescribeSubscription",
- "sns:GetTopicAttributes",
- "sns:ListSubscriptions",
- "sns:ListTagsForResource",
- "sns:ListTopics",
- "sqs:GetQueueAttributes",
- "sqs:ListQueues",
- "sqs:ListQueueTags",
- "ssm:DescribeAutomationExecutions",
- "ssm:DescribeDocument",
- "ssm:GetAutomationExecution",
- "ssm:GetDocument",
- "storagegateway:ListGateways",
- "storagegateway:ListVolumes",
- "support:DescribeCases",
- "tag:GetResources",
- "waf:GetLoggingConfiguration",
- "waf:GetWebACL",
- "wafv2:GetLoggingConfiguration",
- "waf-regional:GetLoggingConfiguration",
- "waf-regional:GetWebACL",
- "waf-regional:GetWebACLForResource"
- ]
- resources = ["*"]
- }
-}
-
-#--------------------------------------------------------------
-# Provides an IAM policy.
-#--------------------------------------------------------------
-resource "aws_iam_policy" "config" {
- count = var.is_enabled ? 1 : 0
- description = lookup(var.aws_iam_policy, "description", null)
- name = lookup(var.aws_iam_policy, "name")
- path = lookup(var.aws_iam_policy, "path", "/")
- policy = data.aws_iam_policy_document.config[0].json
- depends_on = [
- data.aws_iam_policy_document.config,
- ]
-}
-#--------------------------------------------------------------
 # Attaches a Managed IAM Policy to an IAM role
 #--------------------------------------------------------------
 resource "aws_iam_role_policy_attachment" "config" {
 count = var.is_enabled ? 1 : 0
 role = aws_iam_role.config[0].name
- policy_arn = aws_iam_policy.config[0].arn
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
 }
 #--------------------------------------------------------------
 # Provides an AWS Config Configuration Recorder. Please note that this resource does not start the created recorder automatically.
diff --git a/modules/aws/recipes/security/config/create/variables.tf b/modules/aws/recipes/security/config/create/variables.tf
index e71a1aa..38d5152 100644
--- a/modules/aws/recipes/security/config/create/variables.tf
+++ b/modules/aws/recipes/security/config/create/variables.tf
@@ -35,24 +35,7 @@ variable "aws_iam_role" {
 path = "/"
 }
 }
-variable "aws_iam_policy" {
- type = object(
- {
- # (Optional) Description of the IAM policy.
- description = string
- # (Optional, Forces new resource) Friendly name of the role. If omitted, Terraform will assign a random, unique name. See IAM Identifiers for more information.
- name = string
- # (Optional) Path to the role. See IAM Identifiers for more information.
- path = string
- }
- )
- description = "(Required) The aws_iam_policy resource."
- default = {
- description = null
- name = "security-config-policy"
- path = "/"
- }
-}
+
 variable "aws_s3_bucket" {
 type = object(
 {
diff --git a/terraform/main_security_config.tf b/terraform/main_security_config.tf
index 2a3b3a4..3b30de1 100644
--- a/terraform/main_security_config.tf
+++ b/terraform/main_security_config.tf
@@ -13,10 +13,6 @@ locals {
 name = "${var.name_prefix}${lookup(var.security_config.aws_iam_role, "name")}"
 }
 )
- aws_iam_policy_config = merge(var.security_config.aws_iam_policy, {
- name = "${var.name_prefix}${lookup(var.security_config.aws_iam_policy, "name")}"
- }
- )
 aws_s3_bucket_config = merge(var.security_config.aws_s3_bucket, { bucket = "${var.name_prefix}${var.security_config.aws_s3_bucket.bucket}-${random_id.this.dec}" })
 aws_config_delivery_channel_config = merge(var.security_config.aws_config_delivery_channel, {
 name = "${var.name_prefix}${lookup(var.security_config.aws_config_delivery_channel, "name")}"
@@ -31,7 +27,6 @@ module "aws_recipes_security_config_create" {
 is_enabled = lookup(var.security_config, "is_enabled", true)
 aws_config_configuration_recorder = local.aws_config_configuration_recorder_config
 aws_iam_role = local.aws_iam_role_config
- aws_iam_policy = local.aws_iam_policy_config
 aws_s3_bucket = local.aws_s3_bucket_config
 aws_config_delivery_channel = local.aws_config_delivery_channel_config
 aws_config_configuration_recorder_status = lookup(var.security_config, "aws_config_configuration_recorder_status")
diff --git a/terraform/terraform.example.tfvars b/terraform/terraform.example.tfvars
index 31b477b..d594c31 100644
--- a/terraform/terraform.example.tfvars
+++ b/terraform/terraform.example.tfvars
@@ -671,11 +671,6 @@ security_config = {
 name = "security-config-role"
 path = "/"
 }
- aws_iam_policy = {
- description = null
- name = "security-config-policy"
- path = "/"
- }
 aws_s3_bucket = {
 # Random suffix is automatically added to the bucket name.
 bucket = "aws-config"