-
Notifications
You must be signed in to change notification settings - Fork 4
/
guacamole_iam.tf
86 lines (69 loc) · 2.84 KB
/
guacamole_iam.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
# Create a role that allows the instance to read its certs from S3.
module "guacamole_certreadrole" {
source = "github.com/cisagov/cert-read-role-tf-module"
providers = {
aws = aws.provisioncertreadrole
}
account_ids = [local.assessment_account_id]
cert_bucket_name = var.cert_bucket_name
hostname = local.guacamole_fqdn
}
# Create the IAM instance profile for the Guacamole EC2 server instance
# The instance profile to be used
resource "aws_iam_instance_profile" "guacamole" {
provider = aws.provisionassessment
name = "guacamole_instance_profile_${terraform.workspace}"
role = aws_iam_role.guacamole_instance_role.name
}
# The instance role
resource "aws_iam_role" "guacamole_instance_role" {
provider = aws.provisionassessment
assume_role_policy = data.aws_iam_policy_document.ec2_service_assume_role_doc.json
name = "guacamole_instance_role_${terraform.workspace}"
}
resource "aws_iam_role_policy" "guacamole_assume_delegated_role_policy" {
provider = aws.provisionassessment
name = "assume_delegated_role_policy"
policy = data.aws_iam_policy_document.guacamole_assume_delegated_role_policy_doc.json
role = aws_iam_role.guacamole_instance_role.id
}
# Attach the EC2 read-only policy to this role. This policy is
# required by the cisagov/guacscanner Docker image
# (https://github.com/cisagov/guacscanner-docker)
# that is part of the Guacamole composition.
resource "aws_iam_role_policy_attachment" "ec2_read_only_policy_attachment_guacamole" {
provider = aws.provisionassessment
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
role = aws_iam_role.guacamole_instance_role.id
}
# Attach the CloudWatch Agent policy to this role as well
resource "aws_iam_role_policy_attachment" "cloudwatch_agent_policy_attachment_guacamole" {
provider = aws.provisionassessment
policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
role = aws_iam_role.guacamole_instance_role.id
}
# Attach the SSM Agent policy to this role as well
resource "aws_iam_role_policy_attachment" "ssm_agent_policy_attachment_guacamole" {
provider = aws.provisionassessment
policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
role = aws_iam_role.guacamole_instance_role.id
}
################################
# Define the role policies below
################################
# Allow the Guacamole instance to assume the necessary roles:
# - To read the Guacamole certificates from an S3 bucket
# - To read the VNC-related data from the SSM Parameter Store
data "aws_iam_policy_document" "guacamole_assume_delegated_role_policy_doc" {
statement {
actions = [
"sts:AssumeRole",
"sts:TagSession",
]
resources = [
module.guacamole_certreadrole.role.arn,
aws_iam_role.guacamole_parameterstorereadonly_role.arn
]
effect = "Allow"
}
}