Add Vanta role configuration for SOC2 monitoring

This will apply to all accounts by default - we can change the irrelevant ones to out-of-scope later in their UI if we want.

https://app.clubhouse.io/highwing/story/1533/set-up-vanta-monitoring

modules/vanta/main.tf

@@ -0,0 +1,65 @@
+data "aws_iam_policy_document" "vanta_additional_permissions" {
+  statement {
+    actions = [
+      "ecr:DescribeImageScanFindings",
+      "ecr:DescribeImages",
+      "dynamodb:ListTagsOfResource",
+      "ecr:ListTagsForResource",
+      "sqs:ListQueueTags"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    effect = "Deny"
+    actions = [
+      "datapipeline:EvaluateExpression",
+      "datapipeline:QueryObjects",
+      "rds:DownloadDBLogFilePortion"
+    ]
+
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "vanta_additional_permissions" {
+  name        = "VantaAdditionalPermissions"
+  description = "Additional permissions for Vanta monitoring"
+  policy      = data.aws_iam_policy_document.vanta_additional_permissions.json
+}
+
+data "aws_iam_policy_document" "vanta_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["956993596390"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "sts:ExternalId"
+      values   = ["64AFC813486EC4B"]
+    }
+  }
+}
+
+resource "aws_iam_role" "vanta" {
+  name               = "vanta-auditor"
+  assume_role_policy = data.aws_iam_policy_document.vanta_assume_role_policy.json
+}
+
+resource "aws_iam_role_policy_attachment" "vanta_additional_permissions" {
+  role       = aws_iam_role.vanta.name
+  policy_arn = aws_iam_policy.vanta_additional_permissions.arn
+}
+
+data "aws_iam_policy" "aws_auditor" {
+  arn = "arn:aws:iam::aws:policy/SecurityAudit"
+}
+
+resource "aws_iam_role_policy_attachment" "vanta_aws_auditor" {
+  role       = aws_iam_role.vanta.name
+  policy_arn = data.aws_iam_policy.aws_auditor.arn
+}