-
Notifications
You must be signed in to change notification settings - Fork 4
/
iam.tf
154 lines (147 loc) · 3.36 KB
/
iam.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
resource "aws_iam_instance_profile" "profile" {
name_prefix = "bitwarden"
role = aws_iam_role.role.name
}
resource "aws_iam_role" "role" {
name_prefix = "bitwarden"
assume_role_policy = <<-EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_iam_role_policy" "rolepolicy" {
name_prefix = "bitwarden"
role = aws_iam_role.role.id
policy = <<-EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "${aws_s3_bucket.bucket.arn}"
},
{
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Effect": "Allow",
"Resource": "${aws_s3_bucket.bucket.arn}/*"
},
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "${aws_s3_bucket.resources.arn}"
},
{
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Effect": "Allow",
"Resource": "${aws_s3_bucket.resources.arn}/*"
},
{
"Action": [
"secretsmanager:GetSecretValue",
"secretsemanager:DescribeSecret"
],
"Effect": "Allow",
"Resource": "${aws_secretsmanager_secret.config.arn}"
}
]
}
EOF
}
data "aws_iam_policy_document" "s3policy" {
statement {
sid = "AllowBitwardenInstanceProfile"
effect = "Allow"
resources = [aws_s3_bucket.bucket.arn]
actions = ["s3:ListBucket"]
principals {
type = "AWS"
identifiers = [aws_iam_role.role.arn]
}
}
statement {
sid = "AllowBitwardenInstanceProfileContents"
effect = "Allow"
resources = ["${aws_s3_bucket.bucket.arn}/*"]
actions = [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObjectAcl"
]
principals {
type = "AWS"
identifiers = [aws_iam_role.role.arn]
}
}
statement {
sid = "DenyNotBitwardenVPCE"
effect = "Deny"
resources = ["${aws_s3_bucket.bucket.arn}/*"]
actions = ["s3:*"]
principals {
type = "*"
identifiers = ["*"]
}
condition {
test = "StringNotEquals"
variable = "aws:SourceVpce"
values = [aws_vpc_endpoint.s3.id]
}
}
statement {
sid = "DenyIncorrectEncryptionHeader"
effect = "Deny"
resources = ["${aws_s3_bucket.bucket.arn}/*"]
actions = ["s3:PutObject"]
principals {
type = "*"
identifiers = ["*"]
}
condition {
test = "StringNotEquals"
variable = "s3:x-amz-server-side-encryption"
values = ["AES256"]
}
}
statement {
sid = "DenyUnencryptedObjectUploads"
effect = "Deny"
resources = ["${aws_s3_bucket.bucket.arn}/*"]
actions = ["s3:PutObject"]
principals {
type = "*"
identifiers = ["*"]
}
condition {
test = "Null"
variable = "s3:x-amz-server-side-encryption"
values = ["true"]
}
}
}