HC-vault-on-aws-FORK/iam-policies.tf

# IAM Policies

## KMS Policy
data "aws_iam_policy_document" "kms_vault_policy" {
  statement {
    sid = "EncryptDecryptAndDescribe"
    effect = "Allow"
    actions = [
      "kms:Decrypt",
      "kms:Encrypt",
      "kms:DescribeKey"
    ]
    resources = [
      aws_kms_key.seal.arn
    ]
  }
}

## DynamoDB Policy
data "aws_iam_policy_document" "dynamodb_vault_policy" {
  statement {
    sid = "ManageTable"
    effect = "Allow"
    actions = [
      "dynamodb:BatchGetItem",
      "dynamodb:BatchWriteItem",
      "dynamodb:PutItem",
      "dynamodb:DescribeTable",
      "dynamodb:DeleteItem",
      "dynamodb:GetItem",
      "dynamodb:ListTagsOfResource",
      "dynamodb:UpdateItem",
      "dynamodb:DescribeTimeToLive"
    ]
    resources = [
      aws_dynamodb_table.vault_storage.arn
    ]
  }

  statement {
    sid = "GetStreamRecords"
    effect = "Allow"
    actions = [
      "dynamodb:GetRecords"
    ]
    resources = [
      "${aws_dynamodb_table.vault_storage.arn}/stream/*"
    ]
  }

  statement {
    sid = "QueryAndScanTable"
    effect = "Allow"
    actions = [
      "dynamodb:Scan",
      "dynamodb:Query"
    ]
    resources = [
      "${aws_dynamodb_table.vault_storage.arn}/index/*",
      aws_dynamodb_table.vault_storage.arn
    ]
  }
}

## AutoScalingGroup Instance Trust Policy
data "aws_iam_policy_document" "asg_trust_policy" {
  statement {
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
    actions = [
      "sts:AssumeRole"
    ]
  }
}
initial commit 2020-04-10 02:37:14 +00:00			`# IAM Policies`

			`## KMS Policy`
			`data "aws_iam_policy_document" "kms_vault_policy" {`
			`statement {`
			`sid = "EncryptDecryptAndDescribe"`
			`effect = "Allow"`
			`actions = [`
			`"kms:Decrypt",`
			`"kms:Encrypt",`
			`"kms:DescribeKey"`
			`]`
			`resources = [`
			`aws_kms_key.seal.arn`
			`]`
			`}`
			`}`

			`## DynamoDB Policy`
			`data "aws_iam_policy_document" "dynamodb_vault_policy" {`
			`statement {`
			`sid = "ManageTable"`
			`effect = "Allow"`
			`actions = [`
			`"dynamodb:BatchGetItem",`
			`"dynamodb:BatchWriteItem",`
			`"dynamodb:PutItem",`
			`"dynamodb:DescribeTable",`
			`"dynamodb:DeleteItem",`
			`"dynamodb:GetItem",`
			`"dynamodb:ListTagsOfResource",`
			`"dynamodb:UpdateItem",`
			`"dynamodb:DescribeTimeToLive"`
			`]`
			`resources = [`
			`aws_dynamodb_table.vault_storage.arn`
			`]`
			`}`

			`statement {`
			`sid = "GetStreamRecords"`
			`effect = "Allow"`
			`actions = [`
			`"dynamodb:GetRecords"`
			`]`
			`resources = [`
			`"${aws_dynamodb_table.vault_storage.arn}/stream/*"`
			`]`
			`}`

			`statement {`
			`sid = "QueryAndScanTable"`
			`effect = "Allow"`
			`actions = [`
			`"dynamodb:Scan",`
			`"dynamodb:Query"`
			`]`
			`resources = [`
			`"${aws_dynamodb_table.vault_storage.arn}/index/*",`
			`aws_dynamodb_table.vault_storage.arn`
			`]`
			`}`
			`}`

			`## AutoScalingGroup Instance Trust Policy`
			`data "aws_iam_policy_document" "asg_trust_policy" {`
			`statement {`
			`effect = "Allow"`
			`principals {`
			`type = "Service"`
			`identifiers = ["ec2.amazonaws.com"]`
			`}`
			`actions = [`
			`"sts:AssumeRole"`
			`]`
			`}`
			`}`