###########################
#### Eventbridge event ####
###########################
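# EventBridge rule: fires when an EC2 snapshot is shared with the "all" group
# (i.e. made public) through ModifySnapshotAttribute.
#
# Operational caveats a deployer should confirm:
#   * "AWS API Call via CloudTrail" events only reach EventBridge when a
#     CloudTrail trail captures management (write) events in this region.
#   * Snapshots are regional, so this rule and its target must be deployed in
#     every region where snapshots can be created.
#   * CloudTrail delivery lags the API call by minutes; the snapshot stays
#     public for at least that long before remediation runs.
#   * Only the "all" group is matched; sharing with specific account IDs is
#     deliberately not caught here.
resource "aws_cloudwatch_event_rule" "public_snapshot" {
  name        = "public-snapshot"
  description = "Capture events when Snapshots are made public"

  # "errorCode" must be absent: CloudTrail also records failed calls
  # (UnauthorizedOperation, DryRunOperation, attempts on encrypted snapshots
  # that cannot be made public) with the same requestParameters, and those
  # did not make anything public, so they should not start a remediation.
  event_pattern = <<EOF
{
  "source": ["aws.ec2"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["ec2.amazonaws.com"],
    "eventName": ["ModifySnapshotAttribute"],
    "errorCode": [{ "exists": false }],
    "requestParameters": {
      "createVolumePermission": {
        "add": {
          "items": {
            "group": ["all"]
          }
        }
      }
    }
  }
}
EOF
}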
# Routes matching events to the remediation state machine. No input_transformer
# is configured, so the state machine receives the full CloudTrail event and
# reads the snapshot ID from $.detail.requestParameters.snapshotId.
resource "aws_cloudwatch_event_target" "sfn" {
  target_id = "public-snapshot-to-sfn"
  rule      = aws_cloudwatch_event_rule.public_snapshot.name
  arn       = aws_sfn_state_machine.public_snapshot.arn

  # EventBridge assumes this role to call states:StartExecution on the target.
  role_arn = aws_iam_role.event_public_snapshot.arn
}
###########################
##### Eventbridge IAM #####
###########################
# IAM role that EventBridge assumes to start the remediation state machine.
resource "aws_iam_role" "event_public_snapshot" {
  name = "public-snapshot-events-role"

  # Trust policy: only the EventBridge service principal may assume the role.
  # NOTE(review): no aws:SourceAccount / aws:SourceArn condition is present;
  # AWS recommends one on service trust policies to mitigate confused-deputy
  # scenarios. Adding it needs the account ID, which this file does not
  # expose — confirm whether it should be wired in.
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { Service = "events.amazonaws.com" } }]
  })

  # Permissions are kept in a data source so they can be reviewed separately.
  # NOTE(review): recent AWS provider releases deprecate inline_policy in
  # favour of aws_iam_role_policy; confirm against the pinned provider version.
  inline_policy {
    name   = "public-snapshot-events-policy"
    policy = data.aws_iam_policy_document.events_policy.json
  }
}
# Permission set for the EventBridge role: it may start executions of the
# remediation state machine and nothing else (statement effect defaults to
# Allow).
data "aws_iam_policy_document" "events_policy" {
  statement {
    resources = [aws_sfn_state_machine.public_snapshot.arn]
    actions   = ["states:StartExecution"]
  }
}
###########################
###### Step Function ######
###########################
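# Remediation state machine: a single SDK task that revokes the public
# (group:all) create-volume permission on the snapshot named in the incoming
# CloudTrail event.
#
# The task is retried with exponential backoff: a throttled or transiently
# failing ModifySnapshotAttribute call would otherwise leave the snapshot
# public with no second attempt. Permanent errors (e.g. the snapshot was
# deleted in the meantime) exhaust the retries and fail the execution, which
# keeps them visible in the console and metrics.
resource "aws_sfn_state_machine" "public_snapshot" {
  name     = "public-snapshot"
  role_arn = aws_iam_role.sfn_public_snapshot.arn

  # Input is the full CloudTrail event forwarded by the EventBridge target,
  # hence the $.detail.requestParameters.snapshotId path.
  definition = <<EOF
{
  "Comment": "Removes group:all from snapshots",
  "StartAt": "RemoveAllPermission",
  "States": {
    "RemoveAllPermission": {
      "Type": "Task",
      "Comment": "Revoke the public create-volume permission on the snapshot from the CloudTrail event",
      "Resource": "arn:aws:states:::aws-sdk:ec2:modifySnapshotAttribute",
      "Parameters": {
        "SnapshotId.$": "$.detail.requestParameters.snapshotId",
        "CreateVolumePermission": {
          "Remove": [ { "Group": "all" } ]
        }
      },
      "Retry": [
        {
          "ErrorEquals": ["States.TaskFailed"],
          "IntervalSeconds": 5,
          "MaxAttempts": 5,
          "BackoffRate": 2.0
        }
      ],
      "End": true
    }
  }
}
EOF
}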
# Execution role for the remediation state machine.
resource "aws_iam_role" "sfn_public_snapshot" {
  name = "public-snapshot-sfn-role"

  # Trust policy: only the Step Functions service principal may assume the role.
  # NOTE(review): no aws:SourceAccount / aws:SourceArn condition is present;
  # AWS recommends one on service trust policies to mitigate confused-deputy
  # scenarios. Referencing the state machine ARN here would create a
  # dependency cycle, and the account ID is not exposed in this file — confirm
  # how (or whether) to scope it.
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { Service = "states.amazonaws.com" } }]
  })

  # NOTE(review): recent AWS provider releases deprecate inline_policy in
  # favour of aws_iam_role_policy; confirm against the pinned provider version.
  inline_policy {
    name   = "public-snapshot-sfn-policy"
    policy = data.aws_iam_policy_document.sfn_policy.json
  }
}
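# Permission set for the state machine role: modify snapshot attributes only.
data "aws_iam_policy_document" "sfn_policy" {
  statement {
    effect  = "Allow"
    actions = ["ec2:ModifySnapshotAttribute"]

    # ec2:ModifySnapshotAttribute supports snapshot-level resource ARNs, so the
    # grant is scoped to snapshots rather than "*". Snapshot ARNs carry no
    # account ID; the region is left open because this role may be reused
    # across regional deployments. The "aws" partition matches the partition
    # hard-coded in the state machine's integration ARN in this file.
    resources = ["arn:aws:ec2:*::snapshot/*"]
  }
}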