Terraform: Central Monitoring Role
#==============================================================
# tom-butler / centralMonitoringRole.tf
#==============================================================
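# Required input (no default): the AWS account id of the central logging /
# monitoring account. It is interpolated into the trust policy of
# aws_iam_role.monitor_access_role, so the value decides which account's
# monitoring role is allowed to assume the role created in this file.
variable "central_logging_account_id" {
  description = "AWS account id of the central logging account whose monitoring role may assume the central-logging-monitor role"
}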
# The role that the central logging account assumes
resource "aws_iam_role" "monitor_access_role" {
  # Fixed name under the root path, so the role ARN the central account has
  # to reference is arn:aws:iam::<this account>:role/central-logging-monitor.
  name = "central-logging-monitor"
  path = "/"

  # Trust policy. The single statement lets exactly one principal call
  # sts:AssumeRole: the role monitoring_prodcloudwatch_access_role in the
  # account given by var.central_logging_account_id (not that account's root,
  # so it does not delegate to every identity over there). There is no
  # Condition block - no sts:ExternalId, MFA or source constraint - which is
  # usual for an account inside the same organisation; NOTE(review): confirm
  # that is intended. The empty "Sid" is accepted by IAM and carries no
  # meaning. What the role may do once assumed is granted separately by
  # aws_iam_role_policy.monitor_access_policy.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${var.central_logging_account_id}:role/monitoring_prodcloudwatch_access_role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}
# The inline policy that grants the role its access for central monitoring
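resource "aws_iam_role_policy" "monitor_access_policy" {
  name = "central-logging-monitor-access"

  # aws_iam_role.id is the role name, so this inline policy is bound to
  # central-logging-monitor and is removed together with the role.
  role = "${aws_iam_role.monitor_access_role.id}"

  # One Allow statement over "Resource": "*", i.e. every resource in this
  # account. The action list is Describe/Get/List style across many services
  # (NOTE(review): it looks like a copy of the AWS-managed ReadOnlyAccess
  # policy of the time - confirm), which is much wider than the
  # CloudWatch/Logs monitoring the role name suggests. In particular:
  #   - several entries read data contents, not just configuration:
  #     s3:Get* (objects), dynamodb:GetItem/BatchGetItem/Query/Scan (items),
  #     sqs:ReceiveMessage (messages), codecommit:GitPull (source),
  #     lambda:Get* (function packages), ecr:BatchGetImage/ecr:Get* (image
  #     layers), es:ESHttpGet (index contents), glacier:GetJobOutput,
  #     ec2:GetConsoleOutput/GetConsoleScreenshot;
  #   - polly:SynthesizeSpeech and the rekognition:* actions invoke paid
  #     analysis APIs rather than read account state;
  #   - ssm:Get* includes GetParameter(s); reading SecureString values in
  #     plaintext would additionally need kms:Decrypt, which is not granted.
  #   The logs:* entries (Describe*, Get*, FilterLogEvents) are the part that
  #   matches the stated purpose.
  # Prefer trimming this list to the calls the central monitoring tooling
  # actually makes, and narrowing Resource where the service supports it.
  # Keeping an explicit inline list (instead of attaching the managed
  # ReadOnlyAccess ARN) is the right shape for that: it does not grow
  # silently as AWS extends the managed policy. logs:DescribeLogStreams is
  # already covered by logs:Describe* and is therefore not listed on its own.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "acm:DescribeCertificate",
        "acm:GetCertificate",
        "acm:ListCertificates",
        "acm:ListTagsForCertificate",
        "apigateway:GET",
        "application-autoscaling:Describe*",
        "appstream:Describe*",
        "appstream:Get*",
        "appstream:List*",
        "autoscaling:Describe*",
        "cloudformation:Describe*",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudfront:Get*",
        "cloudfront:List*",
        "cloudsearch:Describe*",
        "cloudsearch:List*",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetEventSelectors",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:LookupEvents",
        "cloudtrail:ListTags",
        "cloudtrail:ListPublicKeys",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "codebuild:BatchGetBuilds",
        "codebuild:BatchGetProjects",
        "codebuild:List*",
        "codecommit:BatchGetRepositories",
        "codecommit:Get*",
        "codecommit:GitPull",
        "codecommit:List*",
        "codedeploy:Batch*",
        "codedeploy:Get*",
        "codedeploy:List*",
        "config:Deliver*",
        "config:Describe*",
        "config:Get*",
        "config:List*",
        "datapipeline:DescribeObjects",
        "datapipeline:DescribePipelines",
        "datapipeline:EvaluateExpression",
        "datapipeline:GetAccountLimits",
        "datapipeline:GetPipelineDefinition",
        "datapipeline:ListPipelines",
        "datapipeline:QueryObjects",
        "datapipeline:ValidatePipelineDefinition",
        "directconnect:Describe*",
        "dms:Describe*",
        "dms:List*",
        "ds:Check*",
        "ds:Describe*",
        "ds:Get*",
        "ds:List*",
        "ds:Verify*",
        "dynamodb:BatchGetItem",
        "dynamodb:DescribeLimits",
        "dynamodb:DescribeReservedCapacity",
        "dynamodb:DescribeReservedCapacityOfferings",
        "dynamodb:DescribeTable",
        "dynamodb:GetItem",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "dynamodb:Query",
        "dynamodb:Scan",
        "ec2:Describe*",
        "ec2:GetConsoleOutput",
        "ec2:GetConsoleScreenshot",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:Describe*",
        "ecr:Get*",
        "ecr:List*",
        "ecs:Describe*",
        "ecs:List*",
        "elasticache:Describe*",
        "elasticache:List*",
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticfilesystem:Describe*",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:Describe*",
        "elasticmapreduce:List*",
        "elastictranscoder:List*",
        "elastictranscoder:Read*",
        "es:DescribeElasticsearchDomain",
        "es:DescribeElasticsearchDomains",
        "es:DescribeElasticsearchDomainConfig",
        "es:ListDomainNames",
        "es:ListTags",
        "es:ESHttpGet",
        "es:ESHttpHead",
        "events:DescribeRule",
        "events:ListRuleNamesByTarget",
        "events:ListRules",
        "events:ListTargetsByRule",
        "events:TestEventPattern",
        "firehose:Describe*",
        "firehose:List*",
        "glacier:ListVaults",
        "glacier:DescribeVault",
        "glacier:GetDataRetrievalPolicy",
        "glacier:GetVaultAccessPolicy",
        "glacier:GetVaultLock",
        "glacier:GetVaultNotifications",
        "glacier:ListJobs",
        "glacier:ListMultipartUploads",
        "glacier:ListParts",
        "glacier:ListTagsForVault",
        "glacier:DescribeJob",
        "glacier:GetJobOutput",
        "health:Describe*",
        "health:Get*",
        "health:List*",
        "iam:GenerateCredentialReport",
        "iam:GenerateServiceLastAccessedDetails",
        "iam:Get*",
        "iam:List*",
        "inspector:Describe*",
        "inspector:Get*",
        "inspector:List*",
        "inspector:LocalizeText",
        "inspector:PreviewAgentsForResourceGroup",
        "iot:Describe*",
        "iot:Get*",
        "iot:List*",
        "kinesisanalytics:DescribeApplication",
        "kinesisanalytics:DiscoverInputSchema",
        "kinesisanalytics:GetApplicationState",
        "kinesisanalytics:ListApplications",
        "kinesis:Describe*",
        "kinesis:Get*",
        "kinesis:List*",
        "kms:Describe*",
        "kms:Get*",
        "kms:List*",
        "lambda:List*",
        "lambda:Get*",
        "logs:Describe*",
        "logs:Get*",
        "logs:FilterLogEvents",
        "logs:TestMetricFilter",
        "machinelearning:Describe*",
        "machinelearning:Get*",
        "mobilehub:GetProject",
        "mobilehub:ListAvailableFeatures",
        "mobilehub:ListAvailableRegions",
        "mobilehub:ListProjects",
        "mobilehub:ValidateProject",
        "mobilehub:VerifyServiceRole",
        "opsworks:Describe*",
        "opsworks:Get*",
        "organizations:Describe*",
        "organizations:List*",
        "polly:Describe*",
        "polly:Get*",
        "polly:List*",
        "polly:SynthesizeSpeech",
        "rekognition:CompareFaces",
        "rekognition:DetectFaces",
        "rekognition:DetectLabels",
        "rekognition:List*",
        "rekognition:SearchFaces",
        "rekognition:SearchFacesByImage",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "redshift:Describe*",
        "redshift:ViewQueriesInConsole",
        "route53:Get*",
        "route53:List*",
        "route53domains:CheckDomainAvailability",
        "route53domains:GetDomainDetail",
        "route53domains:GetOperationDetail",
        "route53domains:ListDomains",
        "route53domains:ListOperations",
        "route53domains:ListTagsForDomain",
        "s3:Get*",
        "s3:List*",
        "sdb:GetAttributes",
        "sdb:List*",
        "sdb:Select*",
        "ses:Get*",
        "ses:List*",
        "shield:Describe*",
        "shield:List*",
        "sns:Get*",
        "sns:List*",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "ssm:Describe*",
        "ssm:Get*",
        "ssm:List*",
        "states:ListStateMachines",
        "states:ListActivities",
        "states:DescribeStateMachine",
        "states:ListExecutions",
        "states:DescribeExecution",
        "states:GetExecutionHistory",
        "states:DescribeActivity",
        "storagegateway:Describe*",
        "storagegateway:List*",
        "swf:Count*",
        "swf:Describe*",
        "swf:Get*",
        "swf:List*",
        "tag:Get*",
        "trustedadvisor:Describe*",
        "waf:Get*",
        "waf:List*",
        "workspaces:Describe*",
        "xray:BatchGetTraces",
        "xray:Get*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}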