Terraform: Central Monitoring Role
#==============================================================
# tom-butler / centralMonitoringRole.tf
#==============================================================
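# AWS account ID of the central logging/monitoring account. It is interpolated
# into the trust policy of the monitor role below, so only a role in that
# account can assume it. No default on purpose: the value must be supplied
# explicitly (e.g. via a .tfvars file) so the trust is never left pointing at
# a placeholder account.
variable "central_logging_account_id" {
  description = "Account ID of the central logging account whose monitoring role is allowed to assume central-logging-monitor"
}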
# The Role itself
#
# Cross-account trust: the only principal allowed to call sts:AssumeRole on
# this role is the named role in the central logging account
# (var.central_logging_account_id). Pinning the principal to a specific role
# ARN rather than the account root keeps the trust narrow. The trust policy
# carries no Condition block (no sts:ExternalId / source restriction); that is
# commonly acceptable when both accounts are under the same organisation's
# control — NOTE(review): confirm that is the case here, and that the
# central-account role name "monitoring_prodcloudwatch_access_role" is the
# intended one.
resource "aws_iam_role" "monitor_access_role" {
name = "central-logging-monitor"
path = "/"
# Trust policy as a JSON heredoc (JSON does not allow comments inside it).
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${var.central_logging_account_id}:role/monitoring_prodcloudwatch_access_role"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
# The policy to allow access to central monitoring
#
# Inline policy attached to the monitor role above. The single statement
# grants a broad read-style action set (Describe*/Get*/List* across most
# services) on Resource "*". Several entries go further than the metadata
# reads a monitoring integration needs and expose actual data held in this
# account, or invoke billable APIs, to the central account:
#   - object/record data: s3:Get*, dynamodb:GetItem/BatchGetItem/Query/Scan,
#     kinesis:Get*, sdb:Select*, glacier:GetJobOutput, es:ESHttpGet
#   - code, configuration and secrets-bearing material: codecommit:GitPull,
#     lambda:Get* (function configuration incl. environment variables),
#     cloudformation:Get* (templates), ssm:Get* (parameters),
#     ec2:GetConsoleOutput / GetConsoleScreenshot
#   - queue consumption: sqs:ReceiveMessage (received messages become
#     invisible to the real consumers for the visibility timeout)
#   - invocations: polly:SynthesizeSpeech, rekognition Compare/Detect/Search
# NOTE(review): which actions the central monitoring tooling actually calls is
# not visible here. If it only needs CloudWatch logs/metrics and resource
# metadata, the statement can be trimmed to the logs:/cloudwatch:/*Describe*
# family; confirm against the tooling's documented requirements before
# removing anything.
# Minor: logs:DescribeLogStreams (first entry) is already covered by
# logs:Describe* further down; harmless but redundant.
resource "aws_iam_role_policy" "monitor_access_policy" {
name = "central-logging-monitor-access"
role = "${aws_iam_role.monitor_access_role.id}"
# Permission document as a JSON heredoc (JSON does not allow comments inside it).
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:DescribeLogStreams",
"acm:DescribeCertificate",
"acm:GetCertificate",
"acm:ListCertificates",
"acm:ListTagsForCertificate",
"apigateway:GET",
"application-autoscaling:Describe*",
"appstream:Describe*",
"appstream:Get*",
"appstream:List*",
"autoscaling:Describe*",
"cloudformation:Describe*",
"cloudformation:Get*",
"cloudformation:List*",
"cloudfront:Get*",
"cloudfront:List*",
"cloudsearch:Describe*",
"cloudsearch:List*",
"cloudtrail:DescribeTrails",
"cloudtrail:GetEventSelectors",
"cloudtrail:GetTrailStatus",
"cloudtrail:LookupEvents",
"cloudtrail:ListTags",
"cloudtrail:ListPublicKeys",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"codebuild:BatchGetBuilds",
"codebuild:BatchGetProjects",
"codebuild:List*",
"codecommit:BatchGetRepositories",
"codecommit:Get*",
"codecommit:GitPull",
"codecommit:List*",
"codedeploy:Batch*",
"codedeploy:Get*",
"codedeploy:List*",
"config:Deliver*",
"config:Describe*",
"config:Get*",
"config:List*",
"datapipeline:DescribeObjects",
"datapipeline:DescribePipelines",
"datapipeline:EvaluateExpression",
"datapipeline:GetAccountLimits",
"datapipeline:GetPipelineDefinition",
"datapipeline:ListPipelines",
"datapipeline:QueryObjects",
"datapipeline:ValidatePipelineDefinition",
"directconnect:Describe*",
"dms:Describe*",
"dms:List*",
"ds:Check*",
"ds:Describe*",
"ds:Get*",
"ds:List*",
"ds:Verify*",
"dynamodb:BatchGetItem",
"dynamodb:DescribeLimits",
"dynamodb:DescribeReservedCapacity",
"dynamodb:DescribeReservedCapacityOfferings",
"dynamodb:DescribeTable",
"dynamodb:GetItem",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"dynamodb:Query",
"dynamodb:Scan",
"ec2:Describe*",
"ec2:GetConsoleOutput",
"ec2:GetConsoleScreenshot",
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:Describe*",
"ecr:Get*",
"ecr:List*",
"ecs:Describe*",
"ecs:List*",
"elasticache:Describe*",
"elasticache:List*",
"elasticbeanstalk:Check*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:RetrieveEnvironmentInfo",
"elasticfilesystem:Describe*",
"elasticloadbalancing:Describe*",
"elasticmapreduce:Describe*",
"elasticmapreduce:List*",
"elastictranscoder:List*",
"elastictranscoder:Read*",
"es:DescribeElasticsearchDomain",
"es:DescribeElasticsearchDomains",
"es:DescribeElasticsearchDomainConfig",
"es:ListDomainNames",
"es:ListTags",
"es:ESHttpGet",
"es:ESHttpHead",
"events:DescribeRule",
"events:ListRuleNamesByTarget",
"events:ListRules",
"events:ListTargetsByRule",
"events:TestEventPattern",
"firehose:Describe*",
"firehose:List*",
"glacier:ListVaults",
"glacier:DescribeVault",
"glacier:GetDataRetrievalPolicy",
"glacier:GetVaultAccessPolicy",
"glacier:GetVaultLock",
"glacier:GetVaultNotifications",
"glacier:ListJobs",
"glacier:ListMultipartUploads",
"glacier:ListParts",
"glacier:ListTagsForVault",
"glacier:DescribeJob",
"glacier:GetJobOutput",
"health:Describe*",
"health:Get*",
"health:List*",
"iam:GenerateCredentialReport",
"iam:GenerateServiceLastAccessedDetails",
"iam:Get*",
"iam:List*",
"inspector:Describe*",
"inspector:Get*",
"inspector:List*",
"inspector:LocalizeText",
"inspector:PreviewAgentsForResourceGroup",
"iot:Describe*",
"iot:Get*",
"iot:List*",
"kinesisanalytics:DescribeApplication",
"kinesisanalytics:DiscoverInputSchema",
"kinesisanalytics:GetApplicationState",
"kinesisanalytics:ListApplications",
"kinesis:Describe*",
"kinesis:Get*",
"kinesis:List*",
"kms:Describe*",
"kms:Get*",
"kms:List*",
"lambda:List*",
"lambda:Get*",
"logs:Describe*",
"logs:Get*",
"logs:FilterLogEvents",
"logs:TestMetricFilter",
"machinelearning:Describe*",
"machinelearning:Get*",
"mobilehub:GetProject",
"mobilehub:ListAvailableFeatures",
"mobilehub:ListAvailableRegions",
"mobilehub:ListProjects",
"mobilehub:ValidateProject",
"mobilehub:VerifyServiceRole",
"opsworks:Describe*",
"opsworks:Get*",
"organizations:Describe*",
"organizations:List*",
"polly:Describe*",
"polly:Get*",
"polly:List*",
"polly:SynthesizeSpeech",
"rekognition:CompareFaces",
"rekognition:DetectFaces",
"rekognition:DetectLabels",
"rekognition:List*",
"rekognition:SearchFaces",
"rekognition:SearchFacesByImage",
"rds:Describe*",
"rds:ListTagsForResource",
"redshift:Describe*",
"redshift:ViewQueriesInConsole",
"route53:Get*",
"route53:List*",
"route53domains:CheckDomainAvailability",
"route53domains:GetDomainDetail",
"route53domains:GetOperationDetail",
"route53domains:ListDomains",
"route53domains:ListOperations",
"route53domains:ListTagsForDomain",
"s3:Get*",
"s3:List*",
"sdb:GetAttributes",
"sdb:List*",
"sdb:Select*",
"ses:Get*",
"ses:List*",
"shield:Describe*",
"shield:List*",
"sns:Get*",
"sns:List*",
"sqs:GetQueueAttributes",
"sqs:ListQueues",
"sqs:ReceiveMessage",
"ssm:Describe*",
"ssm:Get*",
"ssm:List*",
"states:ListStateMachines",
"states:ListActivities",
"states:DescribeStateMachine",
"states:ListExecutions",
"states:DescribeExecution",
"states:GetExecutionHistory",
"states:DescribeActivity",
"storagegateway:Describe*",
"storagegateway:List*",
"swf:Count*",
"swf:Describe*",
"swf:Get*",
"swf:List*",
"tag:Get*",
"trustedadvisor:Describe*",
"waf:Get*",
"waf:List*",
"workspaces:Describe*",
"xray:BatchGetTraces",
"xray:Get*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
EOF
}