-
Notifications
You must be signed in to change notification settings - Fork 1
/
iam.tf
91 lines (78 loc) · 2.78 KB
/
iam.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
locals {
splunk_token_secret_arn_list = var.log_driver == "splunk" ? [local.keycloak_splunk_token_secret_arn] : []
}
data "aws_iam_policy_document" "assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ecs-tasks.amazonaws.com"]
}
}
}
resource "aws_iam_role" "keycloak-ecs-execution-task-role" {
name = "keycloak-${var.environment}-ecs-execution-task-role"
assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
tags = var.tags
}
resource "aws_iam_role_policy_attachment" "ecs-execution-task-policy" {
role = aws_iam_role.keycloak-ecs-execution-task-role.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
}
# IAM Role for RDS Enhanced Monitoring
resource "aws_iam_role" "keycloak-db-monitoring-role" {
name = "keycloak-${var.environment}-db-monitoring-role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Sid = ""
Principal = {
Service = "monitoring.rds.amazonaws.com"
}
},
]
})
managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"]
tags = var.tags
}
# inline policy for Secrets Manager access, attached to the task execution role created by the ECS module
resource "aws_iam_role_policy" "inline-keycloak-secretsmanager" {
name = "secretsmanager-keycloak-${var.environment}"
role = aws_iam_role.keycloak-ecs-execution-task-role.name
policy = data.aws_iam_policy_document.inline-keycloak-secretsmanager-doc.json
}
# iam policy document for inline-keycloak-secretsmanager above
data "aws_iam_policy_document" "inline-keycloak-secretsmanager-doc" {
statement {
actions = ["secretsmanager:GetSecretValue"]
effect = "Allow"
resources = concat(
[
aws_secretsmanager_secret.keycloak-admin-password.arn,
aws_secretsmanager_secret.keycloak-database-password.arn,
],
local.splunk_token_secret_arn_list
)
}
}
# allow Keycloak to publish messages to SQS
resource "aws_iam_role_policy" "keycloak_to_app_user_updates_publish" {
count = length(var.applications_to_update) > 0 ? 1 : 0
name = "keycloak-${var.environment}-app-user-updates-publish"
role = aws_iam_role.keycloak-ecs-execution-task-role.name
policy = data.aws_iam_policy_document.keycloak_to_app_user_updates_publish.json
}
data "aws_iam_policy_document" "keycloak_to_app_user_updates_publish" {
statement {
sid = "AllowSendFromKeycloak"
effect = "Allow"
actions = [
"sqs:GetQueueUrl",
"sqs:SendMessage"
]
resources = [ for queue in aws_sqs_queue.keycloak_to_app_user_updates : queue.arn ]
}
}