feat(RAIN-94239): Rm modify terraform to add a policy (#127)

* Adding a new policy to avoid iam policy char limit Adding permission for FIS and codeartifact Adding tag call permissions for ses,backup,amp * Fix bug * remove empty line * Added comments to the code to explain why we need another policy Added explanation to the README file as well * Add terraform doc * Adding permission for kinesis video Adding permission for compute optimizer * Revise the name for the policy to be more verbose * Fix typo * Updated the doc * Move new permissions all into the new policy Updated readme
lacework · Jan 30, 2025 · 664dfaa · 664dfaa
1 parent 109ff6c
commit 664dfaa
Show file tree

Hide file tree

Showing 2 changed files with 104 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -38,12 +38,15 @@ Terraform module for configuring an integration with Lacework and AWS for cloud
 | Name | Type |
 |------|------|
 | [aws_iam_policy.lacework_audit_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.lacework_audit_policy_2025_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role_policy_attachment.lacework_audit_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.lacework_audit_policy_attachment_b](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.security_audit_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [lacework_integration_aws_cfg.default](https://registry.terraform.io/providers/lacework/lacework/latest/docs/resources/integration_aws_cfg) | resource |
 | [random_id.uniq](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
 | [time_sleep.wait_time](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [aws_iam_policy_document.lacework_audit_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.lacework_audit_policy_2025_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [lacework_metric_module.lwmetrics](https://registry.terraform.io/providers/lacework/lacework/latest/docs/data-sources/metric_module) | data source |
 
 ## Inputs
@@ -76,6 +79,7 @@ Terraform module for configuring an integration with Lacework and AWS for cloud
 ## Lacework Audit Policy
 
 The Lacework audit policy extends the SecurityAudit policy to facilitate the reading of additional configuration resources.
+As of 1/22/2025, we have exceeded the limit of 6144 characters for a single policy, thus every service starting with KINESISVIDEO are in a new policy: lwaudit-policy-${random_id.uniq.hex}-2025-1
 The audit policy is comprised of the following permissions:
 
 | sid                        | actions                                                 | resources |
@@ -174,14 +178,18 @@ The audit policy is comprised of the following permissions:
 |                            | compute-optimizer:GetEBSVolumeRecommendations           |           |
 |                            | compute-optimizer:GetEC2InstanceRecommendations         |           |
 |                            | compute-optimizer:GetEnrollmentStatus                   |           |
-|                            | compute-optimizer:GetEnrollmentStatusesForOrganization  |           |
 |                            | compute-optimizer:GetLambdaFunctionRecommendations      |           |
 |                            | compute-optimizer:GetRecommendationPreferences          |           |
 |                            | compute-optimizer:GetRecommendationSummaries            |           |
+|                            | compute-optimizer:GetEcsServiceRecommendations          |           |
+|                            | compute-optimizer:GetLicenseRecommendations             |           |
 | KINESISANALYTICS           | kinesisanalytics:ListApplicationSnapshots               |           |
 |                            | kinesisanalytics:ListApplicationVersions                |           |
 |                            | kinesisanalytics:DescribeApplicationVersion             |           |
 |                            | kinesisanalytics:DescribeApplication                    |           |
+| KINESISVIDEO               | kinesisvideo:GetSignalingChannelEndpoint                | *         |
+|                            | kinesisvideo:GetDataEndpoint                            |           |
+|                            | kinesisvideo:DescribeImageGenerationConfiguration       |           |
 | AMP                        | aps:ListScrapers                                        | *         |
 |                            | aps:DescribeScraper                                     |           |
 |                            | aps:ListWorkspaces                                      |           |
@@ -195,3 +203,23 @@ The audit policy is comprised of the following permissions:
 | PERSONALIZE                | personalize:Describe*                                   |           |
 |                            | personalize:List*                                       |           |
 |                            | personalize:GetSolutionMetrics                          |           |
+| CODEARTIFACT               | codeartifact:ListDomains                                | *         |
+|                            | codeartifact:DescribeDomain                             |           |
+|                            | codeartifact:DescribeRepository                         |           |
+|                            | codeartifact:ListPackages                               |           |
+|                            | codeartifact:GetRepositoryEndpoint                      |           |
+|                            | codeartifact:DescribePackage                            |           |
+|                            | codeartifact:ListPackageVersions                        |           |
+|                            | codeartifact:DescribePackageVersion                     |           |
+|                            | codeartifact:GetPackageVersionReadme                    |           |
+|                            | codeartifact:ListPackageVersionDependencies             |           |
+|                            | codeartifact:ListPackageVersionAssets                   |           |
+|                            | codeartifact:GetPackageVersionAsset                     |           |
+| FIS                        | fis:ListActions                                         | *         |
+|                            | fis:GetAction                                           |           |
+|                            | fis:ListExperimentTemplates                             |           |
+|                            | fis:GetExperimentTemplate                               |           |
+|                            | fis:ListTargetAccountConfigurations                     |           |
+|                            | fis:ListExperiments                                     |           |
+|                            | fis:GetExperiment                                       |           |
+|                            | fis:ListExperimentResolvedTargets                       |           |
diff --git a/main.tf b/main.tf
@@ -5,6 +5,7 @@ locals {
   lacework_audit_policy_name = (
     length(var.lacework_audit_policy_name) > 0 ? var.lacework_audit_policy_name : "lwaudit-policy-${random_id.uniq.hex}"
   )
+  lacework_audit_policy_name_2025_1 = "${local.lacework_audit_policy_name}-2025-1"
   version_file   = "${abspath(path.module)}/VERSION"
   module_name    = "terraform-aws-config"
   module_version = fileexists(local.version_file) ? file(local.version_file) : ""
@@ -167,6 +168,7 @@ data "aws_iam_policy_document" "lacework_audit_policy" {
       "ses:ListRecommendations",
       "ses:ListSuppressedDestinations",
       "ses:GetSuppressedDestination",
+      "ses:ListTagsForResource",
     ]
     resources = ["*"]
   }
@@ -197,6 +199,7 @@ data "aws_iam_policy_document" "lacework_audit_policy" {
       "backup:ListRecoveryPointsByResource",
       "backup:ListReportPlans",
       "backup:ListRestoreJobs",
+      "backup:ListTags",
     ]
     resources = ["*"]
   }
@@ -220,10 +223,11 @@ data "aws_iam_policy_document" "lacework_audit_policy" {
       "compute-optimizer:GetEBSVolumeRecommendations",
       "compute-optimizer:GetEC2InstanceRecommendations",
       "compute-optimizer:GetEnrollmentStatus",
-      "compute-optimizer:GetEnrollmentStatusesForOrganization",
       "compute-optimizer:GetLambdaFunctionRecommendations",
       "compute-optimizer:GetRecommendationPreferences",
-      "compute-optimizer:GetRecommendationSummaries"
+      "compute-optimizer:GetRecommendationSummaries",
+      "compute-optimizer:GetEcsServiceRecommendations",
+      "compute-optimizer:GetLicenseRecommendations",
     ]
     resources = ["*"]
   }
@@ -237,6 +241,58 @@ data "aws_iam_policy_document" "lacework_audit_policy" {
     ]
     resources = ["*"]
   }
+}
+
+# AWS iam allows only 6144 characters in a single policy
+# We've come to a point where there are too many actions in a single policy which is causing the policy to exceed the limit
+# So we needed a new policy to accommodate the overflow of actions, thus we added this new policy "lacework_audit_policy_2025_1"
+# Which representing the first new policy in 2025
+data "aws_iam_policy_document" "lacework_audit_policy_2025_1" {
+  count   = var.use_existing_iam_role_policy ? 0 : 1
+  version = "2012-10-17"
+
+  statement {
+    sid = "CODEARTIFACT"
+    actions = ["codeartifact:ListDomains",
+      "codeartifact:DescribeDomain",
+      "codeartifact:DescribeRepository",
+      "codeartifact:ListPackages",
+      "codeartifact:GetRepositoryEndpoint",
+      "codeartifact:DescribePackage",
+      "codeartifact:ListPackageVersions",
+      "codeartifact:DescribePackageVersion",
+      "codeartifact:GetPackageVersionReadme",
+      "codeartifact:ListPackageVersionDependencies",
+      "codeartifact:ListPackageVersionAssets",
+      "codeartifact:GetPackageVersionAsset",
+      "codeartifact:ListTagsForResource",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "FIS"
+    actions = ["fis:ListActions",
+        "fis:GetAction",
+        "fis:ListExperimentTemplates",
+        "fis:GetExperimentTemplate",
+        "fis:ListTargetAccountConfigurations",
+        "fis:ListExperiments",
+        "fis:GetExperiment",
+        "fis:ListExperimentResolvedTargets",
+        "fis:ListTagsForResource",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "KINESISVIDEO"
+    actions = ["kinesisvideo:GetSignalingChannelEndpoint",
+      "kinesisvideo:GetDataEndpoint",
+      "kinesisvideo:DescribeImageGenerationConfiguration",
+    ]
+    resources = ["*"]
+  }
 
   statement {
     sid = "AMP"
@@ -248,6 +304,7 @@ data "aws_iam_policy_document" "lacework_audit_policy" {
       "aps:DescribeWorkspace",
       "aps:ListRuleGroupsNamespaces",
       "aps:DescribeRuleGroupsNamespace",
+      "aps:ListTagsForResource",
     ]
     resources = ["*"]
   }
@@ -278,20 +335,36 @@ resource "aws_iam_policy" "lacework_audit_policy" {
   tags        = var.tags
 }
 
+resource "aws_iam_policy" "lacework_audit_policy_2025_1" {
+  count       = var.use_existing_iam_role_policy ? 0 : 1
+  name        = local.lacework_audit_policy_name_2025_1
+  description = "An audit policy to allow Lacework to read configs (extends SecurityAudit), this is the second policy"
+  policy      = data.aws_iam_policy_document.lacework_audit_policy_2025_1[0].json
+  tags        = var.tags
+}
+
 resource "aws_iam_role_policy_attachment" "lacework_audit_policy_attachment" {
   count      = var.use_existing_iam_role_policy ? 0 : 1
   role       = local.iam_role_name
   policy_arn = aws_iam_policy.lacework_audit_policy[0].arn
   depends_on = [module.lacework_cfg_iam_role]
 }
 
+resource "aws_iam_role_policy_attachment" "lacework_audit_policy_attachment_b" {
+  count      = var.use_existing_iam_role_policy ? 0 : 1
+  role       = local.iam_role_name
+  policy_arn = aws_iam_policy.lacework_audit_policy_2025_1[0].arn
+  depends_on = [module.lacework_cfg_iam_role]
+}
+
 # wait for X seconds for things to settle down in the AWS side
 # before trying to create the Lacework external integration
 resource "time_sleep" "wait_time" {
   create_duration = var.wait_time
   depends_on = [
     aws_iam_role_policy_attachment.security_audit_policy_attachment,
     aws_iam_role_policy_attachment.lacework_audit_policy_attachment,
+    aws_iam_role_policy_attachment.lacework_audit_policy_attachment_b,
   ]
 }