From 8d3ae0fe5e5a4e21ac45d1a06519e1a1e27739a0 Mon Sep 17 00:00:00 2001
From: Austin Byers
Date: Wed, 14 Feb 2018 15:00:52 -0800
Subject: [PATCH] Create re-usable Lambda Terraform module (#596)
---
 terraform/modules/tf_stream_alert/iam.tf | 194 +++++++++++++++++++++++
 1 file changed, 194 insertions(+)
diff --git a/terraform/modules/tf_stream_alert/iam.tf b/terraform/modules/tf_stream_alert/iam.tf
index d1835898c..8f4a087a0 100644
--- a/terraform/modules/tf_stream_alert/iam.tf
+++ b/terraform/modules/tf_stream_alert/iam.tf
@@ -110,3 +110,197 @@ data "aws_iam_policy_document" "streamalert_rule_processor_read_dynamodb" {
 ]
 }
 }
+
+// IAM Role: Alert Processor Execution Role
+resource "aws_iam_role" "streamalert_alert_processor_role" {
+ name = "${var.prefix}_${var.cluster}_streamalert_alert_processor_role"
+
+ assume_role_policy = "${data.aws_iam_policy_document.lambda_assume_role_policy.json}"
+}
+
+// IAM Role Policy: Allow the Alert Processor to decrypt secrets
+resource "aws_iam_role_policy" "streamalert_alert_processor_kms" {
+ name = "KmsDecryptSecrets"
+ role = "${aws_iam_role.streamalert_alert_processor_role.id}"
+
+ policy = "${data.aws_iam_policy_document.rule_processor_kms_decrypt.json}"
+}
+
+// IAM Policy Doc: KMS key permissions for decryption
+data "aws_iam_policy_document" "rule_processor_kms_decrypt" {
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "kms:Decrypt",
+ "kms:DescribeKey",
+ ]
+
+ resources = [
+ "${var.kms_key_arn}",
+ ]
+ }
+}
+
+// IAM Role Policy: Allow the Alert Processor to write objects to S3.
+// The default S3 bucket is also created by this module.
+resource "aws_iam_role_policy" "streamalert_alert_processor_s3" {
+ name = "S3WriteAlertsDefault"
+ role = "${aws_iam_role.streamalert_alert_processor_role.id}"
+
+ policy = "${data.aws_iam_policy_document.alert_processor_s3.json}"
+}
+
+// IAM Policy Doc: Allow fetching of secrets and putting of alerts
+data "aws_iam_policy_document" "alert_processor_s3" {
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:ListBucket",
+ ]
+
+ resources = [
+ "arn:aws:s3:::${var.prefix}.streamalerts/*",
+ ]
+ }
+
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "s3:GetObject",
+ ]
+
+ resources = [
+ "arn:aws:s3:::${var.prefix}.streamalert.secrets/*",
+ ]
+ }
+}
+
+// IAM Role Policy: Allow the Alert Processor to write CloudWatch logs
+resource "aws_iam_role_policy" "streamalert_alert_processor_cloudwatch" {
+ name = "CloudwatchWriteLogs"
+ role = "${aws_iam_role.streamalert_alert_processor_role.id}"
+
+ policy = "${data.aws_iam_policy_document.alert_processor_cloudwatch.json}"
+}
+
+// IAM Policy Doc: Allow creating log groups and events in any CloudWatch stream
+data "aws_iam_policy_document" "alert_processor_cloudwatch" {
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ ]
+
+ resources = [
+ "*",
+ ]
+ }
+}
+
+// IAM Role Policy: Allow the Alert Processor to invoke configured Lambda functions
+resource "aws_iam_role_policy" "streamalert_alert_processor_lambda" {
+ count = "${length(var.output_lambda_functions)}"
+ name = "LambdaInvoke${count.index}"
+ role = "${aws_iam_role.streamalert_alert_processor_role.id}"
+
+ policy = <