Add premission to copy ami (#136)

Bit-Doctor · web-flow · commit 87041841f0d5 · 2024-09-02T10:11:30.000+02:00
diff --git a/modules/scanning-delegate-role/main.tf b/modules/scanning-delegate-role/main.tf
@@ -21,12 +21,13 @@ data "aws_iam_policy_document" "scanning_orchestrator_policy_document" {
     resources = [
       "arn:${data.aws_partition.current.partition}:ec2:*:*:volume/*",
       "arn:${data.aws_partition.current.partition}:ec2:*:*:snapshot/*",
+      "arn:${data.aws_partition.current.partition}:ec2:*:*:image/*",
     ]
     // Allow specifying tags when creating snapshots or volumes
     condition {
       test     = "StringEquals"
       variable = "ec2:CreateAction"
-      values   = ["CreateSnapshot", "CreateVolume", "CopySnapshot"]
+      values   = ["CreateSnapshot", "CreateVolume", "CopySnapshot", "CopyImage"]
     }
   }
 
@@ -114,6 +115,50 @@ data "aws_iam_policy_document" "scanning_orchestrator_policy_document" {
     }
   }
 
+  statement {
+    sid    = "DatadogAgentlessScannerCopyImage"
+    effect = "Allow"
+    actions = [
+      "ec2:CopyImage"
+    ]
+    resources = [
+      "arn:${data.aws_partition.current.partition}:ec2:*:*:image/*",
+      "arn:${data.aws_partition.current.partition}:ec2:*:*:snapshot/*",
+    ]
+    // Enforcing created image has DatadogAgentlessScanner tag
+    condition {
+      test     = "StringEquals"
+      variable = "aws:RequestTag/DatadogAgentlessScanner"
+      values   = ["true"]
+    }
+    // Enforcing created image has only tags with DatadogAgentlessScanner* prefix
+    condition {
+      test     = "ForAllValues:StringLike"
+      variable = "aws:TagKeys"
+      values   = ["DatadogAgentlessScanner*"]
+    }
+  }
+
+  statement {
+    sid    = "DatadogAgentlessScannerImageCleanup"
+    effect = "Allow"
+    actions = [
+      // Allow deleting created images
+      "ec2:DeregisterImage",
+    ]
+    resources = [
+      "arn:${data.aws_partition.current.partition}:ec2:*:*:image/*",
+    ]
+
+    // Enforce that any of these actions can be performed on images
+    // that have the DatadogAgentlessScanner tag.
+    condition {
+      test     = "StringEquals"
+      variable = "aws:ResourceTag/DatadogAgentlessScanner"
+      values   = ["true"]
+    }
+  }
+
   statement {
     sid    = "DatadogAgentlessScannerDescribeSnapshots"
     effect = "Allow"
@@ -140,6 +185,19 @@ data "aws_iam_policy_document" "scanning_orchestrator_policy_document" {
     ]
   }
 
+  statement {
+    sid    = "DatadogAgentlessScannerDescribeImages"
+    effect = "Allow"
+    actions = [
+      // Required to be able to wait for image completion and cleanup. It
+      // cannot be restricted.
+      "ec2:DescribeImages",
+    ]
+    resources = [
+      "*",
+    ]
+  }
+
   statement {
     sid       = "DatadogAgentlessScannerCopyEncryptedSnapshotGrantKey"
     effect    = "Allow"
