From 88b13060cc28dbcb4469c17f129102d8f1670ce5 Mon Sep 17 00:00:00 2001
From: lolli001
Date: Fri, 19 Jul 2024 17:49:29 -0400
Subject: [PATCH] Updated KMS
---
 iam_policy.tf | 62 ++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 56 insertions(+), 6 deletions(-)
diff --git a/iam_policy.tf b/iam_policy.tf
index 8fcfbfd..b557853 100644
--- a/iam_policy.tf
+++ b/iam_policy.tf
@@ -1,6 +1,6 @@
-resource "aws_iam_policy" "rhel_arm_codepipeline_permissions" {
- name = "rhel-arm-codepipeline-permissions"
- description = "IAM policy for RHEL ARM CodePipeline to access necessary CodeCommit repositories"
+resource "aws_iam_policy" "rhel_x86_codepipeline_permissions" {
+ name = "rhel-x86-codepipeline-permissions"
+ description = "IAM policy for RHEL x86 CodePipeline to access necessary AWS services"
 policy = jsonencode({
 Version = "2012-10-17"
 Statement = [
@@ -25,12 +25,62 @@ resource "aws_iam_policy" "rhel_arm_codepipeline_permissions" {
 "arn:aws-us-gov:codecommit:us-gov-west-1:229685449397:image-pipeline-ansible-playbooks",
 "arn:aws-us-gov:codecommit:us-gov-west-1:229685449397:image-pipeline-goss-testing"
 ]
+ },
+ {
+ Effect = "Allow"
+ Action = [
+ "ec2:DescribeInstances",
+ "ec2:DescribeImages",
+ "ec2:DescribeInstanceStatus",
+ "ec2:RunInstances",
+ "ec2:TerminateInstances",
+ "ec2:CreateTags",
+ "ec2:DescribeKeyPairs",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcs",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeSnapshots",
+ "ec2:CreateImage",
+ "ec2:CreateSnapshot",
+ "ec2:RegisterImage"
+ ]
+ Resource = "*"
+ },
+ {
+ Effect = "Allow"
+ Action = [
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:ListBucket"
+ ]
+ Resource = [
+ "arn:aws-us-gov:s3:::your-bucket-name",
+ "arn:aws-us-gov:s3:::your-bucket-name/*"
+ ]
+ },
+ {
+ Effect = "Allow"
+ Action = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:GenerateDataKey",
+ "kms:DescribeKey"
+ ]
+ Resource = "arn:aws:kms:us-gov-west-1:229685449397:key/your-key-id"
+ },
+ {
+ Effect = "Allow"
+ Action = [
+ "iam:PassRole"
+ ]
+ Resource = "arn:aws:iam::229685449397:role/rhel-x86-image-pipeline-demo-codepipeline-role"
 }
 ]
 })
 }
-resource "aws_iam_role_policy_attachment" "rhel_arm_codepipeline_role_attachment" {
- role = "rhel-arm-image-pipeline-demo-codepipeline-role"
- policy_arn = aws_iam_policy.rhel_arm_codepipeline_permissions.arn
+resource "aws_iam_role_policy_attachment" "rhel_x86_codepipeline_role_attachment" {
+ role = "rhel-x86-image-pipeline-demo-codepipeline-role"
+ policy_arn = aws_iam_policy.rhel_x86_codepipeline_permissions.arn
 }
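Review bot: The KMS and iam:PassRole resource ARNs added in this hunk use the commercial `arn:aws:` partition while every other ARN in the policy (the CodeCommit and S3 ones) uses `arn:aws-us-gov:`, so in us-gov-west-1 neither statement can match a real key or role and the pipeline's KMS and PassRole calls would be denied. Unless the key genuinely lives in the commercial partition, the two lines should read `Resource = "arn:aws-us-gov:kms:us-gov-west-1:229685449397:key/your-key-id"` and `Resource = "arn:aws-us-gov:iam::229685449397:role/rhel-x86-image-pipeline-demo-codepipeline-role"`. The `your-bucket-name` and `your-key-id` values look like template placeholders committed as-is and should be supplied from variables or data sources before this is applied. Separately, the EC2 statement grants `ec2:RunInstances`, `ec2:TerminateInstances`, `ec2:CreateTags` and `ec2:RegisterImage` on `Resource = "*"`; the Describe* calls need `*`, but the mutating actions could be narrowed to the pipeline's own resources (for example with a tag-based condition) and the `iam:PassRole` statement could carry an `iam:PassedToService` condition restricting it to EC2. The `aws_iam_policy` block holding these statements opens in the previous hunk.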