Adding permissions in AWS trust relationship module

modules/services/trust-relationship/README.md

@@ -3,7 +3,9 @@
 This module will deploy a Trust Relationship (IAM Role) into a single AWS account, or each account within an AWS Organization.
 
 The following resources will be created in each instrumented account:
-- An IAM Role and associated IAM Policiy (`arn:aws:iam::aws:policy/SecurityAudit`) to grant Sysdig read only permissions to secure you AWS Account.
+- An IAM Role and associated IAM Policies mentioned below to grant Sysdig read only permissions to secure you AWS Account:
+    - `arn:aws:iam::aws:policy/SecurityAudit`
+    - a custom policy (`custom_resources_policy`)
     - An Access Policy attached to this role using a Sysdig provided `ExternalId`. 
 
 If instrumenting an AWS Organization, an `aws_cloudformation_stack_set` will be created in the Management Account. 
@@ -34,6 +36,7 @@ No modules.
 | [aws_cloudformation_stack_set_instance.stackset_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource |
 | [aws_iam_role.cspm_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
+| [aws_iam_policy_document.custom_resources_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 

modules/services/trust-relationship/main.tf

@@ -37,6 +37,58 @@ resource "aws_iam_role" "cspm_role" {
 }
 EOF
   managed_policy_arns = ["arn:aws:iam::aws:policy/SecurityAudit"]
+  inline_policy {
+    name   = var.role_name
+    policy = data.aws_iam_policy_document.custom_resources_policy.json
+  }
+}
+
+# Custom IAM Policy Document used by trust-relationship role
+data "aws_iam_policy_document" "custom_resources_policy" {
+
+  statement {
+    sid = "DescribeEFSAccessPoints"
+
+    effect = "Allow"
+
+    actions = [
+      "elasticfilesystem:DescribeAccessPoints",
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
+
+  statement {
+    sid = "ListWafRegionalRulesAndRuleGroups"
+
+    effect = "Allow"
+
+    actions = [
+      "waf-regional:ListRules",
+      "waf-regional:ListRuleGroups",
+    ]
+
+    resources = [
+      "arn:aws:waf-regional:*:*:rule/*",
+      "arn:aws:waf-regional:*:*:rulegroup/*"
+    ]
+  }
+
+  statement {
+    sid = "AccessAccountContactInfo"
+
+    effect = "Allow"
+
+    actions = [
+      "account:GetContactInformation",
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
 }
 
 #----------------------------------------------------------
@@ -77,6 +129,28 @@ Resources:
                 sts:ExternalId: ${var.external_id}
       ManagedPolicyArns:
         - "arn:aws:iam::aws:policy/SecurityAudit"
+      Policies:
+        - PolicyName: ${var.role_name}
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Sid: "DescribeEFSAccessPoints"
+                Effect: "Allow"
+                Action: "elasticfilesystem:DescribeAccessPoints"
+                Resource: "*"
+              - Sid: "ListWafRegionalRulesAndRuleGroups"
+                Effect: "Allow"
+                Action:
+                  - "waf-regional:ListRules"
+                  - "waf-regional:ListRuleGroups"
+                Resource:
+                  - "arn:aws:waf-regional:*:*:rule/*"
+                  - "arn:aws:waf-regional:*:*:rulegroup/*"
+              - Sid: "AccessAccountContactInfo"
+                Effect: "Allow"
+                Action:
+                  - "account:GetContactInformation"
+                Resource: "*"
 TEMPLATE
 }