
Improves Codebuild Projects

Improvements for lcp-magic-machine that make it support multiple projects.
Improvements for codebuild_project_no_artifact to support multiple build sources.
Brad Poulton 3 éve
szülő
commit
365784c4c5

+ 5 - 1
base/codebuild_lcp_magic_machine/README.md

@@ -1,6 +1,10 @@
 # Codebuild_xdr_lcp
 
-This module is used to create an OCI LCP image with codebuild, an AMI, and a baremetal AWS instance. This is prefered to creating the VM on personal Laptops. For OCI and VMware LCP images, the images can not be created in AWS. 
+This module is used to create an OCI LCP image with codebuild, an AMI, and a baremetal AWS instance. This is prefered to creating the VM on personal Laptops. For OCI and VMware LCP images, the images can not be created in AWS. It uses the Terraform GitHub Provider and requires a Personal Access Token. This should be your Personal Access Token not mdr-aws-codebuild's token (see how-to below). The provider will look in the environmental variables for the token. 
+
+```
+export GITHUB_TOKEN=<gihub_token>
+```
 
 See xdr-images/base/rhel7/oci/README.md for more information. 
 

+ 4 - 4
base/codebuild_lcp_magic_machine/iam.tf

@@ -117,12 +117,12 @@
 # Policy for the Magic Machine iam-instance-policy
 
 resource "aws_iam_instance_profile" "magic_machine" {
-  name = "msoc-magic-machine-instance-profile"
+  name = "msoc-magic-machine-instance-profile-${var.name}"
   role = aws_iam_role.magic_machine_instance_role.name
 }
 
 resource "aws_iam_role" "magic_machine_instance_role" {
-  name               = "msoc-magic-machine-instance-role"
+  name               = "msoc-magic-machine-instance-role-${var.name}"
   path               = "/aws_services/"
   assume_role_policy = <<EOF
 {
@@ -145,9 +145,9 @@ EOF
 }
 
 resource "aws_iam_policy" "magic_machine_policy" {
-  name        = "magic_machine_s3_access"
+  name        = "magic_machine_s3_access_${var.name}"
   path        = "/launchroles/"
-  description = "This policy allows the magic machine to push the image to S3"
+  description = "This policy allows the magic machine to push the image to S3 for ${var.name}"
   policy      = data.aws_iam_policy_document.magic_machine_instance_policy_s3_binaries_doc.json
 }
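Review bot: Interpolating `${var.name}` into `name` on the `aws_iam_instance_profile`, `aws_iam_role` and `aws_iam_policy` lines forces Terraform to destroy and recreate all three for every existing deployment, and `aws_iam_role.name` is limited to 64 characters, so the 33-character prefix `msoc-magic-machine-instance-role-` leaves room for only 31 characters of `var.name`. A `validation` block on `var.name` (length plus the IAM-permitted character set) would turn an over-long or badly formed value into a plan-time error rather than an apply failure; the variable's declaration is not in this diff, so I cannot tell whether one exists. The same rename-forces-replacement applies to the two `aws_security_group` blocks in security-group.tf, where a `lifecycle { create_before_destroy = true }` would avoid deleting an in-use group before its replacement exists. The `aws_iam_role` block continues past the end of the first hunk.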
 

+ 1 - 0
base/codebuild_lcp_magic_machine/main.tf

@@ -80,6 +80,7 @@ resource "aws_codebuild_project" "this" {
 }
 
 resource "aws_codebuild_webhook" "this" {
+  # Disable the webhook for now. It is too aggresive when making quick changes.
   project_name = var.name
   filter_group {
     filter {
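Review bot: The comment added above `project_name` says the webhook is disabled, but nothing in the hunk disables it — the `aws_codebuild_webhook` resource is still declared, so it will still be created and presumably still trigger builds on events matching its `filter_group`. Either make the code match the comment, e.g. `count = var.enable_webhook ? 1 : 0` with a default of `false` (a placeholder variable name that would need declaring in vars.tf), or reword the comment to what is actually true, such as `# TODO: the webhook is too aggressive when making quick changes; consider gating it behind a variable.` As written a reader would assume no builds are triggered from pushes, which is the opposite of the deployed behaviour. The resource block continues past the end of the hunk.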

+ 4 - 4
base/codebuild_lcp_magic_machine/security-group.tf

@@ -9,8 +9,8 @@ data "aws_subnet" "this" {
 }
 
 resource "aws_security_group" "this" {
-  name        = "magic_machine_security_group"
-  description = "Security Group for magic machine"
+  name        = "${var.name}_magic_machine_security_group"
+  description = "Security Group for magic machine ${var.name}"
   tags        = merge(var.standard_tags, var.tags)
   vpc_id      = data.aws_vpc.this.id
 }
@@ -37,8 +37,8 @@ resource "aws_security_group_rule" "allow_outbound_mm" {
 
 
 resource "aws_security_group" "codebuild" {
-  name        = "codebuild_security_group"
-  description = "Security Group for codebuild"
+  name        = "${var.name}_codebuild_security_group"
+  description = "Security Group for codebuild ${var.name}"
   tags        = merge(var.standard_tags, var.tags)
   vpc_id      = data.aws_vpc.this.id
 }

+ 21 - 0
base/codebuild_project_no_artifact/codebuild.tf

@@ -15,6 +15,27 @@ resource "aws_codebuild_project" "this" {
 
   source_version = var.source_version
 
+  dynamic secondary_sources {
+    for_each = var.secondary_sources
+    iterator = each
+    content {
+      type                = "GITHUB_ENTERPRISE"
+      location            = each.value["secondary_github_clone_url"]
+      report_build_status = true
+      git_clone_depth     = 1
+      source_identifier   = each.value["secondary_source_identifier"]
+    }
+  }
+
+  dynamic secondary_source_version {
+    for_each = var.secondary_sources
+    iterator = each
+    content {
+      source_identifier   = each.value["secondary_source_identifier"]
+      source_version      = each.value["secondary_source_version"]
+    }
+  }
+
   environment {
     compute_type    = "BUILD_GENERAL1_SMALL"
     image           = var.image
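Review bot: The `dynamic secondary_sources` block indexes `each.value["secondary_github_clone_url"]` and `each.value["secondary_source_identifier"]`, but the variable it iterates is declared in vars.tf with `default = [{}]` — one empty map — so a caller that does not set `secondary_sources` gets an invalid-index error at plan time instead of a project with no secondary sources. Change the default to `default = []` so both dynamic blocks produce nothing, and consider `type = list(object({ secondary_github_clone_url = string, secondary_source_identifier = string, secondary_source_version = string }))` so a missing key is rejected with a clear message rather than a lookup failure. The `iterator = each` name also shadows the `each` symbol Terraform uses for resource-level `for_each`; naming the iterator after the block, or omitting `iterator` and using `secondary_sources.value`, reads less ambiguously. The enclosing `aws_codebuild_project` resource starts and ends outside the hunk.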

+ 6 - 0
base/codebuild_project_no_artifact/vars.tf

@@ -49,6 +49,12 @@ variable "webhook_branch_filter" {
   default = ""
 }
 
+variable "secondary_sources" {
+  type    = list(map(any))
+  default = [{}]
+}
+
+
 #variable "environment" { type = string }
 #variable "aws_partition" { type = string }
 #variable "aws_region" { type = string }

+ 12 - 0
base/standard_iam/codebuild.tf

@@ -212,6 +212,18 @@ data "aws_iam_policy_document" "codebuild_build_ec2_amis" {
 		]
 	}
 
+    statement {
+		sid       = "SSMCodeBuildPause"
+		effect    = "Allow"
+		resources = [ "*" ]
+    	actions   = [
+        "ssmmessages:CreateControlChannel",
+        "ssmmessages:CreateDataChannel",
+        "ssmmessages:OpenControlChannel",
+        "ssmmessages:OpenDataChannel"
+		]
+	}
+
   statement {
     sid       = "CreateGrantForEBS"
     effect    = "Allow"
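Review bot: The new `SSMCodeBuildPause` statement has no comment explaining what it is for or why `resources = [ "*" ]` is the right scope, while the surrounding statements in this policy document are otherwise self-describing by sid. A comment such as `# Session Manager channel permissions so a paused build can be attached to interactively; the ssmmessages actions do not support resource-level permissions, so "*" is the narrowest scope available` would let the next reviewer confirm the wildcard is deliberate rather than widen-and-forget; it is also worth stating that an attached session runs with this role's credentials, so who may start such sessions is the real control. The block also mixes four-space and tab indentation (`    statement {` versus the tab-indented lines below it), which differs from both the tab-indented statement above and the two-space one below; `terraform fmt` would normalise it. The enclosing `data "aws_iam_policy_document"` block starts and ends outside the hunk.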