
Adds Codebuild for Packer builds

Brad Poulton 3 年之前
当前提交
6db5ae4486

+ 9 - 0
base/codebuild_lcp_magic_machine/README.md

@@ -0,0 +1,9 @@
+# Codebuild_xdr_lcp
+
+This module is used to create an OCI LCP image with codebuild, an AMI, and a baremetal AWS instance. This is prefered to creating the VM on personal Laptops. For OCI and VMware LCP images, the images can not be created in AWS. 
+
+See xdr-images/base/rhel7/oci/README.md for more information. 
+
+Assumptions: 
+- AWS Secrets Manager has the github Personal Access Token.
+- AWS Secrets Manager has the private key and passphrase for msoc-build SSH key. 

+ 27 - 0
base/codebuild_lcp_magic_machine/ghe-key.tf

@@ -0,0 +1,27 @@
+data "aws_secretsmanager_secret" "ghe-key" {
+  name     = "GHE/mdr-aws-codebuild/key"
+  provider = aws.c2
+}
+
+data "aws_secretsmanager_secret_version" "ghe-key" {
+  secret_id = data.aws_secretsmanager_secret.ghe-key.id
+  provider  = aws.c2
+}
+
+#locals {
+#  If key was in json format, we would need to decode it.
+#  secret_ghe_key = jsondecode(data.aws_secretsmanager_secret_version.ghe-key.secret_string)
+#}
+
+
+# Note some AWS craziness here. The GitHub credential is not tied to a build, even though it _looks_
+# like it is in the Web UI. There can only be one GitHub credential per account+region::
+# https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-codebuild.GitHubSourceCredentials.html
+#
+# "Note: CodeBuild only allows a single credential for GitHub to be saved in a given AWS account 
+#        in a given region - any attempt to add more than one will result in an error."
+resource "aws_codebuild_source_credential" "github_token" {
+  auth_type   = "PERSONAL_ACCESS_TOKEN"
+  server_type = "GITHUB_ENTERPRISE"
+  token       = data.aws_secretsmanager_secret_version.ghe-key.secret_string
+}
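Review bot: `aws_codebuild_source_credential.github_token` is a per-account-per-region singleton (the comment above the resource says so) but it is declared inside a module that is parameterised per project via `var.name`/`var.repository_name`, so a second instantiation of this module in the same account and region will fail at apply time. Consider moving the credential to a shared, once-per-account place (standard_iam would fit, since the service role already lives there) and leaving only a reference here, or at minimum document the constraint in the module README. Note also that `data.aws_secretsmanager_secret_version.ghe-key.secret_string` and the `token` attribute are written to Terraform state in cleartext, so the state backend's encryption and access controls are what actually protect the PAT. The two data sources read through `provider = aws.c2` while the credential is created in the default provider; if that cross-account read is intentional, a one-line comment such as `# PAT is stored in the c2 account; the CodeBuild credential is created in the account this module targets` would save the next reader a question.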

+ 196 - 0
base/codebuild_lcp_magic_machine/iam.tf

@@ -0,0 +1,196 @@
+
+# include access to the S3 bucket and aws secrets manager in PROD c2
+# resource "aws_iam_role" "codebuild_service_role" {
+#   name     = "codebuild_${var.name}_role"
+#   path     = "/aws_services/"
+
+#   assume_role_policy = <<EOF
+# {
+#     "Version": "2012-10-17",
+#     "Statement": [
+#       {
+#         "Effect": "Allow",
+#         "Principal": {
+#           "Service": [
+#             "codebuild.amazonaws.com"
+#             ]
+#         },
+#         "Action": "sts:AssumeRole"
+#       }
+#     ]
+#   }
+# EOF
+# }
+
+# resource "aws_iam_role_policy_attachment" "codebuild_service_policy_attach" {
+#   role       = aws_iam_role.codebuild_service_role.name
+#   policy_arn = aws_iam_policy.codebuild_service_policy.arn
+# }
+
+# # Some things about this policy I'm not perfectly sure about, like
+# # should the account number be hardcoded?  Also, it reads like we'll have to
+# # update it each time we have a new repository added to codecommit - that
+# # or we'll need to authorize the codebuild role to be able to pull from any 
+# # codecommit repo.  Which may be fine?
+# resource "aws_iam_policy" "codebuild_service_policy" {
+#   name        = "codebuild_${var.name}_policy"
+#   description = "Policy for AWS codebuild for ${var.name}"
+#   path     = "/aws_services/"
+
+#   policy = <<EOF
+# {
+#    "Version":"2012-10-17",
+#    "Statement":[
+#       {
+#          "Effect":"Allow",
+#          "Action":[
+#             "ec2:CreateNetworkInterface",
+#             "ec2:CreateNetworkInterfacePermission",
+#             "ec2:DeleteNetworkInterface",
+#             "ec2:Describe*",
+#             "ec2:TerminateInstances",
+#             "ec2:RunInstances",
+#             "ec2:CreateTags"
+#          ],
+#          "Resource":"*"
+#       },
+#       {
+#       "Effect":"Allow",
+#       "Action":"*",
+#       "Resource":"*"
+#       },
+#       {
+#       "Effect":"Allow",
+#       "Action":"iam:PassRole",
+#       "Resource":"arn:${var.aws_partition}:iam::${var.aws_account_id}:role/aws_services/msoc-magic-machine-instance-role"
+#       },
+#       {
+#          "Effect":"Allow",
+#          "Resource":[
+#             "arn:${var.aws_partition}:logs:${var.aws_region}:${var.aws_account_id}:log-group:/aws/codebuild/*"
+#          ],
+#          "Action":[
+#             "logs:CreateLogGroup",
+#             "logs:CreateLogStream",
+#             "logs:PutLogEvents"
+#          ]
+#       },
+#       {
+#          "Effect":"Allow",
+#          "Resource":[
+#             "arn:${var.aws_partition}:s3:::afsxdr-binaries*"
+#          ],
+#          "Action":[
+#             "s3:PutObject",
+#             "s3:GetObject",
+#             "s3:GetObjectVersion"
+#          ]
+#       },
+#       {
+#          "Sid":"PullFromECR",
+#          "Effect":"Allow",
+#          "Resource":[
+#             "*"
+#          ],
+#          "Action":[
+#             "ecr:GetDownloadUrlForLayer",
+#             "ecr:BatchGetImage",
+#             "ecr:BatchCheckLayerAvailability"
+#          ]
+#       },
+#       {
+#          "Sid":"PullFromSecretsManager",
+#          "Effect":"Allow",
+#          "Resource":[
+#             "arn:${var.aws_partition}:secretsmanager:${var.aws_region}:${var.aws_account_id}:secret:msoc-build*"
+#          ],
+#          "Action":[
+#             "secretsmanager:GetSecretValue"
+#          ]
+#       }
+#    ]
+# }
+# EOF
+# }
+
+
+# Policy for the Magic Machine iam-instance-policy
+
+resource "aws_iam_instance_profile" "magic_machine" {
+  name = "msoc-magic-machine-instance-profile"
+  role = aws_iam_role.magic_machine_instance_role.name
+}
+
+resource "aws_iam_role" "magic_machine_instance_role" {
+  name               = "msoc-magic-machine-instance-role"
+  path               = "/aws_services/"
+  assume_role_policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Sid": "AssumeRoleAnywhere",
+        "Effect": "Allow",
+        "Principal": {
+          "Service": [
+            "ec2.amazonaws.com",
+            "ssm.amazonaws.com"
+            ]
+        },
+        "Action": "sts:AssumeRole"
+      }
+    ]
+  }
+EOF
+}
+
+resource "aws_iam_policy" "magic_machine_policy" {
+  name        = "magic_machine_s3_access"
+  path        = "/launchroles/"
+  description = "This policy allows the magic machine to push the image to S3"
+  policy      = data.aws_iam_policy_document.magic_machine_instance_policy_s3_binaries_doc.json
+}
+
+
+data "aws_iam_policy_document" "magic_machine_instance_policy_s3_binaries_doc" {
+  statement {
+    sid       = "AccessTheBucketItself"
+    effect    = "Allow"
+    resources = ["arn:${var.aws_partition}:s3:::afsxdr-binaries"]
+
+    actions = [
+      "s3:ListBucket",
+      "s3:GetBucketLocation",
+    ]
+  }
+
+  statement {
+    sid       = "GetFromTheBucket"
+    effect    = "Allow"
+    resources = ["arn:${var.aws_partition}:s3:::afsxdr-binaries/*"]
+
+    actions = [
+      "s3:GetObject",
+      "s3:GetObjectAcl",
+      "s3:PutObject",
+    ]
+  }
+
+  statement {
+    sid    = "UseTheKey"
+    effect = "Allow"
+    resources = [
+      "arn:${var.aws_partition}:kms:${var.aws_region}:${var.common_services_account}:${var.binaries_key}"
+    ]
+    actions = [
+      "kms:Decrypt",
+      "kms:DescribeKey",
+      "kms:GenerateDataKey"
+    ]
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "magic_machine_instance_policy_attach" {
+  role       = aws_iam_role.magic_machine_instance_role.name
+  policy_arn = var.xdr-s3-binaries-policy
+}
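Review bot: `aws_iam_policy.magic_machine_policy` (built from `magic_machine_instance_policy_s3_binaries_doc`) is created but never attached: the only attachment, `magic_machine_instance_policy_attach`, binds `var.xdr-s3-binaries-policy` to the role, so either add a second `aws_iam_role_policy_attachment` with `policy_arn = aws_iam_policy.magic_machine_policy.arn` or delete the policy and its document. The ~110-line commented-out `codebuild_service_role`/`codebuild_service_policy` block at the top of the file still carries a statement with `"Action":"*"` and `"Resource":"*"`; dead code that grants everything is a liability if someone uncomments it, and git history already preserves it, so I would remove it. The trust policy on `magic_machine_instance_role` lists `ssm.amazonaws.com` next to `ec2.amazonaws.com`; an instance profile is assumed through the EC2 service principal and the SSM agent uses that same credential, so the extra principal looks unnecessary — please confirm there is no hybrid-activation use case before dropping it. The names `msoc-magic-machine-instance-profile` and `msoc-magic-machine-instance-role` are fixed strings rather than derived from `var.name`, so two instantiations of the module in one account will collide.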

+ 109 - 0
base/codebuild_lcp_magic_machine/main.tf

@@ -0,0 +1,109 @@
+data "github_repository" "this" {
+  name = var.repository_name
+}
+
+resource "aws_codebuild_project" "this" {
+  name           = var.name
+  description    = "Codebuild for ${var.name}"
+  service_role   = var.service_role
+  encryption_key = var.kms_key
+  #badge_enabled         = var.badge_enabled
+
+  source {
+    type                = "GITHUB_ENTERPRISE"
+    location            = var.github_clone_url
+    report_build_status = true
+    git_clone_depth     = 1
+    buildspec           = var.buildspec
+  }
+
+  source_version = var.source_version
+
+  environment {
+    compute_type    = "BUILD_GENERAL1_SMALL"
+    image           = var.image
+    type            = "LINUX_CONTAINER"
+    privileged_mode = var.privileged_mode
+
+    dynamic "environment_variable" {
+      for_each = var.env_vars
+      iterator = each
+      content {
+        name  = each.key
+        value = each.value["value"]
+        type  = try(each.value["type"], "PLAINTEXT")
+      }
+    }
+
+    environment_variable {
+      name  = "SECURITYGROUP"
+      value = aws_security_group.this.id
+    }
+    environment_variable {
+      name  = "IAMINSTANCEPROFILE"
+      value = aws_iam_instance_profile.magic_machine.id
+    }
+    environment_variable {
+      name  = "SUBNETID"
+      value = var.public_subnets[0]
+    }
+    environment_variable {
+      name  = "GITBRANCH"
+      value = var.source_version
+    }
+  }
+
+  vpc_config {
+    vpc_id = data.aws_vpc.this.id
+
+    subnets = var.private_subnets
+
+    security_group_ids = [
+      aws_security_group.codebuild.id
+    ]
+  }
+
+  artifacts {
+    type = "NO_ARTIFACTS"
+  }
+
+  tags = merge(var.standard_tags, var.tags)
+
+  # The security group must be created before the codebuild project for the 
+  # environmental variables. 
+
+  depends_on = [aws_security_group.this, aws_security_group.codebuild]
+
+  # Govcloud incompatible with "project visibility"
+  # See https://github.com/hashicorp/terraform-provider-aws/issues/22473#issuecomment-1081187035
+  lifecycle { ignore_changes = [project_visibility] }
+}
+
+resource "aws_codebuild_webhook" "this" {
+  project_name = var.name
+  filter_group {
+    filter {
+      type    = "EVENT"
+      pattern = "PUSH"
+    }
+
+    filter {
+      type    = "HEAD_REF"
+      pattern = var.webhook_filter_pattern
+    }
+  }
+  depends_on = [aws_codebuild_project.this]
+}
+
+resource "github_repository_webhook" "this" {
+  active     = true
+  events     = ["push"]
+  repository = data.github_repository.this.name
+
+  configuration {
+    url          = aws_codebuild_webhook.this.payload_url
+    secret       = aws_codebuild_webhook.this.secret
+    content_type = "json"
+    insecure_ssl = false
+  }
+}
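Review bot: `aws_codebuild_webhook.this` and `github_repository_webhook.this` are created unconditionally even though vars.tf in this same commit declares `enable_webhook` (default `false`), so the toggle a caller would expect to honour does nothing; gate both resources on it and index the reference from the GitHub webhook as below. `encryption_key = var.kms_key` is fed by a variable whose default is the empty string, which I would expect the provider to either reject or silently turn into the service-managed key; a `null` default makes the intent explicit. The `SUBNETID` environment variable hands the build `var.public_subnets[0]`, so the Packer-launched instance lands in a public subnet while the project itself runs in `var.private_subnets`; a comment stating that this is deliberate, and why, would help the next reader.
```hcl
resource "aws_codebuild_webhook" "this" {
  count        = var.enable_webhook ? 1 : 0
  project_name = var.name
  # … unchanged: filter_group …
  depends_on = [aws_codebuild_project.this]
}

resource "github_repository_webhook" "this" {
  count = var.enable_webhook ? 1 : 0
  # … unchanged: active, events, repository …
  configuration {
    url          = aws_codebuild_webhook.this[0].payload_url
    secret       = aws_codebuild_webhook.this[0].secret
    # … unchanged: content_type, insecure_ssl …
  }
}
```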

+ 11 - 0
base/codebuild_lcp_magic_machine/output.tf

@@ -0,0 +1,11 @@
+output "artifact_s3_bucket" {
+  value = data.aws_s3_bucket.this.id
+}
+
+output "aws_security_group" {
+  value = aws_security_group.this.id
+}
+
+output "aws_iam_instance_profile" {
+  value = aws_iam_instance_profile.magic_machine.id
+}

+ 4 - 0
base/codebuild_lcp_magic_machine/s3.tf

@@ -0,0 +1,4 @@
+#Magic Machine is dependent on this S3 bucket
+data "aws_s3_bucket" "this" {
+  bucket = "afsxdr-binaries"
+}

+ 64 - 0
base/codebuild_lcp_magic_machine/security-group.tf

@@ -0,0 +1,64 @@
+# The Magic Machine is dependent on this Security Group
+
+data "aws_vpc" "this" {
+  id = var.vpc_id
+}
+
+data "aws_subnet" "this" {
+  id = var.public_subnets[0]
+}
+
+resource "aws_security_group" "this" {
+  name        = "magic_machine_security_group"
+  description = "Security Group for magic machine"
+  tags        = merge(var.standard_tags, var.tags)
+  vpc_id      = data.aws_vpc.this.id
+}
+
+resource "aws_security_group_rule" "this" {
+  type              = "ingress"
+  cidr_blocks       = ["10.0.0.0/8"]
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  description       = "Allows codebuild to access Magic Machine and for troubleshooting"
+  security_group_id = aws_security_group.this.id
+}
+
+resource "aws_security_group_rule" "allow_outbound_mm" {
+  type              = "egress"
+  cidr_blocks       = ["0.0.0.0/0"]
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  description       = "Allow Magic Machine to communicate via HTTPS outbound"
+  security_group_id = aws_security_group.this.id
+}
+
+
+resource "aws_security_group" "codebuild" {
+  name        = "codebuild_security_group"
+  description = "Security Group for codebuild"
+  tags        = merge(var.standard_tags, var.tags)
+  vpc_id      = data.aws_vpc.this.id
+}
+
+resource "aws_security_group_rule" "allow_outbound" {
+  type              = "egress"
+  cidr_blocks       = ["0.0.0.0/0"]
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  description       = "Allow codebuild to communicate via HTTPS outbound"
+  security_group_id = aws_security_group.codebuild.id
+}
+
+resource "aws_security_group_rule" "allow_ssh_outbound" {
+  type              = "egress"
+  cidr_blocks       = ["10.0.0.0/8"]
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  description       = "Allow codebuild to communicate via SSH outbound"
+  security_group_id = aws_security_group.codebuild.id
+}
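Review bot: The SSH ingress rule `aws_security_group_rule.this` on the magic-machine group opens port 22 to the whole `10.0.0.0/8` range although its description says the purpose is CodeBuild access; since the CodeBuild group is defined in this same file, the least-privilege form is to replace `cidr_blocks = ["10.0.0.0/8"]` with `source_security_group_id = aws_security_group.codebuild.id`, and if troubleshooting access from elsewhere is really needed, add it as a separate, narrower rule so it can be removed independently. The mirror egress rule `allow_ssh_outbound` on the CodeBuild group can reference the magic-machine group the same way. `data "aws_subnet" "this"` is declared but not referenced by any file in this module in this commit and can go. The group names `magic_machine_security_group` and `codebuild_security_group` are fixed strings, so a second instantiation of the module in the same VPC would collide.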

+ 72 - 0
base/codebuild_lcp_magic_machine/vars.tf

@@ -0,0 +1,72 @@
+variable "tags" {
+  description = "Tags to add to the resource (in addition to global standard tags)"
+  type        = map(any)
+  default     = {}
+}
+variable "standard_tags" { type = map(any) }
+variable "environment" { type = string }
+variable "aws_region" { type = string }
+variable "aws_partition" { type = string }
+variable "aws_partition_alias" { type = string }
+variable "aws_account_id" { type = string }
+variable "name" { type = string }
+variable "repository_name" { type = string }
+variable "github_clone_url" { type = string }
+variable "vpc_id" { type = string }
+variable "private_subnets" { type = list(any) }
+variable "public_subnets" { type = list(any) }
+variable "service_role" { type = string }
+variable "common_services_account" { type = string }
+variable "binaries_key" { type = string }
+variable "xdr-s3-binaries-policy" { type = string }
+
+variable "kms_key" {
+  type    = string
+  default = ""
+}
+
+variable "source_version" {
+  description = "Tag or branch for the git repository."
+  type        = string
+  default     = "main"
+}
+
+variable "badge_enabled" {
+  type    = string
+  default = "false"
+}
+
+variable "buildspec" {
+  type    = string
+  default = "buildspec.yml"
+}
+
+variable "schedule_expression" {
+  type    = string
+  default = ""
+}
+
+variable "image" {
+  type    = string
+  default = "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
+}
+
+variable "privileged_mode" {
+  type    = bool
+  default = true
+}
+
+variable "enable_webhook" {
+  type    = bool
+  default = false
+}
+
+variable "env_vars" {
+  type    = map(any)
+  default = {}
+}
+
+variable "webhook_filter_pattern" {
+  type    = string
+  default = "^refs/heads/main$"
+}
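Review bot: `badge_enabled` is typed `string` with default `"false"` although the corresponding `aws_codebuild_project` attribute is boolean; declare it as `type = bool` / `default = false` (it is currently only referenced from a commented-out line in main.tf). Most variables have no `description`, and at least `schedule_expression`, `environment` and `aws_partition_alias` are not referenced by any of the module's files in this commit — possibly a caller convention I cannot see — so a one-line description per variable, or dropping the unused ones, would make the module's interface self-explanatory. I would also give `kms_key` a `description` stating what the empty default means (no customer-managed key).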

+ 3 - 0
base/s3_bucket_writer_role/outputs.tf

@@ -0,0 +1,3 @@
+output binaries_writers_policy {
+  value = aws_iam_policy.this.arn
+}
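Review bot: The block label is unquoted (`output binaries_writers_policy {`) while every other block in this commit quotes its labels; `terraform fmt` rewrites this to `output "binaries_writers_policy" {`, so the next format run will churn the file. The same applies to `output service_role {` in base/standard_iam/outputs.tf. A `description` on each output would also help callers of these modules.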

+ 3 - 0
base/standalone_vpc/README.md

@@ -0,0 +1,3 @@
+# Standalone VPC
+
+Module to set up a 'standalone' vpc, which is a VPC with 3 private and 3 public subnets and a NAT gatway. This VPC is designed to NOT connect to the transit gateway and is used for other purposes.

+ 102 - 0
base/standalone_vpc/main.tf

@@ -0,0 +1,102 @@
+locals {
+  vpc_name = "${var.vpc_info["name"]}-${var.account_name}"
+}
+
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> v2.70"
+  name    = local.vpc_name
+  cidr    = var.vpc_info["cidr"]
+
+  azs = slice(data.aws_availability_zones.available.names, 0, 3)
+
+  private_subnets = [
+    cidrsubnet(var.vpc_info["cidr"], 3, 0),
+    cidrsubnet(var.vpc_info["cidr"], 3, 1),
+    cidrsubnet(var.vpc_info["cidr"], 3, 2),
+  ]
+
+  public_subnets = [
+    cidrsubnet(var.vpc_info["cidr"], 3, 4),
+    cidrsubnet(var.vpc_info["cidr"], 3, 5),
+    cidrsubnet(var.vpc_info["cidr"], 3, 6),
+  ]
+
+  enable_nat_gateway     = var.enable_nat_gateway
+  single_nat_gateway     = var.single_nat_gateway
+  one_nat_gateway_per_az = var.one_nat_gateway_per_az
+  enable_vpn_gateway     = false
+  enable_dns_hostnames   = true
+  enable_dhcp_options    = true
+
+
+  # Endpoints without a DNS setting
+  enable_dynamodb_endpoint = true
+  enable_s3_endpoint       = true
+
+  # Endpoints with a dns setting
+  enable_ec2_endpoint              = true
+  ec2_endpoint_private_dns_enabled = true
+  ec2_endpoint_security_group_ids  = [module.aws_endpoints_sg.security_group_id]
+
+  enable_ec2messages_endpoint              = true
+  ec2messages_endpoint_private_dns_enabled = true
+  ec2messages_endpoint_security_group_ids  = [module.aws_endpoints_sg.security_group_id]
+
+  enable_ecr_api_endpoint              = true
+  ecr_api_endpoint_private_dns_enabled = true
+  ecr_api_endpoint_security_group_ids  = [module.aws_endpoints_sg.security_group_id]
+
+  enable_ecr_dkr_endpoint              = true
+  ecr_dkr_endpoint_private_dns_enabled = true
+  ecr_dkr_endpoint_security_group_ids  = [module.aws_endpoints_sg.security_group_id]
+
+  enable_kms_endpoint              = true
+  kms_endpoint_private_dns_enabled = true
+  kms_endpoint_security_group_ids  = [module.aws_endpoints_sg.security_group_id]
+
+  enable_logs_endpoint              = true
+  logs_endpoint_private_dns_enabled = true
+  logs_endpoint_security_group_ids  = [module.aws_endpoints_sg.security_group_id]
+
+  enable_ssm_endpoint              = true
+  ssm_endpoint_private_dns_enabled = true
+  ssm_endpoint_security_group_ids  = [module.aws_endpoints_sg.security_group_id]
+
+  enable_ssmmessages_endpoint              = true
+  ssmmessages_endpoint_private_dns_enabled = true
+  ssmmessages_endpoint_security_group_ids  = [module.aws_endpoints_sg.security_group_id]
+
+  enable_sts_endpoint              = true
+  sts_endpoint_private_dns_enabled = true
+  sts_endpoint_security_group_ids  = [module.aws_endpoints_sg.security_group_id]
+
+  enable_monitoring_endpoint              = true
+  monitoring_endpoint_private_dns_enabled = true
+  monitoring_endpoint_security_group_ids  = [module.aws_endpoints_sg.security_group_id]
+
+  #dhcp_options_domain_name = var.dns_info["private"]["zone"]
+  #dhcp_options_domain_name_servers = var.dns_servers
+  dhcp_options_ntp_servers = ["169.254.169.123"]
+  dhcp_options_tags        = merge(var.standard_tags, var.tags)
+
+  tags = merge(var.standard_tags, var.tags, { "Purpose" = var.vpc_info["purpose"] })
+
+  nat_eip_tags = {
+    "eip_type" = "natgw"
+    Name       = local.vpc_name
+  }
+}
+
+resource "aws_flow_log" "flowlogs" {
+  iam_role_arn    = "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/aws_services/flowlogs"
+  log_destination = "arn:${var.aws_partition}:logs:${var.aws_region}:${var.aws_account_id}:log-group:vpc_flow_logs"
+
+  traffic_type = "REJECT" # ALL is very noisy, and CIS only requires rejects.
+  vpc_id       = module.vpc.vpc_id
+  tags         = merge(var.standard_tags, var.tags)
+}
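Review bot: `aws_flow_log.flowlogs` builds `iam_role_arn` and `log_destination` by hand for a role `aws_services/flowlogs` and a log group `vpc_flow_logs` that this module neither creates nor looks up, so apply fails in an account where they do not yet exist and there is no dependency edge to order it; a comment above the resource such as `# Requires the flowlogs IAM role and the vpc_flow_logs log group to exist already (created outside this module)` — or `data "aws_iam_role"` / `data "aws_cloudwatch_log_group"` lookups so the problem surfaces at plan time — would make the prerequisite explicit. The subnet layout (`cidrsubnet(..., 3, 0..2)` private, `4..6` public) skips indexes 3 and 7; a comment saying whether they are reserved would keep a later change from reusing them by accident. I would also note that in terraform-aws-modules/vpc v2 public subnets default to auto-assigning public IPs unless `map_public_ip_on_launch` is set, which matters because the codebuild module in this same commit launches the Packer instance into `public_subnets[0]` — please confirm that is intended.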

+ 35 - 0
base/standalone_vpc/outputs.tf

@@ -0,0 +1,35 @@
+output "vpc_id" {
+  value = module.vpc.vpc_id
+}
+
+output "public_subnets" {
+  value = module.vpc.public_subnets
+}
+
+output "private_subnets" {
+  value = module.vpc.private_subnets
+}
+
+output "allow_all_from_trusted_sg_id" {
+  value = module.allow_all_from_trusted_sg.security_group_id
+}
+
+output "allow_all_outbound_sg_id" {
+  value = module.allow_all_outbound_sg.security_group_id
+}
+
+output "private_route_tables" {
+  value = module.vpc.private_route_table_ids
+}
+
+output "public_route_tables" {
+  value = module.vpc.public_route_table_ids
+}
+
+output "azs" {
+  value = module.vpc.azs
+}
+
+output "nat_public_ips" {
+  value = module.vpc.nat_public_ips
+}

+ 51 - 0
base/standalone_vpc/security-groups.tf

@@ -0,0 +1,51 @@
+# Several of these security groups will have customer IPs listed in them to allow
+# POP systems to access our services.
+#
+
+locals {
+  endpoint_cidr_blocks = var.allow_any_to_endpoints ? ["10.0.0.0/8"] : [module.vpc.vpc_cidr_block]
+}
+
+module "aws_endpoints_sg" {
+  use_name_prefix = false
+  source          = "terraform-aws-modules/security-group/aws"
+  version         = "= 4.0.0"
+  name            = "aws_endpoints"
+  tags            = merge(var.standard_tags, var.tags)
+  vpc_id          = module.vpc.vpc_id
+
+  ingress_cidr_blocks     = local.endpoint_cidr_blocks
+  egress_cidr_blocks      = local.endpoint_cidr_blocks
+  egress_ipv6_cidr_blocks = []
+
+  egress_rules  = ["all-all"]
+  ingress_rules = ["all-all"]
+}
+
+# "Allow
+module "allow_all_from_trusted_sg" {
+  use_name_prefix = false
+  source          = "terraform-aws-modules/security-group/aws"
+  version         = "= 4.0.0"
+  name            = "allow-all-from-trusted"
+  tags            = merge(var.standard_tags, var.tags)
+  vpc_id          = module.vpc.vpc_id
+
+  ingress_cidr_blocks = concat(var.trusted_ips, ["10.0.0.0/8"])
+  egress_cidr_blocks  = ["0.0.0.0/0"]
+  ingress_rules       = ["all-all"]
+  egress_rules        = ["all-all"]
+}
+
+module "allow_all_outbound_sg" {
+  use_name_prefix = false
+  source          = "terraform-aws-modules/security-group/aws"
+  version         = "= 4.0.0"
+  name            = "allow-all-outbound"
+  tags            = merge(var.standard_tags, var.tags)
+  vpc_id          = module.vpc.vpc_id
+
+  egress_rules = ["all-all"]
+}
+
+
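Review bot: The comment `# "Allow` just above `module "allow_all_from_trusted_sg"` is truncated mid-sentence; complete it, e.g. `# Allow all traffic from var.trusted_ips and the 10.0.0.0/8 private range; egress unrestricted.` The file header ("Several of these security groups will have customer IPs listed in them to allow POP systems to access our services") reads as copied from another module, since only `var.trusted_ips` feeds these groups; either say that plainly or drop the header. `aws_endpoints_sg` sets `egress_rules = ["all-all"]` towards `local.endpoint_cidr_blocks`, but interface endpoints only answer inbound connections, so the egress side looks unnecessary — confirm nothing relies on it before removing.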

+ 45 - 0
base/standalone_vpc/vars.tf

@@ -0,0 +1,45 @@
+variable "allow_any_to_endpoints" {
+  description = "Whether to accept the transit gateway sharing invitation. Only done once per account."
+  type        = bool
+  default     = false
+}
+
+variable "enable_nat_gateway" {
+  description = "Whether to add a NAT gateway to the VPC"
+  type        = bool
+  default     = true
+}
+
+variable "single_nat_gateway" {
+  description = "Whether to add one NAT gateway for the VPC or one NAT gateway per availability zone."
+  type        = bool
+  default     = true
+}
+
+variable "one_nat_gateway_per_az" {
+  description = "Whether to add one NAT gateway per availability zone."
+  type        = bool
+  default     = false
+}
+
+variable "vpc_info" {
+  description = "A map of information about the VPC to create. Must contain `name` and `cidr`."
+  type        = map(any)
+}
+
+variable "tags" {
+  description = "Tags to add to the resource (in addition to global standard tags)"
+  type        = map(any)
+  default     = {}
+}
+
+# Inherited
+variable "account_name" { type = string }
+variable "trusted_ips" { type = list(string) }
+#variable "dns_servers" { type = list(string) }
+variable "dns_info" { type = map(any) }
+variable "cidr_map" { type = map(any) }
+variable "standard_tags" { type = map(any) }
+variable "aws_region" { type = string }
+variable "aws_account_id" { type = string }
+variable "aws_partition" { type = string }
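Review bot: The `description` on `allow_any_to_endpoints` ("Whether to accept the transit gateway sharing invitation…") describes a different variable; from its use in security-groups.tf it should read `description = "When true, allow 10.0.0.0/8 to reach the VPC interface endpoints; when false, only this VPC's own CIDR."`. `dns_info` and `cidr_map` are declared under `# Inherited` but are not referenced by any file in this module in this commit; if they exist only because a caller passes them, a comment saying so spares the next reader a hunt for the use. `vpc_info` is described as "Must contain `name` and `cidr`" but main.tf also reads `var.vpc_info["purpose"]`, so either list `purpose` as required too or wrap that read in `try()`.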

+ 66 - 52
base/standard_iam/codebuild.tf

@@ -143,60 +143,74 @@ resource "aws_iam_policy" "codebuild_build_ec2_amis_policy" {
 }
 
 data "aws_iam_policy_document" "codebuild_build_ec2_amis" {
-  statement {
-    sid       = "BuildEC2AMIFromPackerDocs"
-    effect    = "Allow"
-    resources = ["*"]
-    actions = [
-      "ec2:AttachVolume",
-      "ec2:AuthorizeSecurityGroupIngress",
-      "ec2:CopyImage",
-      "ec2:CreateImage",
-      "ec2:CreateKeypair",
-      "ec2:CreateSecurityGroup",
-      "ec2:CreateSnapshot",
-      "ec2:CreateTags",
-      "ec2:CreateVolume",
-      "ec2:DeleteKeyPair",
-      "ec2:DeleteSecurityGroup",
-      "ec2:DeleteSnapshot",
-      "ec2:DeleteVolume",
-      "ec2:DeregisterImage",
-      "ec2:DescribeImageAttribute",
-      "ec2:DescribeImages",
-      "ec2:DescribeInstances",
-      "ec2:DescribeInstanceStatus",
-      "ec2:DescribeRegions",
-      "ec2:DescribeSecurityGroups",
-      "ec2:DescribeSnapshots",
-      "ec2:DescribeSubnets",
-      "ec2:DescribeTags",
-      "ec2:DescribeVolumes",
-      "ec2:DetachVolume",
-      "ec2:GetPasswordData",
-      "ec2:ModifyImageAttribute",
-      "ec2:ModifyInstanceAttribute",
-      "ec2:ModifySnapshotAttribute",
-      "ec2:RegisterImage",
-      "ec2:RunInstances",
-      "ec2:StopInstances",
-      "ec2:TerminateInstances"
-    ]
-  }
+	statement {
+		sid       = "BuildEC2AMIFromPackerDocs"
+		effect    = "Allow"
+		resources = [ "*" ]
+		actions   = [
+			"ec2:AttachVolume",
+			"ec2:AuthorizeSecurityGroupIngress",
+			"ec2:CopyImage",
+			"ec2:CreateImage",
+			"ec2:CreateKeypair",
+			"ec2:CreateSecurityGroup",
+			"ec2:CreateSnapshot",
+			"ec2:CreateTags",
+			"ec2:CreateVolume",
+			"ec2:CreateNetworkInterface",
+			"ec2:CreateNetworkInterfacePermission",
+			"ec2:DeleteKeyPair",
+			"ec2:DeleteNetworkInterface",
+			"ec2:DeleteSecurityGroup",
+			"ec2:DeleteSnapshot",
+			"ec2:DeleteVolume",
+			"ec2:DeregisterImage",
+			"ec2:Describe*",
+			"ec2:DetachVolume",
+			"ec2:GetPasswordData",
+			"ec2:ModifyImageAttribute",
+			"ec2:ModifyInstanceAttribute",
+			"ec2:ModifySnapshotAttribute",
+			"ec2:RegisterImage",
+			"ec2:RunInstances",
+			"ec2:StopInstances",
+			"ec2:TerminateInstances"
+		]
+	}
+	statement {
+		sid       = "BuildEC2WithInstanceRole"
+		effect    = "Allow"
+		resources = [ "*" ]
+		actions   = [
+			"iam:PassRole"
+		]
+	}
+
+	statement {
+		sid       = "PullFromSecretsManager"
+		effect    = "Allow"
+		resources = [ 
+			"arn:${local.aws_partition}:secretsmanager:${local.aws_region}:${local.aws_account}:secret:msoc-build*",
+			"arn:${local.aws_partition}:secretsmanager:${local.aws_region}:${local.aws_account}:secret:mdr-aws-codebuild*" 
+		]
+		actions   = [
+			"secretsmanager:GetSecretValue"
+		]
+	}
 
   statement {
-    sid       = "KMSAccessNeededForEBS"
-    effect    = "Allow"
-    resources = ["*"]
-    actions = [
-      "kms:RevokeGrant",
-      "kms:ListGrants",
-      "kms:Decrypt",
-      "kms:DescribeKey",
-      "kms:GenerateDataKeyWithoutPlainText",
-      "kms:ReEncrypt*",
-    ]
-  }
+		sid       = "KMSAccessNeededForEBS"
+		effect    = "Allow"
+		resources = [ "*" ]
+    	actions   = [
+			"kms:RevokeGrant",
+			"kms:ListGrants",
+			"kms:Decrypt",
+			"kms:DescribeKey",
+			"kms:GenerateDataKeyWithoutPlainText",
+			"kms:ReEncrypt*",
+		]
+	}
 
   statement {
     sid       = "CreateGrantForEBS"
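Review bot: The new `BuildEC2WithInstanceRole` statement grants `iam:PassRole` on `resources = ["*"]`, which lets the CodeBuild role hand any role in the account — including ones far more privileged than its own — to an EC2 instance it launches; the commented-out policy in base/codebuild_lcp_magic_machine/iam.tf scoped the same permission to the `msoc-magic-machine-instance-role` ARN, and that scope should carry over here, ideally with an `iam:PassedToService` condition so the role can only be passed to EC2. The hunk also re-indents the whole data block with tabs while the surrounding file uses two spaces (the `actions` line of `KMSAccessNeededForEBS` mixes both), which turns a small permission change into a 66/52-line diff; running `terraform fmt` before committing would let reviewers see only the statements that actually changed. `data "aws_iam_policy_document" "codebuild_build_ec2_amis"` continues past the end of the hunk (the `CreateGrantForEBS` statement is cut off).
```hcl
  statement {
    sid    = "BuildEC2WithInstanceRole"
    effect = "Allow"
    # Only the magic-machine instance role may be passed, and only to EC2.
    resources = [
      "arn:${local.aws_partition}:iam::${local.aws_account}:role/aws_services/msoc-magic-machine-instance-role"
    ]
    actions = ["iam:PassRole"]
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["ec2.amazonaws.com"]
    }
  }
```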

+ 3 - 0
base/standard_iam/outputs.tf

@@ -0,0 +1,3 @@
+output service_role {
+  value = aws_iam_role.codebuild_packer_role.arn
+}