| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101 |
- # resource "aws_iam_role" "codebuild_role" {
- # name = "codebuild_role"
- # assume_role_policy = <<EOF
- # {
- # "Version": "2012-10-17",
- # "Statement": [
- # {
- # "Effect": "Allow",
- # "Principal": {
- # "Service": [
- # "codebuild.amazonaws.com"
- # ]
- # },
- # "Action": "sts:AssumeRole"
- # }
- # ]
- # }
- # EOF
- # }
- # resource "aws_iam_role_policy_attachment" "codebuild_role_policy_attach" {
- # role = aws_iam_role.codebuild_role.name
- # policy_arn = aws_iam_policy.codebuild_policy.arn
- # }
- # # Some things about this policy I'm not perfectly sure about, like
- # # should the account number be hardcoded? Also, it reads like we'll have to
- # # update it each time we have a new repository added to codecommit - that
- # # or we'll need to authorize the codebuild role to be able to pull from any
- # # codecommit repo. Which may be fine?
- # resource "aws_iam_policy" "codebuild_policy" {
- # name = "codebuild_policy"
- # description = "Policy for AWS codebuild to build and store artifacts"
- # policy = <<EOF
- # {
- # "Version": "2012-10-17",
- # "Statement": [
- # {
- # "Effect": "Allow",
- # "Resource": [
- # "arn:aws-us-gov:logs:us-gov-east-1:701290387780:log-group:/aws/codebuild/*"
- # ],
- # "Action": [
- # "logs:CreateLogGroup",
- # "logs:CreateLogStream",
- # "logs:PutLogEvents"
- # ]
- # },
- # {
- # "Effect": "Allow",
- # "Resource": [
- # "arn:aws-us-gov:s3:::codepipeline-us-gov-east-1-*"
- # ],
- # "Action": [
- # "s3:PutObject",
- # "s3:GetObject",
- # "s3:GetObjectVersion"
- # ]
- # },
- # {
- # "Effect": "Allow",
- # "Resource": [
- # "arn:aws-us-gov:codecommit:us-gov-east-1:701290387780:*"
- # ],
- # "Action": [
- # "codecommit:GitPull"
- # ]
- # },
- # {
- # "Effect": "Allow",
- # "Resource": [
- # "arn:aws-us-gov:s3:::xdr-codebuild-artifacts/*",
- # "arn:aws-us-gov:s3:::*"
- # ],
- # "Action": [
- # "s3:PutObject",
- # "s3:GetObject*",
- # "s3:ListBucket"
- # ]
- # },
- # {
- # "Effect": "Allow",
- # "Resource": [
- # "*"
- # ],
- # "Action": [
- # "ecr:GetAuthorizationToken",
- # "ecr:BatchCheckLayerAvailability",
- # "ecr:CompleteLayerUpload",
- # "ecr:GetAuthorizationToken",
- # "ecr:InitiateLayerUpload",
- # "ecr:PutImage",
- # "ecr:UploadLayerPart"
- # ]
- # }
- # ]
- # }
- # EOF
- # }
|
