AFS
/
xdr-terraform-modules


			
				
					
						
						
							1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798
							# creates a role and schedules a build for each server type
# 
# Being polite aws users, we randomize the schedule to the beginning of the work day
# (Between 9am and 1pm ET)
resource "random_integer" "hour" {
  min = 14 # 9 am ET
  max = 17 # noon ET
}

resource "random_integer" "minute" {
  min = 0
  max = 59
}

resource "aws_cloudwatch_event_rule" "schedule_rule" {
  for_each               = local.splunk_server_types

  name = "scheduled_build_${each.value}"
  schedule_expression = "cron(${random_integer.minute.result} ${random_integer.hour.result} * * ? *)"
}

resource "aws_iam_role" "codebuild_role" {
  name = "splunk_apps_codebuild_role"
  path     = "/aws_services/"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "events.amazonaws.com",
          "codebuild.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_policy" "codebuild_policy" {
  name = "splunk_apps_policy"
  path     = "/aws_services/"

  policy = <<POLICY
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": [
                "arn:${var.aws_partition}:logs:${var.aws_region}:${var.aws_account_id}:log-group:/aws/codebuild/*"
            ],
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ]
        },
        {
           "Action": [
              "codebuild:StartBuild",
              "codebuild:StopBuild",
              "codebuild:BatchGet*",
              "codebuild:Get*",
              "codebuild:List*",
              "codecommit:GetBranch",
              "codecommit:GetCommit",
              "codecommit:GetRepository",
              "codecommit:ListBranches"
            ],
            "Effect": "Allow",
            "Resource": "*"
          }
    ]
}
POLICY
}

resource "aws_iam_policy_attachment" "service_role_attachment" {
  name = "splunk_apps_policy_attachment"
  policy_arn = "${aws_iam_policy.codebuild_policy.arn}"
  roles = ["${aws_iam_role.codebuild_role.id}"]
}

resource "aws_cloudwatch_event_target" "trigger_build" {
  for_each = local.splunk_server_types

  target_id = "trigger_build_${each.value}"
  rule = "${aws_cloudwatch_event_rule.schedule_rule[each.value].name}"
  arn = "${aws_codebuild_project.this[each.value].id}"

  role_arn = "${aws_iam_role.codebuild_role.arn}"
}