AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214
							#-----------------------------------------------------------------------
# Common AssumeRole policy for these codebuild roles
#-----------------------------------------------------------------------
data "aws_iam_policy_document" "codebuild_role_assume_role_policy" {
  statement {
    effect = "Allow"
    actions = [
      "sts:AssumeRole"
    ]
    principals {
      type = "Service"
      identifiers = [
        "codebuild.amazonaws.com",
        "events.amazonaws.com"
      ]
    }
  }
}

#-----------------------------------------------------------------------
# "Basic" Codebuild Role - not capable to make EC2 images / run Packer
#-----------------------------------------------------------------------
resource "aws_iam_role" "codebuild_basic_role" {
  name               = "codebuild_basic_role"
  path               = "/aws_services/"
  assume_role_policy = data.aws_iam_policy_document.codebuild_role_assume_role_policy.json
}

resource "aws_iam_role_policy_attachment" "codebuild_basic_role_basic_policy_attach" {
  role       = aws_iam_role.codebuild_basic_role.name
  policy_arn = aws_iam_policy.codebuild_basic_policy.arn
}

#-----------------------------------------------------------------------
# "Packer" Codebuild Role
#-----------------------------------------------------------------------
resource "aws_iam_role" "codebuild_packer_role" {
  name               = "codebuild_packer_role"
  path               = "/aws_services/"
  assume_role_policy = data.aws_iam_policy_document.codebuild_role_assume_role_policy.json
}

# Packer role needs basic role too for things like cloudwatch
resource "aws_iam_role_policy_attachment" "codebuild_packer_role_basic_policy_attach" {
  role       = aws_iam_role.codebuild_packer_role.name
  policy_arn = aws_iam_policy.codebuild_basic_policy.arn
}

resource "aws_iam_role_policy_attachment" "codebuild_packer_role_packer_policy_attach" {
  role       = aws_iam_role.codebuild_packer_role.name
  policy_arn = aws_iam_policy.codebuild_build_ec2_amis_policy.arn
}

#-----------------------------------------------------------------------
# "Basic" Policy for codebuild - can make artifacts and ECR images but not EC2
# FIXME: Not sure about this policy
#   2.  Lets codebuild (apparently) write to ANY ECR repo
#   4.  Latest codebuild policies (from AWS console) have report-group resources and actions
#-----------------------------------------------------------------------
resource "aws_iam_policy" "codebuild_basic_policy" {
  name        = "codebuild_basic_policy"
  path        = "/aws_services/"
  description = "Policy for AWS codebuild to build AMIs"
  policy      = data.aws_iam_policy_document.codebuild_base_policy.json
}

data "aws_iam_policy_document" "codebuild_base_policy" {
  statement {
    sid    = "WriteCodebuildLogsToCloudwatchLogs"
    effect = "Allow"
    resources = [
      "arn:${local.aws_partition}:logs:${local.aws_region}:${local.aws_account}:log-group:/aws/codebuild/*"
    ]
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents"
    ]
  }

  statement {
    sid    = "StoreArtifactsInBucket"
    effect = "Allow"
    resources = [
      "arn:${local.aws_partition}:s3:::xdr-codebuild-artifacts/*"
    ]
    actions = [
      "s3:PutObject",
      "s3:GetObject*",
      "s3:ListBucket"
    ]
  }

  statement {
    sid    = "UpdateECRRepos"
    effect = "Allow"
    resources = [
      "*"
    ]
    actions = [
      "ecr:GetAuthorizationToken",
      "ecr:BatchCheckLayerAvailability",
      "ecr:CompleteLayerUpload",
      "ecr:GetAuthorizationToken",
      "ecr:InitiateLayerUpload",
      "ecr:PutImage",
      "ecr:UploadLayerPart"
    ]
  }

  statement {
    sid    = "LetEventBridgeTriggerABuild"
    effect = "Allow"
    resources = [
      "*"
    ]
    actions = [
      "codebuild:StartBuild",
      "codebuild:StopBuild",
      "codebuild:BatchGet*",
      "codebuild:Get*",
      "codebuild:List*"
    ]
  }
}

#-----------------------------------------------------------------------
# "EC2" Policy for codebuild - able to build EC2 images / SGs / etc
# FIXME:  too powerful
#
# Parts of this are Lifted from
# https://www.packer.io/plugins/builders/amazon#iam-task-or-instance-role and
# converted from JSON to a terraform data source NOT AUDITED - taking Packer
# docs at word that these are "minimal permissions necessary"
#
# The rest is for EBS+KMS support cobbled from AWS docs
#-----------------------------------------------------------------------
resource "aws_iam_policy" "codebuild_build_ec2_amis_policy" {
  name        = "codebuild_build_ami_policy"
  path        = "/aws_services/"
  description = "Policy for AWS codebuild to build AMIs"
  policy      = data.aws_iam_policy_document.codebuild_build_ec2_amis.json
}

data "aws_iam_policy_document" "codebuild_build_ec2_amis" {
  statement {
    sid       = "BuildEC2AMIFromPackerDocs"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "ec2:AttachVolume",
      "ec2:AuthorizeSecurityGroupIngress",
      "ec2:CopyImage",
      "ec2:CreateImage",
      "ec2:CreateKeypair",
      "ec2:CreateSecurityGroup",
      "ec2:CreateSnapshot",
      "ec2:CreateTags",
      "ec2:CreateVolume",
      "ec2:DeleteKeyPair",
      "ec2:DeleteSecurityGroup",
      "ec2:DeleteSnapshot",
      "ec2:DeleteVolume",
      "ec2:DeregisterImage",
      "ec2:DescribeImageAttribute",
      "ec2:DescribeImages",
      "ec2:DescribeInstances",
      "ec2:DescribeInstanceStatus",
      "ec2:DescribeRegions",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeSnapshots",
      "ec2:DescribeSubnets",
      "ec2:DescribeTags",
      "ec2:DescribeVolumes",
      "ec2:DetachVolume",
      "ec2:GetPasswordData",
      "ec2:ModifyImageAttribute",
      "ec2:ModifyInstanceAttribute",
      "ec2:ModifySnapshotAttribute",
      "ec2:RegisterImage",
      "ec2:RunInstances",
      "ec2:StopInstances",
      "ec2:TerminateInstances"
    ]
  }

  statement {
    sid       = "KMSAccessNeededForEBS"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "kms:RevokeGrant",
      "kms:ListGrants",
      "kms:Decrypt",
      "kms:DescribeKey",
      "kms:GenerateDataKeyWithoutPlainText",
      "kms:ReEncrypt*",
    ]
  }

  statement {
    sid       = "CreateGrantForEBS"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "kms:CreateGrant",
    ]
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}