Начало Каталог Помощ
Регистрация Вход
AFS
/
xdr-terraform-modules
2
0
Разклонения 0
Файлове Задачи 0 Заявки за сливане 0 Уики
ИН на ревизия: 4695200252
Клонове Маркери
xdr-terraform-m...
/
base
/
codebuild_ecr_base
/
iam.tf

iam.tf 4.4 KB
История Директен файл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162 
  1. resource "aws_iam_role" "codebuild_role" {
    2. 

  2.   name     = "codebuild_role"
    3. 

  3. 

  4.   assume_role_policy = <<EOF
    5. 

  5. {
    6. 

  6.     "Version": "2012-10-17",
    7. 

  7.     "Statement": [
    8. 

  8.       {
    9. 

  9.         "Effect": "Allow",
    10. 

  10.         "Principal": {
    11. 

  11.           "Service": [
    12. 

  12.             "codebuild.amazonaws.com"
    13. 

  13.             ]
    14. 

  14.         },
    15. 

  15.         "Action": "sts:AssumeRole"
    16. 

  16.       }
    17. 

  17.     ]
    18. 

  18.   }
    19. 

  19. EOF
    20. 

  20. }
    21. 

  21. 

  22. resource "aws_iam_role_policy_attachment" "codebuild_role_policy_attach" {
    23. 

  23.   role       = aws_iam_role.codebuild_role.name
    24. 

  24.   policy_arn = aws_iam_policy.codebuild_policy.arn
    25. 

  25. }
    26. 

  26. 

  27. # Some things about this policy I'm not perfectly sure about, like
    28. 

  28. # should the account number be hardcoded?  Also, it reads like we'll have to
    29. 

  29. # update it each time we have a new repository added to codecommit - that
    30. 

  30. # or we'll need to authorize the codebuild role to be able to pull from any 
    31. 

  31. # codecommit repo.  Which may be fine?
    32. 

  32. resource "aws_iam_policy" "codebuild_policy" {
    33. 

  33.   name        = "codebuild_policy"
    34. 

  34.   description = "Policy for AWS codebuild to build and store artifacts"
    35. 

  35. 

  36.   policy = <<EOF
    37. 

  37. {
    38. 

  38.     "Version": "2012-10-17",
    39. 

  39.     "Statement": [
    40. 

  40.         {
    41. 

  41.             "Effect": "Allow",
    42. 

  42.             "Resource": [
    43. 

  43.                 "arn:${var.aws_partition}:logs:${var.aws_region}:${var.common_services_account}:log-group:/aws/codebuild/*"
    44. 

  44.             ],
    45. 

  45.             "Action": [
    46. 

  46.                 "logs:CreateLogGroup",
    47. 

  47.                 "logs:CreateLogStream",
    48. 

  48.                 "logs:PutLogEvents"
    49. 

  49.             ]
    50. 

  50.         },
    51. 

  51.         {
    52. 

  52.             "Effect": "Allow",
    53. 

  53.             "Resource": [
    54. 

  54.                 "arn:${var.aws_partition}:s3:::codepipeline-${var.aws_region}-*"
    55. 

  55.             ],
    56. 

  56.             "Action": [
    57. 

  57.                 "s3:PutObject",
    58. 

  58.                 "s3:GetObject",
    59. 

  59.                 "s3:GetObjectVersion"
    60. 

  60.             ]
    61. 

  61.         },
    62. 

  62.         {
    63. 

  63.             "Effect": "Allow",
    64. 

  64.             "Resource": [
    65. 

  65.                 "arn:${var.aws_partition}:codecommit:${var.aws_region}:${var.common_services_account}:*"
    66. 

  66.             ],
    67. 

  67.             "Action": [
    68. 

  68.                 "codecommit:GitPull"
    69. 

  69.             ]
    70. 

  70.         },
    71. 

  71.         {
    72. 

  72.             "Effect": "Allow",
    73. 

  73.             "Resource": [
    74. 

  74.                 "arn:${var.aws_partition}:s3:::xdr-codebuild-artifacts/*",
    75. 

  75.                 "arn:${var.aws_partition}:s3:::*"
    76. 

  76.             ],
    77. 

  77.             "Action": [
    78. 

  78.                 "s3:PutObject",
    79. 

  79.                 "s3:GetObject*",
    80. 

  80.                 "s3:ListBucket"
    81. 

  81.             ]
    82. 

  82.         },
    83. 

  83.         {
    84. 

  84.             "Effect": "Allow",
    85. 

  85.             "Resource": [
    86. 

  86.                 "*"
    87. 

  87.             ],
    88. 

  88.             "Action": [
    89. 

  89.               "ecr:GetAuthorizationToken",
    90. 

  90.               "ecr:BatchCheckLayerAvailability",
    91. 

  91.               "ecr:CompleteLayerUpload",
    92. 

  92.               "ecr:GetAuthorizationToken",
    93. 

  93.               "ecr:InitiateLayerUpload",
    94. 

  94.               "ecr:PutImage",
    95. 

  95.               "ecr:UploadLayerPart"
    96. 

  96.             ]
    97. 

  97.         }
    98. 

  98.     ]
    99. 

  99. }
    100. 

  100. EOF
    101. 

  101. }
    102. 

  102. 

  103. # !!!!!     RETAINED FOR FUTURE USE   !!!!!
    104. 

  104. # Defines an IAM user that can only download ECR images, intended for
    105. 

  105. # use in POP nodes where we need containers, but won't necessarily have
    106. 

  106. # EC2 instance role credentials.  Maybe one day this goes to vault, I
    107. 

  107. # hope.   It would be nice.
    108. 

  108. 

  109. # data "aws_iam_policy_document" "ecr_policy_pop" {
    110. 

  110. #   statement {
    111. 

  111. #     sid       = "AllowECRReadOnly"
    112. 

  112. #     effect    = "Allow"
    113. 

  113. 

  114. #     actions   = [
    115. 

  115. #       "ecr:GetAuthorizationToken",
    116. 

  116. #       "ecr:BatchCheckLayerAvailability",
    117. 

  117. #       "ecr:GetDownloadUrlForLayer",
    118. 

  118. #       "ecr:GetRepositoryPolicy",
    119. 

  119. #       "ecr:DescribeRepositories",
    120. 

  120. #       "ecr:ListImages",
    121. 

  121. #       "ecr:DescribeImages",
    122. 

  122. #       "ecr:BatchGetImage"
    123. 

  123. #     ]
    124. 

  124.     
    125. 

  125. #     resources = [
    126. 

  126. #       "*"
    127. 

  127. #     ]
    128. 

  128. 

  129. #   }
    130. 

  130. # }
    131. 

  131. 

  132. # resource "aws_iam_policy" "ecr_policy_pop" {
    133. 

  133. #   name   = "ecr_policy_pop"
    134. 

  134. #   path   = "/"
    135. 

  135. #   policy = "${data.aws_iam_policy_document.ecr_policy_pop.json}"
    136. 

  136. # }
    137. 

  137. 

  138. # resource "aws_iam_user" "pop_service_account" {
    139. 

  139. #   name = "svc-mdrpop"
    140. 

  140. #   path = "/service/"
    141. 

  141. # }
    142. 

  142. 

  143. # resource "aws_iam_user_policy_attachment" "pop_service_account_1" {
    144. 

  144. #   user       = "${aws_iam_user.pop_service_account.name}"
    145. 

  145. #   policy_arn = "${aws_iam_policy.ecr_policy_pop.arn}"
    146. 

  146. # }
    147. 

  147. 

  148. 

  149. # resource "aws_iam_access_key" "pop_service_account" {
    150. 

  150. #   user    = "${aws_iam_user.pop_service_account.name}"
    151. 

  151. #   pgp_key = "${file("../00-organizations-and-iam/duane_waddle.pgp")}"
    152. 

  152. # }
    153. 

  153. 

  154. # output "pop_service_account_key_id" {
    155. 

  155. #   value = "${aws_iam_access_key.pop_service_account.id}"
    156. 

  156. # }
    157. 

  157. 

  158. # output "pop_service_account_secret" {
    159. 

  159. #   value = "${aws_iam_access_key.pop_service_account.encrypted_secret}"
    160. 

  160. # }
    161. 

  161. 

  162. # !!!!!    END OF RETAINED FOR FUTURE USE   !!!!!
    163.