AFS
/
xdr-terraform-modules


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175
							resource "aws_iam_role" "codebuild_role" {
  name = "codebuild_role"

  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "codebuild.amazonaws.com",
            "events.amazonaws.com"
            ]
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
EOF
}

resource "aws_iam_role_policy_attachment" "codebuild_role_policy_attach" {
  role       = aws_iam_role.codebuild_role.name
  policy_arn = aws_iam_policy.codebuild_policy.arn
}

# FIXME: Not sure about this policy
#   1.  Lets codebuild (apparently) write to ANY s3 bucket
#   2.  Lets codebuild (apparently) write to ANY ECR repo
#   3.  It's in JSON instead of a terraform data source so these comments
#           have to be at the top instead of inline where they would make sense.
#   4.  Latest codebuild policies (from AWS console) have report-group resources and actions
resource "aws_iam_policy" "codebuild_policy" {
  name        = "codebuild_policy"
  description = "Policy for AWS codebuild to build and store artifacts"

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": [
                "arn:${var.aws_partition}:logs:${var.aws_region}:${var.common_services_account}:log-group:/aws/codebuild/*"
            ],
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:${var.aws_partition}:s3:::codepipeline-${var.aws_region}-*"
            ],
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:${var.aws_partition}:codecommit:${var.aws_region}:${var.common_services_account}:*"
            ],
            "Action": [
                "codecommit:GitPull"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:${var.aws_partition}:s3:::xdr-codebuild-artifacts/*",
                "arn:${var.aws_partition}:s3:::*"
            ],
            "Action": [
                "s3:PutObject",
                "s3:GetObject*",
                "s3:ListBucket"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "*"
            ],
            "Action": [
              "ecr:GetAuthorizationToken",
              "ecr:BatchCheckLayerAvailability",
              "ecr:CompleteLayerUpload",
              "ecr:GetAuthorizationToken",
              "ecr:InitiateLayerUpload",
              "ecr:PutImage",
              "ecr:UploadLayerPart"
            ]
        },
        {
            "Action": [
              "codebuild:StartBuild",
              "codebuild:StopBuild",
              "codebuild:BatchGet*",
              "codebuild:Get*",
              "codebuild:List*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
EOF
}

# !!!!!     RETAINED FOR FUTURE USE   !!!!!
# Defines an IAM user that can only download ECR images, intended for
# use in POP nodes where we need containers, but won't necessarily have
# EC2 instance role credentials.  Maybe one day this goes to vault, I
# hope.   It would be nice.

# data "aws_iam_policy_document" "ecr_policy_pop" {
#   statement {
#     sid       = "AllowECRReadOnly"
#     effect    = "Allow"

#     actions   = [
#       "ecr:GetAuthorizationToken",
#       "ecr:BatchCheckLayerAvailability",
#       "ecr:GetDownloadUrlForLayer",
#       "ecr:GetRepositoryPolicy",
#       "ecr:DescribeRepositories",
#       "ecr:ListImages",
#       "ecr:DescribeImages",
#       "ecr:BatchGetImage"
#     ]

#     resources = [
#       "*"
#     ]

#   }
# }

# resource "aws_iam_policy" "ecr_policy_pop" {
#   name   = "ecr_policy_pop"
#   path   = "/"
#   policy = "${data.aws_iam_policy_document.ecr_policy_pop.json}"
# }

# resource "aws_iam_user" "pop_service_account" {
#   name = "svc-mdrpop"
#   path = "/service/"
# }

# resource "aws_iam_user_policy_attachment" "pop_service_account_1" {
#   user       = "${aws_iam_user.pop_service_account.name}"
#   policy_arn = "${aws_iam_policy.ecr_policy_pop.arn}"
# }


# resource "aws_iam_access_key" "pop_service_account" {
#   user    = "${aws_iam_user.pop_service_account.name}"
#   pgp_key = "${file("../00-organizations-and-iam/duane_waddle.pgp")}"
# }

# output "pop_service_account_key_id" {
#   value = "${aws_iam_access_key.pop_service_account.id}"
# }

# output "pop_service_account_secret" {
#   value = "${aws_iam_access_key.pop_service_account.encrypted_secret}"
# }

# !!!!!    END OF RETAINED FOR FUTURE USE   !!!!!