AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117
							resource "aws_iam_role" "codebuild_splunk_docs_role" {
  name_prefix = "codebuild_splunk_docs_role"
  path        = "/aws_services/"

  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "codebuild.amazonaws.com"
            ]
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
EOF
}

resource "aws_iam_role_policy_attachment" "codebuild_splunk_docs_role_policy_attach" {
  role       = aws_iam_role.codebuild_splunk_docs_role.name
  policy_arn = aws_iam_policy.codebuild_splunk_docs_policy.arn
}

# Some things about this policy I'm not perfectly sure about, like
# should the account number be hardcoded?  Also, it reads like we'll have to
# update it each time we have a new repository added to codecommit - that
# or we'll need to authorize the codebuild role to be able to pull from any 
# codecommit repo.  Which may be fine?
resource "aws_iam_policy" "codebuild_splunk_docs_policy" {
  name_prefix = "codebuild_splunk_docs_policy"
  description = "Policy for AWS codebuild to build and store artifacts"
  path        = "/aws_services/"

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": [
                "arn:${var.aws_partition}:logs:${var.aws_region}:${var.aws_account_id}:log-group:/aws/codebuild/*"
            ],
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:${var.aws_partition}:s3:::codepipeline-${var.aws_region}-*"
            ],
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:${var.aws_partition}:codecommit:${var.aws_region}:${var.aws_account_id}:*"
            ],
            "Action": [
                "codecommit:GitPull"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:${var.aws_partition}:s3:::xdr-${var.environment}-codebuild_splunk_apps/*",
                "arn:${var.aws_partition}:s3:::*"
            ],
            "Action": [
                "s3:PutObject",
                "s3:GetObject*",
                "s3:ListBucket",
                "s3:DeleteObject"
            ]
        },
        {
            "Sid": "WriteToECR",
            "Effect": "Allow",
            "Resource": [
                "*"
            ],
            "Action": [
              "ecr:GetAuthorizationToken",
              "ecr:BatchCheckLayerAvailability",
              "ecr:CompleteLayerUpload",
              "ecr:GetAuthorizationToken",
              "ecr:InitiateLayerUpload",
              "ecr:PutImage",
              "ecr:UploadLayerPart"
            ]
        },
        {
            "Sid": "PullFromECR",
            "Effect": "Allow",
            "Resource": [
                "*"
            ],
            "Action": [
              "ecr:GetDownloadUrlForLayer",
              "ecr:BatchGetImage",
              "ecr:BatchCheckLayerAvailability"
            ]
        }
    ]
}
EOF
}