AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126
							resource "aws_iam_role" "codebuild_service_role" {
  name     = "codebuild_${var.name}_role"
  path     = "/aws_services/"

  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "codebuild.amazonaws.com"
            ]
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
EOF
}

resource "aws_iam_role_policy_attachment" "codebuild_service_policy_attach" {
  role       = aws_iam_role.codebuild_service_role.name
  policy_arn = aws_iam_policy.codebuild_service_policy.arn
}

# Some things about this policy I'm not perfectly sure about, like
# should the account number be hardcoded?  Also, it reads like we'll have to
# update it each time we have a new repository added to codecommit - that
# or we'll need to authorize the codebuild role to be able to pull from any 
# codecommit repo.  Which may be fine?
resource "aws_iam_policy" "codebuild_service_policy" {
  name        = "codebuild_${var.name}_policy"
  description = "Policy for AWS codebuild for ${var.name}"
  path     = "/aws_services/"

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": [
                "arn:${var.aws_partition}:logs:${var.aws_region}:${var.aws_account_id}:log-group:/aws/codebuild/*"
            ],
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:${var.aws_partition}:s3:::codepipeline-${var.aws_region}-*"
            ],
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:${var.aws_partition}:lambda:${var.aws_region}:${var.aws_account_id}:function:portal_*"
            ],
            "Action": [
                "lambda:UpdateFunctionCode"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:${var.aws_partition}:codecommit:${var.aws_region}:${var.aws_account_id}:*"
            ],
            "Action": [
                "codecommit:GitPull"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:${var.aws_partition}:s3:::xdr-${var.environment}-codebuild-${var.name}/*",
                "arn:${var.aws_partition}:s3:::*"
            ],
            "Action": [
                "s3:PutObject",
                "s3:GetObject*",
                "s3:ListBucket",
                "s3:DeleteObject"
            ]
        },
        {
            "Sid": "WriteToECR",
            "Effect": "Allow",
            "Resource": [
                "*"
            ],
            "Action": [
              "ecr:GetAuthorizationToken",
              "ecr:BatchCheckLayerAvailability",
              "ecr:CompleteLayerUpload",
              "ecr:GetAuthorizationToken",
              "ecr:InitiateLayerUpload",
              "ecr:PutImage",
              "ecr:UploadLayerPart"
            ]
        },
        {
            "Sid": "PullFromECR",
            "Effect": "Allow",
            "Resource": [
                "*"
            ],
            "Action": [
              "ecr:GetDownloadUrlForLayer",
              "ecr:BatchGetImage",
              "ecr:BatchCheckLayerAvailability"
            ]
        }
    ]
}
EOF
}