
Commit f9d41ca

committed
DOPS-101 Add s3 policy to role for jenkins
1 parent 86a7e78 commit f9d41ca


3 files changed

+365
-20
lines changed


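--- a/terraform/bootstrap/jenkins.tf
+++ b/terraform/bootstrap/jenkins.tf
@@ -0,0 +1,44 @@
+/*
+We use jenkins to automate deployment with Terraform. Jenkins
+is set up in a different AWS account.
+
+This group of IAM resources allow jenkins to assume a role needed
+to deploy resources (and make changes to backend).
+*/
+
+data "aws_iam_policy_document" "terraform_backend_account_policy" {
+statement {
+effect = "Allow"
+
+principals {
+type = "AWS"
+identifiers = ["arn:aws:iam::191447213457:role/jenkins-role"]
+}
+
+actions = ["sts:AssumeRole"]
+}
+}
+
+resource "aws_iam_role" "terraform_backend_role" {
+name = "terraform_sandbox_backend_admin"
+assume_role_policy = data.aws_iam_policy_document.terraform_backend_account_policy.json
+}
+
+data "aws_iam_policy_document" "terraform_backend_role_policy_document" {
+statement {
+effect = "Allow"
+
+actions = ["s3:*"]
+resources = ["arn:aws:s3:::${module.bootstrap.state_bucket}/*"]
+}
+}
+
+resource "aws_iam_policy" "terraform_backend_role_policy" {
+name = "terraform-backend-role-policy"
+policy = data.aws_iam_policy_document.terraform_backend_role_policy_document.json
+}
+
+resource "aws_iam_role_policy_attachment" "terraform_backend_attachment" {
+role = aws_iam_role.terraform_backend_role.name
+policy_arn = aws_iam_policy.terraform_backend_role_policy.arn
+}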
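Review bot: The backend policy at new lines 31–32 grants `s3:*` on the object path only, which is both broader and narrower than what the Terraform S3 backend needs: it requires `s3:ListBucket` on the bucket ARN itself (without `/*`), while object access can be reduced to `s3:GetObject` and `s3:PutObject` (plus `s3:DeleteObject` only if workspaces are deleted through this role). Nothing here grants the role access to the `${var.account_alias}-state-lock` DynamoDB table that main.tf configures on the bootstrap module, so state locking through this role will presumably fail — confirm which module output exposes the table ARN before wiring it in. The header comment says the role is used "to deploy resources", but only this backend policy is attached to it; either the deploy permissions arrive in a later change or the comment overstates the role's scope, and a short note such as `# Backend (state bucket + lock table) access only; deploy permissions are attached separately` would remove the ambiguity. Consider sourcing the trusted account `191447213457` at line 15 from a variable so the trust policy is not tied to one environment.
```hcl
data "aws_iam_policy_document" "terraform_backend_role_policy_document" {
  # Listing is a bucket-level action; the object ARN (".../*") does not cover it.
  statement {
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${module.bootstrap.state_bucket}"]
  }

  # Read/write of state objects; DeleteObject is only needed for workspace deletion.
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::${module.bootstrap.state_bucket}/*"]
  }

  # State locking on the table created by module.bootstrap ("${var.account_alias}-state-lock" in main.tf);
  # replace the placeholder with the module output that carries the table ARN.
  statement {
    effect    = "Allow"
    actions   = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
    resources = ["<STATE_LOCK_TABLE_ARN>"]
  }
}
```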

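--- a/terraform/bootstrap/main.tf
+++ b/terraform/bootstrap/main.tf
@@ -10,32 +10,32 @@ terraform {
 }
 
 provider "aws" {
-region = "${var.aws_region}"
+region = var.aws_region
 }
 
 module "bootstrap" {
 source = "trussworks/bootstrap/aws"
 
-region = "${var.aws_region}"
-account_alias = "${var.account_alias}"
+region = var.aws_region
+account_alias = var.account_alias
 dynamodb_table_name = "${var.account_alias}-state-lock"
 }
 
 data "aws_caller_identity" "current" {}
 
 output "account_id" {
-value = "${data.aws_caller_identity.current.account_id}"
+value = data.aws_caller_identity.current.account_id
 }
 
 output "arn" {
-value = "${data.aws_caller_identity.current.arn}"
+value = data.aws_caller_identity.current.arn
 }
 
 output "user_id" {
-value = "${data.aws_caller_identity.current.user_id}"
+value = data.aws_caller_identity.current.user_id
 }
 
 output "backend_details" {
 description = "Details of the S3 bucket and DynamoDB tables created for backend"
-value = "${module.bootstrap}"
+value = module.bootstrap
 }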
