Add extra policies for codebuild #104

Status: Merged (2 commits, Dec 16, 2022)
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -245,6 +245,7 @@ Available targets:
| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.codebuild_codestar](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.codebuild_extras](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.codebuild_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.codestar](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
Expand Down Expand Up @@ -274,6 +275,7 @@ Available targets:
| <a name="input_buildspec"></a> [buildspec](#input\_buildspec) | Declaration to use for building the project. [For more info](http://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html) | `string` | `""` | no |
| <a name="input_cache_bucket_suffix_enabled"></a> [cache\_bucket\_suffix\_enabled](#input\_cache\_bucket\_suffix\_enabled) | The cache bucket generates a random 13 character string to generate a unique bucket name. If set to false it uses terraform-null-label's id value. It only works when cache\_type is 'S3' | `bool` | `true` | no |
| <a name="input_cache_type"></a> [cache\_type](#input\_cache\_type) | The type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO\_CACHE, LOCAL, and S3. Defaults to S3. If cache\_type is S3, it will create an S3 bucket for storing codebuild cache inside | `string` | `"S3"` | no |
| <a name="input_codebuild_extra_policy_arns"></a> [codebuild\_extra\_policy\_arns](#input\_codebuild\_extra\_policy\_arns) | List of ARNs of extra policies to attach to the CodeBuild role | `list(string)` | `[]` | no |
| <a name="input_codebuild_vpc_config"></a> [codebuild\_vpc\_config](#input\_codebuild\_vpc\_config) | Configuration for the builds to run inside a VPC. | `any` | `{}` | no |
| <a name="input_codestar_connection_arn"></a> [codestar\_connection\_arn](#input\_codestar\_connection\_arn) | CodeStar connection ARN required for Bitbucket integration with CodePipeline | `string` | `""` | no |
| <a name="input_codestar_output_artifact_format"></a> [codestar\_output\_artifact\_format](#input\_codestar\_output\_artifact\_format) | Output artifact type for Source stage in pipeline. Valid values are "CODE\_ZIP" (default) and "CODEBUILD\_CLONE\_REF". See https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-CodestarConnectionSource.html | `string` | `"CODE_ZIP"` | no |
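Review bot: the generated description for `codebuild_extra_policy_arns` ("List of ARNs of extra policies to attach to the CodeBuild role") does not say what the reader most needs to know: every policy listed here is granted to the role under which the buildspec runs, so any command in the build inherits those permissions. Since this table is produced from the `description` in `variables.tf`, consider extending that description to state that entries should be scoped to the minimum the build needs, so the README and `docs/terraform.md` both pick it up on regeneration.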
2 changes: 2 additions & 0 deletions docs/terraform.md
Expand Up @@ -41,6 +41,7 @@
| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.codebuild_codestar](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.codebuild_extras](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.codebuild_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.codestar](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
Expand Down Expand Up @@ -70,6 +71,7 @@
| <a name="input_buildspec"></a> [buildspec](#input\_buildspec) | Declaration to use for building the project. [For more info](http://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html) | `string` | `""` | no |
| <a name="input_cache_bucket_suffix_enabled"></a> [cache\_bucket\_suffix\_enabled](#input\_cache\_bucket\_suffix\_enabled) | The cache bucket generates a random 13 character string to generate a unique bucket name. If set to false it uses terraform-null-label's id value. It only works when cache\_type is 'S3' | `bool` | `true` | no |
| <a name="input_cache_type"></a> [cache\_type](#input\_cache\_type) | The type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO\_CACHE, LOCAL, and S3. Defaults to S3. If cache\_type is S3, it will create an S3 bucket for storing codebuild cache inside | `string` | `"S3"` | no |
| <a name="input_codebuild_extra_policy_arns"></a> [codebuild\_extra\_policy\_arns](#input\_codebuild\_extra\_policy\_arns) | List of ARNs of extra policies to attach to the CodeBuild role | `list(string)` | `[]` | no |
| <a name="input_codebuild_vpc_config"></a> [codebuild\_vpc\_config](#input\_codebuild\_vpc\_config) | Configuration for the builds to run inside a VPC. | `any` | `{}` | no |
| <a name="input_codestar_connection_arn"></a> [codestar\_connection\_arn](#input\_codestar\_connection\_arn) | CodeStar connection ARN required for Bitbucket integration with CodePipeline | `string` | `""` | no |
| <a name="input_codestar_output_artifact_format"></a> [codestar\_output\_artifact\_format](#input\_codestar\_output\_artifact\_format) | Output artifact type for Source stage in pipeline. Valid values are "CODE\_ZIP" (default) and "CODEBUILD\_CLONE\_REF". See https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-CodestarConnectionSource.html | `string` | `"CODE_ZIP"` | no |
37 changes: 19 additions & 18 deletions examples/complete/main.tf
Expand Up @@ -68,24 +68,25 @@ module "ecs_alb_service_task" {
}

module "ecs_codepipeline" {
source = "../../"
region = var.region
github_oauth_token = var.github_oauth_token
repo_owner = var.repo_owner
repo_name = var.repo_name
branch = var.branch
build_image = var.build_image
build_compute_type = var.build_compute_type
build_timeout = var.build_timeout
poll_source_changes = var.poll_source_changes
privileged_mode = var.privileged_mode
image_repo_name = var.image_repo_name
image_tag = var.image_tag
webhook_enabled = var.webhook_enabled
s3_bucket_force_destroy = var.s3_bucket_force_destroy
environment_variables = var.environment_variables
ecs_cluster_name = aws_ecs_cluster.default.name
service_name = module.ecs_alb_service_task.service_name
source = "../../"
region = var.region
github_oauth_token = var.github_oauth_token
repo_owner = var.repo_owner
repo_name = var.repo_name
branch = var.branch
build_image = var.build_image
build_compute_type = var.build_compute_type
build_timeout = var.build_timeout
poll_source_changes = var.poll_source_changes
privileged_mode = var.privileged_mode
image_repo_name = var.image_repo_name
image_tag = var.image_tag
webhook_enabled = var.webhook_enabled
s3_bucket_force_destroy = var.s3_bucket_force_destroy
environment_variables = var.environment_variables
ecs_cluster_name = aws_ecs_cluster.default.name
service_name = module.ecs_alb_service_task.service_name
codebuild_extra_policy_arns = var.codebuild_extra_policy_arns

context = module.this.context
}
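Review bot: the only substantive line in this hunk is `codebuild_extra_policy_arns = var.codebuild_extra_policy_arns`; the other 18 removed/added lines are `terraform fmt` realigning `=` to the longer argument name. That is expected, but it hides the real change in the diff, so reviewers comparing the example against the root module should check those pairs line by line and confirm no argument value changed in the realignment (none appears to have).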
6 changes: 6 additions & 0 deletions examples/complete/variables.tf
Expand Up @@ -198,3 +198,9 @@ variable "s3_bucket_force_destroy" {
type = bool
description = "A boolean that indicates all objects should be deleted from the CodePipeline artifact store S3 bucket so that the bucket can be destroyed without error"
}

variable "codebuild_extra_policy_arns" {
type = list(string)
default = []
description = "List of ARNs of extra policies to attach to the CodeBuild role"
}
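Review bot: with `default = []` the complete example never exercises the new attachment path, so an automated run of `examples/complete` still passes even if `aws_iam_role_policy_attachment.codebuild_extras` in `main.tf` were broken. Consider supplying a non-empty value in the example's test fixture (for instance an AWS-managed read-only policy ARN) so the `for_each` branch is actually planned and applied in CI.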
12 changes: 10 additions & 2 deletions main.tf
Expand Up @@ -251,6 +251,12 @@ resource "aws_iam_role_policy_attachment" "codebuild_codestar" {
policy_arn = join("", aws_iam_policy.codestar.*.arn)
}

resource "aws_iam_role_policy_attachment" "codebuild_extras" {
for_each = module.this.enabled ? toset(var.codebuild_extra_policy_arns) : []
role = module.codebuild.role_id
policy_arn = each.value
}

resource "aws_codepipeline" "default" {
count = module.this.enabled && var.github_oauth_token != "" ? 1 : 0
name = module.codepipeline_label.id
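Review bot: in the new `codebuild_extras` resource, `for_each = module.this.enabled ? toset(var.codebuild_extra_policy_arns) : []` mixes a `set(string)` true arm with an untyped empty tuple false arm; writing the false arm as `toset([])` keeps both arms the same type and avoids relying on Terraform's conditional type unification. Two further caveats worth a comment in the code: because each ARN is the `for_each` key, every entry must be known at plan time, so ARNs of `aws_iam_policy` resources created in the same apply will fail with the "cannot be determined until apply" error unless applied in a separate step; and this resource attaches to `module.codebuild.role_id`, the role that executes the buildspec, so any policy passed in widens what build-time code can do.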
Expand All @@ -265,7 +271,8 @@ resource "aws_codepipeline" "default" {
aws_iam_role_policy_attachment.default,
aws_iam_role_policy_attachment.s3,
aws_iam_role_policy_attachment.codebuild,
aws_iam_role_policy_attachment.codebuild_s3
aws_iam_role_policy_attachment.codebuild_s3,
aws_iam_role_policy_attachment.codebuild_extras
]

stage {
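Review bot: the `depends_on` list has no trailing comma after its last element, which is why adding `codebuild_extras` required touching the existing `codebuild_s3` line (`aws_iam_role_policy_attachment.codebuild_s3` became `aws_iam_role_policy_attachment.codebuild_s3,`). Terraform accepts a trailing comma in list literals, so ending the list with `aws_iam_role_policy_attachment.codebuild_extras,` would keep future additions to a single added line. Referencing the whole `for_each` resource in `depends_on` is correct: the pipeline waits for all attachments, including the zero-instance case when the variable is empty.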
Expand Down Expand Up @@ -348,7 +355,8 @@ resource "aws_codepipeline" "bitbucket" {
aws_iam_role_policy_attachment.s3,
aws_iam_role_policy_attachment.codebuild,
aws_iam_role_policy_attachment.codebuild_s3,
aws_iam_role_policy_attachment.codestar
aws_iam_role_policy_attachment.codestar,
aws_iam_role_policy_attachment.codebuild_extras
]

stage {
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -210,3 +210,9 @@ variable "codebuild_vpc_config" {
default = {}
description = "Configuration for the builds to run inside a VPC."
}

variable "codebuild_extra_policy_arns" {
type = list(string)
default = []
description = "List of ARNs of extra policies to attach to the CodeBuild role"
}
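Review bot: `codebuild_extra_policy_arns` accepts any string, so a typo or a non-policy ARN is only caught at apply time by the AWS API. A `validation` block on the variable would fail at plan time instead, for example `condition = alltrue([for a in var.codebuild_extra_policy_arns : can(regex("^arn:aws[a-z-]*:iam::(aws|[0-9]{12}):policy/", a))])` with `error_message = "Each entry must be an IAM policy ARN."`. The `description` could also state that these policies are granted to the role the buildspec runs under, since that text is what `terraform-docs` copies into the README.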