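# IAM service role assumed by CodePipeline for the pipeline this module
# manages. Created only when the caller did not hand in an existing role
# through var.codepipeline_role_arn (count = 0 otherwise, so every reference
# to this resource elsewhere must be index-aware).
resource "aws_iam_role" "codepipeline_role" {
  count = var.codepipeline_role_arn == "" ? 1 : 0

  name = "${local.iam_role_prefix}-codepipeline-${data.aws_region.current.name}"
  tags = var.tags

  # Trust policy: only the CodePipeline service principal may assume this
  # role, and only on behalf of a pipeline that lives in this account.
  # The aws:SourceAccount condition closes the cross-service confused-deputy
  # gap, in which a pipeline in a foreign account could otherwise obtain
  # this role through the shared service principal. aws:SourceArn (the
  # pipeline ARN) is not used because the pipeline presumably references
  # this role, which would form a dependency cycle; account scoping is the
  # cycle-free subset of that guard.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "codepipeline.amazonaws.com"
        }
        Condition = {
          StringEquals = {
            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
          }
        }
      }
    ]
  })

  # Read access to the S3 source bucket, attached only when an S3 source
  # (var.s3_bucket) is configured. Scoped to that one bucket and its keys.
  # NOTE(review): "s3:Get*" is broader than a single source action strictly
  # requires; narrow it to the concrete Get* actions once those are confirmed.
  dynamic "inline_policy" {
    for_each = var.s3_bucket != "" ? [true] : []

    content {
      name = "s3-source-package-permissions"
      policy = jsonencode({
        Version = "2012-10-17"
        Statement = [
          {
            Action = [
              "s3:Get*",
              "s3:ListBucket"
            ]
            Effect = "Allow"
            Resource = [
              "arn:${data.aws_partition.current.partition}:s3:::${var.s3_bucket}",
              "arn:${data.aws_partition.current.partition}:s3:::${var.s3_bucket}/*",
            ]
          }
        ]
      })
    }
  }

  # Read access to the ECR source repository, attached only when an ECR
  # source (var.ecr_repository_name) is configured. Scoped to that single
  # repository in the current partition, region and account.
  dynamic "inline_policy" {
    for_each = var.ecr_repository_name != "" ? [true] : []

    content {
      name = "ecr-source-image-permissions"
      policy = jsonencode({
        Version = "2012-10-17"
        Statement = [
          {
            Action   = ["ecr:DescribeImages"]
            Effect   = "Allow"
            Resource = "arn:${data.aws_partition.current.partition}:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/${var.ecr_repository_name}"
          }
        ]
      })
    }
  }

  # Permissions the pipeline itself needs: drive the module's CodeBuild
  # project and CodeDeploy app/deployment group, and read/write the pipeline
  # artifact store. Each statement is pinned to the specific module-owned
  # resource; only GetDeploymentConfig is account-wide, since deployment
  # configs are shared, predefined objects.
  inline_policy {
    name = "codepipeline-permissions"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Action = [
            "codebuild:StartBuild",
            "codebuild:BatchGetBuilds"
          ]
          Effect   = "Allow"
          Resource = aws_codebuild_project.this.arn
        },
        {
          Action = [
            "codedeploy:CreateDeployment",
            "codedeploy:GetDeployment"
          ]
          Effect   = "Allow"
          Resource = "arn:${data.aws_partition.current.partition}:codedeploy:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:deploymentgroup:${aws_codedeploy_app.this.name}/${aws_codedeploy_deployment_group.this.deployment_group_name}"
        },
        {
          Action = [
            "codedeploy:GetDeploymentConfig"
          ]
          Effect   = "Allow"
          Resource = "arn:${data.aws_partition.current.partition}:codedeploy:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:deploymentconfig:*"
        },
        {
          Action = [
            "codedeploy:RegisterApplicationRevision"
          ]
          Effect   = "Allow"
          Resource = "arn:${data.aws_partition.current.partition}:codedeploy:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:application:${aws_codedeploy_app.this.name}"
        },
        {
          # Artifact store bucket (presumably the pipeline's artifact_store;
          # local.artifact_store_bucket_arn is defined elsewhere in the module).
          Action = [
            "s3:GetObject",
            "s3:GetObjectTagging",
            "s3:ListBucket",
            "s3:PutObject",
            "s3:PutObjectTagging"
          ]
          Effect = "Allow"
          Resource = [
            local.artifact_store_bucket_arn,
            "${local.artifact_store_bucket_arn}/*"
          ]
        }
      ]
    })
  }
}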