diff --git a/concourse/pipelines/create-bosh-concourse.yml b/concourse/pipelines/create-bosh-concourse.yml
index e3beee53d..ad8c60369 100644
--- a/concourse/pipelines/create-bosh-concourse.yml
+++ b/concourse/pipelines/create-bosh-concourse.yml
@@ -1088,23 +1088,6 @@ jobs:
 params:
 file: updated-concourse-tfstate/concourse.tfstate
- # Temporary task to add the git-${DEPLOY_ENV} user to git group
- - task: add-git-user-to-group
- config:
- platform: linux
- image_resource: *awscli-image-resource
- inputs:
- - name: paas-bootstrap
- params:
- DEPLOY_ENV: ((deploy_env))
- run:
- path: sh
- args:
- - -e
- - -c
- - |
- aws iam add-user-to-group --user-name "git-${DEPLOY_ENV}" --group-name concourse-pool-git-rw
-
 - name: generate-concourse-config
 serial: true
 plan:
diff --git a/terraform/concourse/codecommit.tf b/terraform/concourse/codecommit.tf
index 2a46bfbce..c62f9c899 100644
--- a/terraform/concourse/codecommit.tf
+++ b/terraform/concourse/codecommit.tf
@@ -9,28 +9,10 @@ resource "aws_iam_user" "git" {
 name = "git-${var.env}"
 }
-# Until this feature request is not solved https://github.com/hashicorp/terraform/issues/5778,
-# `aws_iam_group_membership` will wipe all the other members from the
-# shared group.
-#
-# The workaround is use aws cli:
-#
-# aws iam add-user-to-group --user-name git-${DEPLOY_ENV} --group-name concourse-pool-git-rw
-#
-# We could do it using terraform provisioner local-exec calling out awscli
-# but we want to avoid this pattern so we will do it in a script in
-# the next step.
-#
-# Once they fix it upstream, we can replace it with this code:
-#
-# resource "aws_iam_group_membership" "concourse-pool-git-rw" {
-# name = "concourse-pool-git-rw"
-# group = "concourse-pool-git-rw"
-# users = [
-# "${aws_iam_user.git.name}",
-# ]
-# append = true
-#}
+resource "aws_iam_user_group_membership" "git_concourse_pool" {
+ user = "${aws_iam_user.git.name}"
+ groups = ["concourse-pool-git-rw"]
+}
 resource "aws_iam_user_ssh_key" "git" {
 username = "${aws_iam_user.git.name}"
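Review bot: The new `aws_iam_user_group_membership.git_concourse_pool` block hard-codes the group as the literal `"concourse-pool-git-rw"`; if that group is itself created by Terraform elsewhere in this configuration, referencing its `name` attribute instead would give the apply an explicit ordering dependency rather than relying on the group already existing (I cannot see from this hunk whether it is managed here). The deleted comment recorded why the authoritative `aws_iam_group_membership` was avoided, and that rationale should stay next to the resource, e.g. `# Per-user (non-authoritative) membership: unlike aws_iam_group_membership this does not remove other members of the shared group.` Because the pipeline task that previously ran `aws iam add-user-to-group` is removed in the same commit, the first apply in an existing environment presumably re-adds a membership that is already present; AddUserToGroup is idempotent so this should be harmless, but it is worth confirming on the first run rather than assuming the state import happened.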