feat(deploy-role): create AWS IAM role for deployment (#41)

jindraj · web-flow · commit 09a476c1a599 · 2025-04-24T12:15:09.000+02:00
* feat(deploy-role): create AWS IAM role for deployment
diff --git a/README.md b/README.md
@@ -87,20 +87,22 @@ module "static-site" {
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5, < 2.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.27 |
+| <a name="requirement_gitlab"></a> [gitlab](#requirement\_gitlab) | >= 15.7, < 18.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | 5.61.0 |
+| <a name="provider_gitlab"></a> [gitlab](#provider\_gitlab) | 17.2.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_certificate"></a> [certificate](#module\_certificate) | terraform-aws-modules/acm/aws | 5.1.1 |
 | <a name="module_gitlab"></a> [gitlab](#module\_gitlab) | ./modules/gitlab | n/a |
-| <a name="module_s3_bucket"></a> [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | 4.2.2 |
+| <a name="module_s3_bucket"></a> [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | 4.6.1 |
 
 ## Resources
 
@@ -111,6 +113,8 @@ module "static-site" {
 | [aws_cloudfront_origin_access_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_identity) | resource |
 | [aws_cloudfront_response_headers_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_response_headers_policy) | resource |
 | [aws_iam_access_key.deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
+| [aws_iam_role.deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_user.deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
 | [aws_iam_user_policy.deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
 | [aws_kms_alias.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
@@ -121,20 +125,25 @@ module "static-site" {
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_cloudfront_cache_policy.managed_caching_disabled](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_cache_policy) | data source |
 | [aws_cloudfront_origin_request_policy.managed_all_viewer_and_cloudfront_headers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_origin_request_policy) | data source |
+| [aws_iam_openid_connect_provider.gitlab](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source |
+| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.kms_key_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.s3_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [gitlab_project.this](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/data-sources/project) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_aws_env_vars_suffix"></a> [aws\_env\_vars\_suffix](#input\_aws\_env\_vars\_suffix) | Append suffix for Gitlab CI/CD environment variables if needed | `string` | `""` | no |
 | <a name="input_cloudfront_price_class"></a> [cloudfront\_price\_class](#input\_cloudfront\_price\_class) | CloudFront price class | `string` | `"PriceClass_100"` | no |
+| <a name="input_custom_headers"></a> [custom\_headers](#input\_custom\_headers) | n/a | <pre>object({<br/>    headers = optional(map(object({<br/>      override = optional(bool, true)<br/>      value    = string<br/>    })))<br/>    cors_rules = optional(object({<br/>      use             = optional(bool, false)<br/>      allowed_headers = optional(list(string))<br/>      allowed_methods = optional(list(string))<br/>      allowed_origins = optional(list(string))<br/>      expose_headers  = optional(list(string))<br/>      max_age_seconds = optional(number)<br/>      override        = optional(bool, true)<br/>    }), null)<br/>    frame_options = optional(object({<br/>      use          = optional(bool, false)<br/>      frame_option = string<br/>      override     = optional(bool, true)<br/>    }), null)<br/>    referrer_policy = optional(object({<br/>      use             = optional(bool, false)<br/>      referrer_policy = string<br/>      override        = optional(bool, true)<br/>    }), null)<br/>    xss_protection = optional(object({<br/>      use        = optional(bool, false)<br/>      mode_block = bool<br/>      protection = bool<br/>      override   = optional(bool, true)<br/>    }), null)<br/>    content_security_policy = optional(object({<br/>      use                     = optional(bool, false)<br/>      content_security_policy = string<br/>      override                = optional(bool, true)<br/>    }), null)<br/>    strict_transport_security = optional(object({<br/>      use                        = optional(bool, false)<br/>      access_control_max_age_sec = string<br/>      include_subdomains         = bool<br/>      preload                    = bool<br/>      override                   = optional(bool, true)<br/>    }), null)<br/>    content_type_options = optional(object({<br/>      override = optional(bool, true)<br/>    }), null)<br/>  })</pre> | `null` | no |
 | <a name="input_default_ttl"></a> [default\_ttl](#input\_default\_ttl) | Default amount of time that you want objects to stay in a CloudFront cache | `number` | `3600` | no |
 | <a name="input_domain_zone_id"></a> [domain\_zone\_id](#input\_domain\_zone\_id) | The ID of the hosted zone for domain | `string` | n/a | yes |
 | <a name="input_domains"></a> [domains](#input\_domains) | List of domain aliases. You can also specify wildcard eg.: `*.example.com` | `list(string)` | n/a | yes |
+| <a name="input_enable_deploy_role"></a> [enable\_deploy\_role](#input\_enable\_deploy\_role) | Toggle IAM role creation for S3 deploy & CloudFront invalidation; This requires existing aws\_iam\_openid\_connect\_provider matching domain of your gitlab provider | `bool` | `false` | no |
 | <a name="input_enable_deploy_user"></a> [enable\_deploy\_user](#input\_enable\_deploy\_user) | Toggle s3 deploy user creation | `bool` | `true` | no |
 | <a name="input_encrypt_with_kms"></a> [encrypt\_with\_kms](#input\_encrypt\_with\_kms) | Enable server side s3 bucket encryption with KMS key | `bool` | `false` | no |
 | <a name="input_extra_domains"></a> [extra\_domains](#input\_extra\_domains) | Map of extra\_domains with domain name and zone\_id | `map(string)` | `{}` | no |
@@ -154,10 +163,13 @@ module "static-site" {
 | <a name="input_proxy_paths"></a> [proxy\_paths](#input\_proxy\_paths) | n/a | <pre>list(object({<br/>    origin_domain = string<br/>    path_prefix   = string<br/>  }))</pre> | `[]` | no |
 | <a name="input_response_header_access_control_allow_credentials"></a> [response\_header\_access\_control\_allow\_credentials](#input\_response\_header\_access\_control\_allow\_credentials) | n/a | `bool` | `false` | no |
 | <a name="input_response_header_origin_override"></a> [response\_header\_origin\_override](#input\_response\_header\_origin\_override) | n/a | `bool` | `false` | no |
+| <a name="input_restriction_type"></a> [restriction\_type](#input\_restriction\_type) | Apply for geo restrictions, values: none, whitelist, blacklist | `string` | `"none"` | no |
+| <a name="input_restrictions_locations"></a> [restrictions\_locations](#input\_restrictions\_locations) | List of country codes | `list(string)` | `null` | no |
 | <a name="input_s3_bucket_name"></a> [s3\_bucket\_name](#input\_s3\_bucket\_name) | n/a | `string` | n/a | yes |
 | <a name="input_s3_bucket_policy"></a> [s3\_bucket\_policy](#input\_s3\_bucket\_policy) | Additional S3 bucket policy | `string` | `"{}"` | no |
 | <a name="input_s3_cors_rule"></a> [s3\_cors\_rule](#input\_s3\_cors\_rule) | List of maps containing rules for Cross-Origin Resource Sharing. | <pre>list(object({<br/>    allowed_headers = optional(list(string))<br/>    allowed_methods = optional(list(string))<br/>    allowed_origins = optional(list(string))<br/>    expose_headers  = optional(list(string))<br/>    max_age_seconds = optional(number)<br/>  }))</pre> | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | n/a | `map(string)` | `{}` | no |
+| <a name="input_waf_acl_arn"></a> [waf\_acl\_arn](#input\_waf\_acl\_arn) | WAF ACL ARN | `string` | `null` | no |
 
 ## Outputs
 
diff --git a/deploy.tf b/deploy.tf
@@ -1,19 +1,65 @@
 locals {
-  gitlab_project_ids = toset(concat(var.gitlab_project_ids, var.gitlab_project_id != "" ? [var.gitlab_project_id] : []))
+  gitlab_project_ids    = toset(concat(var.gitlab_project_ids, var.gitlab_project_id != "" ? [var.gitlab_project_id] : []))
+  first_project_web_url = data.gitlab_project.this[element(keys(data.gitlab_project.this), 0)].web_url
+  gitlab_domain         = regex("https://([^/]+)/.*", local.first_project_web_url)[0]
+}
+
+data "gitlab_project" "this" {
+  for_each = local.gitlab_project_ids
+  id       = each.value
+}
+
+data "aws_iam_openid_connect_provider" "gitlab" {
+  count = var.enable_deploy_role ? 1 : 0
+  url   = format("https://%s", local.gitlab_domain)
+}
+
+data "aws_iam_policy_document" "assume_role" {
+  count = var.enable_deploy_role ? 1 : 0
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+
+    condition {
+      test     = "ForAnyValue:StringLike"
+      values   = [for repo in local.gitlab_project_ids : format("project_path:%s:ref_type:*:ref:*", data.gitlab_project.this[repo].path_with_namespace)]
+      variable = format("%s:sub", local.gitlab_domain)
+    }
+
+    principals {
+      identifiers = [data.aws_iam_openid_connect_provider.gitlab[0].arn]
+      type        = "Federated"
+    }
+  }
+}
+
+resource "aws_iam_role" "deploy" {
+  count              = var.enable_deploy_role ? 1 : 0
+  assume_role_policy = data.aws_iam_policy_document.assume_role[0].json
+  description        = format("Role used by the GitLab project %s", "GITLAB_PROJECT_PLACEHOLDER")
+  name               = "zvirt-${local.main_domain_sanitized}-deploy"
+  tags               = var.tags
+}
+
+resource "aws_iam_role_policy" "deploy" {
+  count  = var.enable_deploy_role ? 1 : 0
+  name   = "S3Deploy-CFInvalidate"
+  role   = aws_iam_role.deploy[0].id
+  policy = data.aws_iam_policy_document.deploy[0].json
 }
 
 resource "aws_iam_user" "deploy" {
-  count = var.enable_deploy_user == true ? 1 : 0
+  count = var.enable_deploy_user ? 1 : 0
   name  = "zvirt-${local.main_domain_sanitized}-deploy"
 }
 
 resource "aws_iam_access_key" "deploy" {
-  count = var.enable_deploy_user == true ? 1 : 0
+  count = var.enable_deploy_user ? 1 : 0
   user  = aws_iam_user.deploy[0].name
 }
 
 data "aws_iam_policy_document" "deploy" {
-  count = var.enable_deploy_user == true ? 1 : 0
+  count = var.enable_deploy_user || var.enable_deploy_role ? 1 : 0
   statement {
     effect = "Allow"
     actions = [
@@ -38,7 +84,7 @@ data "aws_iam_policy_document" "deploy" {
 }
 
 resource "aws_iam_user_policy" "deploy" {
-  count = var.enable_deploy_user == true ? 1 : 0
+  count = var.enable_deploy_user ? 1 : 0
 
   user = aws_iam_user.deploy[0].name
 
@@ -55,6 +101,7 @@ module "gitlab" {
 
   aws_s3_bucket_name             = module.s3_bucket.s3_bucket_id
   aws_cloudfront_distribution_id = aws_cloudfront_distribution.this.id
+  aws_role_arn                   = aws_iam_role.deploy[0].arn
   aws_access_key_id              = aws_iam_access_key.deploy[0].id
   aws_secret_access_key          = aws_iam_access_key.deploy[0].secret
   aws_default_region             = data.aws_region.current.name
diff --git a/modules/gitlab/README.md b/modules/gitlab/README.md
@@ -70,6 +70,7 @@ No modules.
 | [gitlab_project_variable.cloudfront_distribution_id](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/resources/project_variable) | resource |
 | [gitlab_project_variable.s3_bucket](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/resources/project_variable) | resource |
 | [gitlab_project_variable.site_aws_access_key_id](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/resources/project_variable) | resource |
+| [gitlab_project_variable.site_aws_role_arn](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/resources/project_variable) | resource |
 | [gitlab_project_variable.site_aws_secret_access_key](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/resources/project_variable) | resource |
 | [gitlab_project.this](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs/data-sources/project) | data source |
 
@@ -81,6 +82,7 @@ No modules.
 | <a name="input_aws_cloudfront_distribution_id"></a> [aws\_cloudfront\_distribution\_id](#input\_aws\_cloudfront\_distribution\_id) | n/a | `string` | n/a | yes |
 | <a name="input_aws_default_region"></a> [aws\_default\_region](#input\_aws\_default\_region) | n/a | `string` | n/a | yes |
 | <a name="input_aws_env_vars_suffix"></a> [aws\_env\_vars\_suffix](#input\_aws\_env\_vars\_suffix) | n/a | `string` | `""` | no |
+| <a name="input_aws_role_arn"></a> [aws\_role\_arn](#input\_aws\_role\_arn) | n/a | `string` | n/a | yes |
 | <a name="input_aws_s3_bucket_name"></a> [aws\_s3\_bucket\_name](#input\_aws\_s3\_bucket\_name) | n/a | `string` | n/a | yes |
 | <a name="input_aws_secret_access_key"></a> [aws\_secret\_access\_key](#input\_aws\_secret\_access\_key) | n/a | `string` | n/a | yes |
 | <a name="input_gitlab_environment"></a> [gitlab\_environment](#input\_gitlab\_environment) | n/a | `string` | `"*"` | no |
diff --git a/modules/gitlab/main.tf b/modules/gitlab/main.tf
@@ -48,6 +48,21 @@ resource "gitlab_project_variable" "cloudfront_distribution_id" {
   environment_scope = var.gitlab_environment
 }
 
+resource "gitlab_project_variable" "site_aws_role_arn" {
+  for_each = data.gitlab_project.this
+
+  project = each.value.id
+
+  protected = false
+  masked    = false
+  raw       = true
+
+  key   = "AWS_ROLE_ARN${var.aws_env_vars_suffix}"
+  value = var.aws_role_arn
+
+  environment_scope = var.gitlab_environment
+}
+
 resource "gitlab_project_variable" "site_aws_access_key_id" {
   for_each = data.gitlab_project.this
 
diff --git a/modules/gitlab/variables.tf b/modules/gitlab/variables.tf
@@ -15,6 +15,10 @@ variable "aws_cloudfront_distribution_id" {
   type = string
 }
 
+variable "aws_role_arn" {
+  type = string
+}
+
 variable "aws_access_key_id" {
   type = string
 }
diff --git a/variables.tf b/variables.tf
@@ -108,6 +108,12 @@ variable "functions" {
   default = {}
 }
 
+variable "enable_deploy_role" {
+  type        = bool
+  default     = false
+  description = "Toggle IAM role creation for S3 deploy & CloudFront invalidation; This requires existing aws_iam_openid_connect_provider matching domain of your gitlab provider"
+}
+
 variable "enable_deploy_user" {
   type        = bool
   default     = true
diff --git a/versions.tf b/versions.tf
@@ -7,5 +7,9 @@ terraform {
       version               = "~> 5.27"
       configuration_aliases = [aws.us_east_1]
     }
+    gitlab = {
+      source  = "gitlabhq/gitlab"
+      version = ">= 15.7, < 18.0"
+    }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,10 @@ variable "aws_cloudfront_distribution_id" {`
`15`	`15`	`type = string`
`16`	`16`	`}`
`17`	`17`
	`18`	`+variable "aws_role_arn" {`
	`19`	`+ type = string`
	`20`	`+}`
	`21`	`+`
`18`	`22`	`variable "aws_access_key_id" {`
`19`	`23`	`type = string`
`20`	`24`	`}`
Original file line number	Diff line number	Diff line change
`@@ -7,5 +7,9 @@ terraform {`
`7`	`7`	`version = "~> 5.27"`
`8`	`8`	`configuration_aliases = [aws.us_east_1]`
`9`	`9`	`}`
	`10`	`+ gitlab = {`
	`11`	`+ source = "gitlabhq/gitlab"`
	`12`	`+ version = ">= 15.7, < 18.0"`
	`13`	`+ }`
`10`	`14`	`}`
`11`	`15`	`}`