chore(ci-staging): refactor iam role (#640)

rust-lang · Dec 4, 2024 · 20bcecc · 20bcecc
1 parent cdbf5b2
commit 20bcecc
Showing 1 changed file with 15 additions and 15 deletions.
diff --git a/terragrunt/modules/ci-runners/iam.tf b/terragrunt/modules/ci-runners/iam.tf
@@ -1,23 +1,23 @@
 // Grant CodeBuild project IAM role access to use the connection, as documented in
 // https://docs.aws.amazon.com/codebuild/latest/userguide/connections-github-app.html#connections-github-role-access
-resource "aws_iam_role" "codebuild_role" {
-  name = "codebuild-github-runner-role"
+data "aws_iam_policy_document" "codebuild_policy_doc" {
+  statement {
+    effect = "Allow"
 
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow"
-        Principal = {
-          Service = "codebuild.amazonaws.com"
-        }
-        Action = "sts:AssumeRole"
-      }
-    ]
-  })
+    principals {
+      type        = "Service"
+      identifiers = ["codebuild.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role" "codebuild_role" {
+  name               = "codebuild-github-runner-role"
+  assume_role_policy = data.aws_iam_policy_document.codebuild_policy_doc.json
 }
 
-# Add inline or managed policy for the permissions
 resource "aws_iam_role_policy" "codebuild_policy" {
   name = "codebuild-github-runner-policy"
   role = aws_iam_role.codebuild_role.id