From cdbf5b2a3e2595ce56c1e6ebedaecfe602ea3153 Mon Sep 17 00:00:00 2001
From: Marco Ieni <11428655+MarcoIeni@users.noreply.github.com>
Date: Wed, 4 Dec 2024 12:36:48 +0100
Subject: [PATCH] chore(ci-stagin): add iam role (#638)
---
 .../ci-staging/ci-runners/.terraform.lock.hcl | 25 ++++++++++++
 .../ci-staging/ci-runners/terragrunt.hcl | 12 ++++++
 terragrunt/modules/ci-runners/iam.tf | 40 +++++++++++++++++++
 terragrunt/modules/ci-runners/main.tf | 8 ++++
 terragrunt/modules/ci-runners/variables.tf | 6 +++
 5 files changed, 91 insertions(+)
 create mode 100644 terragrunt/accounts/ci-staging/ci-runners/.terraform.lock.hcl
 create mode 100644 terragrunt/accounts/ci-staging/ci-runners/terragrunt.hcl
 create mode 100644 terragrunt/modules/ci-runners/iam.tf
 create mode 100644 terragrunt/modules/ci-runners/main.tf
 create mode 100644 terragrunt/modules/ci-runners/variables.tf
diff --git a/terragrunt/accounts/ci-staging/ci-runners/.terraform.lock.hcl b/terragrunt/accounts/ci-staging/ci-runners/.terraform.lock.hcl
new file mode 100644
index 000000000..9a63cd0e3
--- /dev/null
+++ b/terragrunt/accounts/ci-staging/ci-runners/.terraform.lock.hcl
@@ -0,0 +1,25 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+ version = "5.79.0"
+ constraints = "~> 5.78"
+ hashes = [
+ "h1:tWd63H8jMJHdsuwg3hkviz/b8OyL/gBogmXRA5kYb9A=",
+ "zh:008b605b7b6dcde4eb86759f54a36db731f94649f780738c6918ef3826eb064f",
+ "zh:08c1dd9a2b4b0d45356fc2124ac292aa549aab9053e33e240dd322700082c132",
+ "zh:0fa102804fc3903a598b631a791c40fd285162738c2939e92980078bb5c58bf8",
+ "zh:217f19d86f51e89ef479aa6b08ad3205c9ffe1d60422bbe10b373232658c56c2",
+ "zh:5ebf88b696c15dcd5e9a8ec3e7c58ecc6c1939bc75b72710bb8454c8a59dabce",
+ "zh:77da434b802735cdac2c5f4cd28b18a8221de4ec443019d4e17beab0aa064b09",
+ "zh:7a3cdb0f3dbc0cc6e50e3e719c48513d73a23acc154c2a6fa3a501cc86f02831",
+ "zh:878dc6b3c5d3068f439f1617051f3d2da9b899741fcc66d98a46a8bacf4fb320",
+ "zh:940ead03bdf6401ed921b71a6e14edbb613fd1f0eefc41bf555bc3d499cc604e",
+ "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+ "zh:a3b496cf3a537a1b74e1433c7a4c5b19d51ed7c094c640dd240e474886b8c1de",
+ "zh:baac56fafa9d4aa6102554c9c6ca340512c18a31bf0c9899f7e0e823bb18a32a",
+ "zh:e1560da6a1cb052f719199f20f0238d4fab606f54f3ddad1b09ad390ab5c4a46",
+ "zh:e3fb0ad64e1812f4560396c2660e729c760ecb593f3fd1b0d76101d6923e8230",
+ "zh:fdc5159df807242e884b108746ac4ddf9725b7ce9f425785d4af465845de280e",
+ ]
+}
diff --git a/terragrunt/accounts/ci-staging/ci-runners/terragrunt.hcl b/terragrunt/accounts/ci-staging/ci-runners/terragrunt.hcl
new file mode 100644
index 000000000..5b67a69ba
--- /dev/null
+++ b/terragrunt/accounts/ci-staging/ci-runners/terragrunt.hcl
@@ -0,0 +1,12 @@
+terraform {
+ source = "../../../..//terragrunt/modules/ci-runners"
+}
+
+include {
+ path = find_in_parent_folders()
+ merge_strategy = "deep"
+}
+
+inputs = {
+ code_connection_arn = "arn:aws:codeconnections:us-east-2:442426873467:connection/98864d5c-b905-4f8e-bd76-2f69cf181818"
+}
diff --git a/terragrunt/modules/ci-runners/iam.tf b/terragrunt/modules/ci-runners/iam.tf
new file mode 100644
index 000000000..6d8c04b2f
--- /dev/null
+++ b/terragrunt/modules/ci-runners/iam.tf
@@ -0,0 +1,40 @@
+// Grant CodeBuild project IAM role access to use the connection, as documented in
+// https://docs.aws.amazon.com/codebuild/latest/userguide/connections-github-app.html#connections-github-role-access
+resource "aws_iam_role" "codebuild_role" {
+ name = "codebuild-github-runner-role"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Principal = {
+ Service = "codebuild.amazonaws.com"
+ }
+ Action = "sts:AssumeRole"
+ }
+ ]
+ })
+}
+
+# Add inline or managed policy for the permissions
+resource "aws_iam_role_policy" "codebuild_policy" {
+ name = "codebuild-github-runner-policy"
+ role = aws_iam_role.codebuild_role.id
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = [
+ "codeconnections:GetConnectionToken",
+ "codeconnections:GetConnection"
+ ]
+ Resource = [
+ var.code_connection_arn
+ ]
+ }
+ ]
+ })
+}
diff --git a/terragrunt/modules/ci-runners/main.tf b/terragrunt/modules/ci-runners/main.tf
new file mode 100644
index 000000000..211d3602a
--- /dev/null
+++ b/terragrunt/modules/ci-runners/main.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.64"
+ }
+ }
+}
diff --git a/terragrunt/modules/ci-runners/variables.tf b/terragrunt/modules/ci-runners/variables.tf
new file mode 100644
index 000000000..bdb94c08d
--- /dev/null
+++ b/terragrunt/modules/ci-runners/variables.tf
@@ -0,0 +1,6 @@
+// Since you can't create the connection from the terraform provider (as of Dec 2024),
+// you need to create the connection manually at
+// https://us-east-2.console.aws.amazon.com/codesuite/settings/connections
+variable "code_connection_arn" {
+ description = "Arn of the GitHub CodeConnection"
+}
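Review bot: The trust policy on `aws_iam_role.codebuild_role` lets the `codebuild.amazonaws.com` service principal assume the role on behalf of CodeBuild resources in any AWS account, because the `sts:AssumeRole` statement carries no `aws:SourceAccount` / `aws:SourceArn` condition; AWS's cross-service confused-deputy guidance for CodeBuild recommends exactly those keys, so the statement should at least be scoped to this account, and to the project ARN once the CodeBuild project exists. That needs a `data "aws_caller_identity" "current" {}` declared alongside the role; the reworked statement is below. Separately, the file mixes comment markers — `//` on the first two lines and `#` on the `# Add inline or managed policy for the permissions` line — pick one for the module.
```hcl
        Action = "sts:AssumeRole"
        // Only CodeBuild resources owned by this account may assume the role
        // (cross-service confused-deputy prevention); add aws:SourceArn once the
        // project ARN is known.
        Condition = {
          StringEquals = {
            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
          }
        }
        // … unchanged: rest of the statement, closing of the role resource …
```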
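Review bot: `version = "~> 5.64"` in `required_providers` is looser than the `constraints = "~> 5.78"` recorded for the same provider in the `.terraform.lock.hcl` added by this patch, and the lock does not list `~> 5.64` at all even though it records the union of every declared constraint. That suggests the lock was generated before this block existed or was copied from a sibling stack; either way the module's own floor is not the version range that was actually initialised and tested. Aligning it with `version = "~> 5.78"` keeps the two in step until the lock is regenerated.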
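Review bot: `variable "code_connection_arn"` declares no `type`, so a number, list or `null` is accepted at the module boundary and only surfaces as a failure inside `jsonencode` or at the IAM API; adding `type = string` and `nullable = false` rejects a bad input at plan time with a message that names the variable. Since the comment on the first three lines says the value is pasted by hand from the console, a `validation` block that checks the value starts with `arn:aws:codeconnections:` would also catch paste errors before a policy with a bogus `Resource` is written. Cosmetic nit: `Arn` in the description should read `ARN`.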