diff --git a/terragrunt/modules/ci-runners/iam.tf b/terragrunt/modules/ci-runners/iam.tf
index 6d8c04b2f..83f4a2de6 100644
--- a/terragrunt/modules/ci-runners/iam.tf
+++ b/terragrunt/modules/ci-runners/iam.tf
@@ -1,23 +1,23 @@
 // Grant CodeBuild project IAM role access to use the connection, as documented in
 // https://docs.aws.amazon.com/codebuild/latest/userguide/connections-github-app.html#connections-github-role-access
-resource "aws_iam_role" "codebuild_role" {
- name = "codebuild-github-runner-role"
+data "aws_iam_policy_document" "codebuild_policy_doc" {
+ statement {
+ effect = "Allow"
 
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Effect = "Allow"
- Principal = {
- Service = "codebuild.amazonaws.com"
- }
- Action = "sts:AssumeRole"
- }
- ]
- })
+ principals {
+ type = "Service"
+ identifiers = ["codebuild.amazonaws.com"]
+ }
+
+ actions = ["sts:AssumeRole"]
+ }
+}
+
+resource "aws_iam_role" "codebuild_role" {
+ name = "codebuild-github-runner-role"
+ assume_role_policy = data.aws_iam_policy_document.codebuild_policy_doc.json
 }
 
-# Add inline or managed policy for the permissions
 resource "aws_iam_role_policy" "codebuild_policy" {
 name = "codebuild-github-runner-policy"
 role = aws_iam_role.codebuild_role.id
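Review bot: The trust statement in `data.aws_iam_policy_document.codebuild_policy_doc` lets the `codebuild.amazonaws.com` service principal assume the role with no `aws:SourceAccount` / `aws:SourceArn` condition, which is the cross-service confused-deputy exposure AWS documents for service roles; a `condition` block pinning the principal to this account (and, where the project ARN is known, to that project) closes it, and the behaviour is otherwise unchanged from the removed `jsonencode` form, which had the same gap. The data source name `codebuild_policy_doc` reads as the permissions policy rather than the trust policy and sits directly above `aws_iam_role_policy.codebuild_policy`, so a name such as `codebuild_assume_role` would avoid the two being confused. The dropped `# Add inline or managed policy for the permissions` comment was the only text distinguishing the two documents; a one-line comment above the data source, `# Trust policy: who may assume the role (the role's permissions are in codebuild_policy below)`, would restore that. The body of `aws_iam_role_policy.codebuild_policy` continues outside the hunk.
```hcl
data "aws_iam_policy_document" "codebuild_policy_doc" {
  statement {
    // … unchanged: effect, principals, actions …

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = ["<ACCOUNT_ID>"] // placeholder: the account that owns the CodeBuild project
    }
  }
}
```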