updated iam_policy for the codepipeline

Author: Airhis

examples/complete/main.tf

@@ -24,9 +24,9 @@ module "codepipeline" {
   #create_s3_source = var.create_s3_source
   #source_s3_bucket = var.a
   artifact_bucket_name = var.artifact_bucket_name
-  stages           = var.stages
-  pipeline_type    = var.pipeline_type
-  execution_mode   = var.execution_mode
+  stages               = var.stages
+  pipeline_type        = var.pipeline_type
+  execution_mode       = var.execution_mode
 
   tags = var.tags
 }

examples/complete/variables.tf

@@ -31,7 +31,6 @@ variable "stages" {
   description = "One or more stage blocks."
   type        = any
 }
-
 variable "pipeline_type" {
   description = "The CodePipeline pipeline_type. Valid options are V1, V2"
   type        = string
@@ -51,7 +50,7 @@ variable "execution_mode" {
 
 variable "artifact_bucket_name" {
   description = "the name of the S3 bucket used for storing the artifacts in the Codepipeline"
-  type = string
+  type        = string
 }
 
 variable "tags" {

locals.tf

@@ -14,7 +14,7 @@ locals {
   default_tags = {
     provisioner = "Terraform"
   }
-  #account_id = data.aws_caller_identity.current.account_id
+  account_id = data.aws_caller_identity.current.account_id
   #bucket_prefix = length(var.log_target_prefix) == 0 ? "AWSLogs/${local.account_id}/s3audit" : var.log_target_prefix
 
   tags = merge(local.default_tags, var.tags)

main.tf

@@ -10,7 +10,11 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-#data "aws_caller_identity" "current" {}
+data "aws_caller_identity" "current" {}
+
+data "aws_s3_bucket" "artifact_bucket" {
+  bucket = var.artifact_bucket_name
+}
 
 resource "aws_codepipeline" "this" {
   name           = var.name
@@ -26,7 +30,7 @@ resource "aws_codepipeline" "this" {
     }]
 
     content {
-      location = var.artifact_bucket_name
+      location = data.aws_s3_bucket.artifact_bucket.bucket
       type     = "S3"
 
       dynamic "encryption_key" {
@@ -90,8 +94,50 @@ resource "aws_iam_role" "codepipeline_role" {
   assume_role_policy = data.aws_iam_policy_document.assume_role.json
 }
 
+data "aws_iam_policy_document" "codepipeline_policy" {
+
+  # Eventbridge trigger
+  statement {
+    effect = "Allow"
+    actions = [
+      "cloudwatch:*",
+      "sns:*",
+      "sqs:*"
+    ]
+    resources = ["*"]
+  }
+
+  # Start any stage CodeBuild projects
+  statement {
+    effect = "Allow"
+    actions = [
+      "codebuild:BatchGetBuilds",
+      "codebuild:StartBuild",
+      "codebuild:BatchGetBuildBatches",
+      "codebuild:StartBuildBatch"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:*"
+    ]
+    resources = [
+      data.aws_s3_bucket.artifact_bucket.arn,
+      "${data.aws_s3_bucket.artifact_bucket.arn}/*",
+    ]
+  }
+}
 resource "aws_iam_role_policy" "codepipeline_policy" {
   name   = "codepipeline_policy"
   role   = aws_iam_role.codepipeline_role.id
-  policy = data.aws_iam_policy_document.assume_role.json
+  policy = data.aws_iam_policy_document.codepipeline_policy.json
+}
+
+resource "random_string" "random" {
+  length  = 10
+  special = false
+  upper   = false
 }

variables.tf

@@ -29,7 +29,6 @@ variable "stages" {
   description = "One or more stage blocks."
   type        = any
 }
-
 # variable "codepipeline_iam" {
 #   description = "Additional IAM actions to add to CodePipeline IAM role."
 #   type        = map(list(string))