diff --git a/README.md b/README.md
index 5aee3e8..b2922a9 100644
--- a/README.md
+++ b/README.md
@@ -245,6 +245,7 @@ Available targets:
 | [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.codebuild_codestar](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.codebuild_extras](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.codebuild_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.codestar](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -274,6 +275,7 @@ Available targets:
 | [buildspec](#input\_buildspec) | Declaration to use for building the project. [For more info](http://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html) | `string` | `""` | no |
 | [cache\_bucket\_suffix\_enabled](#input\_cache\_bucket\_suffix\_enabled) | The cache bucket generates a random 13 character string to generate a unique bucket name. If set to false it uses terraform-null-label's id value. It only works when cache\_type is 'S3' | `bool` | `true` | no |
 | [cache\_type](#input\_cache\_type) | The type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO\_CACHE, LOCAL, and S3. Defaults to S3. If cache\_type is S3, it will create an S3 bucket for storing codebuild cache inside | `string` | `"S3"` | no |
+| [codebuild\_extra\_policy\_arns](#input\_codebuild\_extra\_policy\_arns) | List of ARNs of extra policies to attach to the CodeBuild role | `list(string)` | `[]` | no |
 | [codebuild\_vpc\_config](#input\_codebuild\_vpc\_config) | Configuration for the builds to run inside a VPC. | `any` | `{}` | no |
 | [codestar\_connection\_arn](#input\_codestar\_connection\_arn) | CodeStar connection ARN required for Bitbucket integration with CodePipeline | `string` | `""` | no |
 | [codestar\_output\_artifact\_format](#input\_codestar\_output\_artifact\_format) | Output artifact type for Source stage in pipeline. Valid values are "CODE\_ZIP" (default) and "CODEBUILD\_CLONE\_REF". See https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-CodestarConnectionSource.html | `string` | `"CODE_ZIP"` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 978a360..dbfb821 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -41,6 +41,7 @@
 | [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.codebuild_codestar](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.codebuild_extras](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.codebuild_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.codestar](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -70,6 +71,7 @@
 | [buildspec](#input\_buildspec) | Declaration to use for building the project. [For more info](http://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html) | `string` | `""` | no |
 | [cache\_bucket\_suffix\_enabled](#input\_cache\_bucket\_suffix\_enabled) | The cache bucket generates a random 13 character string to generate a unique bucket name. If set to false it uses terraform-null-label's id value. It only works when cache\_type is 'S3' | `bool` | `true` | no |
 | [cache\_type](#input\_cache\_type) | The type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO\_CACHE, LOCAL, and S3. Defaults to S3. If cache\_type is S3, it will create an S3 bucket for storing codebuild cache inside | `string` | `"S3"` | no |
+| [codebuild\_extra\_policy\_arns](#input\_codebuild\_extra\_policy\_arns) | List of ARNs of extra policies to attach to the CodeBuild role | `list(string)` | `[]` | no |
 | [codebuild\_vpc\_config](#input\_codebuild\_vpc\_config) | Configuration for the builds to run inside a VPC. | `any` | `{}` | no |
 | [codestar\_connection\_arn](#input\_codestar\_connection\_arn) | CodeStar connection ARN required for Bitbucket integration with CodePipeline | `string` | `""` | no |
 | [codestar\_output\_artifact\_format](#input\_codestar\_output\_artifact\_format) | Output artifact type for Source stage in pipeline. Valid values are "CODE\_ZIP" (default) and "CODEBUILD\_CLONE\_REF". See https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-CodestarConnectionSource.html | `string` | `"CODE_ZIP"` | no |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 1fbbb16..ab37526 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -68,24 +68,25 @@ module "ecs_alb_service_task" { } module "ecs_codepipeline" { - source = "../../" - region = var.region - github_oauth_token = var.github_oauth_token - repo_owner = var.repo_owner - repo_name = var.repo_name - branch = var.branch - build_image = var.build_image - build_compute_type = var.build_compute_type - build_timeout = var.build_timeout - poll_source_changes = var.poll_source_changes - privileged_mode = var.privileged_mode - image_repo_name = var.image_repo_name - image_tag = var.image_tag - webhook_enabled = var.webhook_enabled - s3_bucket_force_destroy = var.s3_bucket_force_destroy - environment_variables = var.environment_variables - ecs_cluster_name = aws_ecs_cluster.default.name - service_name = module.ecs_alb_service_task.service_name + source = "../../" + region = var.region + github_oauth_token = var.github_oauth_token + repo_owner = var.repo_owner + repo_name = var.repo_name + branch = var.branch + build_image = var.build_image + build_compute_type = var.build_compute_type + build_timeout = var.build_timeout + poll_source_changes = var.poll_source_changes + privileged_mode = var.privileged_mode + image_repo_name = var.image_repo_name + image_tag = var.image_tag + webhook_enabled = var.webhook_enabled + s3_bucket_force_destroy = var.s3_bucket_force_destroy + environment_variables = var.environment_variables + ecs_cluster_name = aws_ecs_cluster.default.name + service_name = module.ecs_alb_service_task.service_name + codebuild_extra_policy_arns = var.codebuild_extra_policy_arns context = module.this.context } diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 0dbe4f3..6f48af7 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf 
@@ -198,3 +198,9 @@ variable "s3_bucket_force_destroy" { type = bool description = "A boolean that indicates all objects should be deleted from the CodePipeline artifact store S3 bucket so that the bucket can be destroyed without error" } + +variable "codebuild_extra_policy_arns" { + type = list(string) + default = [] + description = "List of ARNs of extra policies to attach to the CodeBuild role" +} \ No newline at end of file diff --git a/main.tf b/main.tf index 6761270..c936226 100644 --- a/main.tf +++ b/main.tf @@ -251,6 +251,12 @@ resource "aws_iam_role_policy_attachment" "codebuild_codestar" { policy_arn = join("", aws_iam_policy.codestar.*.arn) } +resource "aws_iam_role_policy_attachment" "codebuild_extras" { + for_each = module.this.enabled ? toset(var.codebuild_extra_policy_arns) : [] + role = module.codebuild.role_id + policy_arn = each.value +} + resource "aws_codepipeline" "default" { count = module.this.enabled && var.github_oauth_token != "" ? 1 : 0 name = module.codepipeline_label.id @@ -265,7 +271,8 @@ resource "aws_codepipeline" "default" { aws_iam_role_policy_attachment.default, aws_iam_role_policy_attachment.s3, aws_iam_role_policy_attachment.codebuild, - aws_iam_role_policy_attachment.codebuild_s3 + aws_iam_role_policy_attachment.codebuild_s3, + aws_iam_role_policy_attachment.codebuild_extras ] stage { @@ -348,7 +355,8 @@ resource "aws_codepipeline" "bitbucket" { aws_iam_role_policy_attachment.s3, aws_iam_role_policy_attachment.codebuild, aws_iam_role_policy_attachment.codebuild_s3, - aws_iam_role_policy_attachment.codestar + aws_iam_role_policy_attachment.codestar, + aws_iam_role_policy_attachment.codebuild_extras ] stage { diff --git a/variables.tf b/variables.tf index fe2e59a..ae6777c 100644 --- a/variables.tf +++ b/variables.tf 
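Review bot: In the new `aws_iam_role_policy_attachment.codebuild_extras` resource the `for_each` conditional mixes a `set(string)` true-branch with a bare `[]` false-branch, which some Terraform releases reject as inconsistent conditional result types; `for_each = module.this.enabled ? toset(var.codebuild_extra_policy_arns) : toset([])` keeps both branches the same type regardless of version. Because the instance keys are the ARNs themselves, any ARN that is only known at apply time (for example an `aws_iam_policy` created in the same configuration) makes the plan fail with Terraform's "for_each value depends on resource attributes that cannot be determined until apply" error, so a comment above the resource such as `# Policy ARNs must be known at plan time: pass pre-existing policies, or create them in a separate apply` would save callers a confusing failure. The attachments are created whenever `module.this.enabled` is true, even when `aws_codepipeline.default` is skipped by its own `count` condition, which matches how the existing attachments behave but is worth a sentence in the variable description. The `aws_codepipeline` blocks touched by the later hunks begin inside them and end outside the diff.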
@@ -210,3 +210,9 @@ variable "codebuild_vpc_config" { default = {} description = "Configuration for the builds to run inside a VPC." } + +variable "codebuild_extra_policy_arns" { + type = list(string) + default = [] + description = "List of ARNs of extra policies to attach to the CodeBuild role" +} \ No newline at end of file
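Review bot: The description of `codebuild_extra_policy_arns` should state what trust it extends: every policy listed here is attached to the CodeBuild service role, so anything the build executes — the buildspec checked into the source repository, the build image, and whatever it downloads — runs with the union of the module's built-in permissions and these policies, and a broad AWS-managed policy such as AdministratorAccess turns write access to the repository into account-wide access. The variable also accepts any string, so a malformed ARN is only caught at apply time by IAM; if the module's `required_version` permits Terraform 0.13 or later (not visible here), a `validation` block can reject anything that is not an IAM policy ARN at plan time. Both changes fit inside the variable declaration, which should also gain a trailing newline (the hunk ends with `\ No newline at end of file`).

```hcl
variable "codebuild_extra_policy_arns" {
  type        = list(string)
  default     = []
  description = "List of ARNs of extra IAM policies to attach to the CodeBuild role. Everything the build runs (the buildspec from the source repository, the build image and its downloads) gets the union of the module's own CodeBuild permissions and these policies, so attach narrowly scoped customer-managed policies rather than broad AWS-managed ones. ARNs must be known at plan time."

  # Reject anything that is not an IAM policy ARN before it reaches the API.
  validation {
    condition     = length([for arn in var.codebuild_extra_policy_arns : arn if can(regex("^arn:aws[a-z-]*:iam::(aws|[0-9]{12}):policy/", arn))]) == length(var.codebuild_extra_policy_arns)
    error_message = "Each element of codebuild_extra_policy_arns must be an IAM policy ARN (arn:<partition>:iam::<account-id or aws>:policy/<name>)."
  }
}
```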