From 6050ef554a188eaebb0cec4af802294b9350acc0 Mon Sep 17 00:00:00 2001
From: pcartas <82474601+pcartas@users.noreply.github.com>
Date: Thu, 15 Dec 2022 22:38:15 -0300
Subject: [PATCH] Add extra policies for codebuild (#104)
* Add extra policies for codebuild
* Auto Format
Co-authored-by: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>
---
README.md | 2 ++
docs/terraform.md | 2 ++
examples/complete/main.tf | 37 +++++++++++++++++-----------------
examples/complete/variables.tf | 6 ++++++
main.tf | 12 +++++++++--
variables.tf | 6 ++++++
6 files changed, 45 insertions(+), 20 deletions(-)
diff --git a/README.md b/README.md
index 5aee3e8..b2922a9 100644
--- a/README.md
+++ b/README.md
@@ -245,6 +245,7 @@ Available targets:
| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.codebuild_codestar](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.codebuild_extras](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.codebuild_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.codestar](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -274,6 +275,7 @@ Available targets:
| [buildspec](#input\_buildspec) | Declaration to use for building the project. [For more info](http://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html) | `string` | `""` | no |
| [cache\_bucket\_suffix\_enabled](#input\_cache\_bucket\_suffix\_enabled) | The cache bucket generates a random 13 character string to generate a unique bucket name. If set to false it uses terraform-null-label's id value. It only works when cache\_type is 'S3' | `bool` | `true` | no |
| [cache\_type](#input\_cache\_type) | The type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO\_CACHE, LOCAL, and S3. Defaults to S3. If cache\_type is S3, it will create an S3 bucket for storing codebuild cache inside | `string` | `"S3"` | no |
+| [codebuild\_extra\_policy\_arns](#input\_codebuild\_extra\_policy\_arns) | List of ARNs of extra policies to attach to the CodeBuild role | `list(string)` | `[]` | no |
| [codebuild\_vpc\_config](#input\_codebuild\_vpc\_config) | Configuration for the builds to run inside a VPC. | `any` | `{}` | no |
| [codestar\_connection\_arn](#input\_codestar\_connection\_arn) | CodeStar connection ARN required for Bitbucket integration with CodePipeline | `string` | `""` | no |
| [codestar\_output\_artifact\_format](#input\_codestar\_output\_artifact\_format) | Output artifact type for Source stage in pipeline. Valid values are "CODE\_ZIP" (default) and "CODEBUILD\_CLONE\_REF". See https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-CodestarConnectionSource.html | `string` | `"CODE_ZIP"` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 978a360..dbfb821 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -41,6 +41,7 @@
| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.codebuild_codestar](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.codebuild_extras](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.codebuild_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.codestar](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -70,6 +71,7 @@
| [buildspec](#input\_buildspec) | Declaration to use for building the project. [For more info](http://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html) | `string` | `""` | no |
| [cache\_bucket\_suffix\_enabled](#input\_cache\_bucket\_suffix\_enabled) | The cache bucket generates a random 13 character string to generate a unique bucket name. If set to false it uses terraform-null-label's id value. It only works when cache\_type is 'S3' | `bool` | `true` | no |
| [cache\_type](#input\_cache\_type) | The type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO\_CACHE, LOCAL, and S3. Defaults to S3. If cache\_type is S3, it will create an S3 bucket for storing codebuild cache inside | `string` | `"S3"` | no |
+| [codebuild\_extra\_policy\_arns](#input\_codebuild\_extra\_policy\_arns) | List of ARNs of extra policies to attach to the CodeBuild role | `list(string)` | `[]` | no |
| [codebuild\_vpc\_config](#input\_codebuild\_vpc\_config) | Configuration for the builds to run inside a VPC. | `any` | `{}` | no |
| [codestar\_connection\_arn](#input\_codestar\_connection\_arn) | CodeStar connection ARN required for Bitbucket integration with CodePipeline | `string` | `""` | no |
| [codestar\_output\_artifact\_format](#input\_codestar\_output\_artifact\_format) | Output artifact type for Source stage in pipeline. Valid values are "CODE\_ZIP" (default) and "CODEBUILD\_CLONE\_REF". See https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-CodestarConnectionSource.html | `string` | `"CODE_ZIP"` | no |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 1fbbb16..ab37526 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -68,24 +68,25 @@ module "ecs_alb_service_task" {
}
module "ecs_codepipeline" {
- source = "../../"
- region = var.region
- github_oauth_token = var.github_oauth_token
- repo_owner = var.repo_owner
- repo_name = var.repo_name
- branch = var.branch
- build_image = var.build_image
- build_compute_type = var.build_compute_type
- build_timeout = var.build_timeout
- poll_source_changes = var.poll_source_changes
- privileged_mode = var.privileged_mode
- image_repo_name = var.image_repo_name
- image_tag = var.image_tag
- webhook_enabled = var.webhook_enabled
- s3_bucket_force_destroy = var.s3_bucket_force_destroy
- environment_variables = var.environment_variables
- ecs_cluster_name = aws_ecs_cluster.default.name
- service_name = module.ecs_alb_service_task.service_name
+ source = "../../"
+ region = var.region
+ github_oauth_token = var.github_oauth_token
+ repo_owner = var.repo_owner
+ repo_name = var.repo_name
+ branch = var.branch
+ build_image = var.build_image
+ build_compute_type = var.build_compute_type
+ build_timeout = var.build_timeout
+ poll_source_changes = var.poll_source_changes
+ privileged_mode = var.privileged_mode
+ image_repo_name = var.image_repo_name
+ image_tag = var.image_tag
+ webhook_enabled = var.webhook_enabled
+ s3_bucket_force_destroy = var.s3_bucket_force_destroy
+ environment_variables = var.environment_variables
+ ecs_cluster_name = aws_ecs_cluster.default.name
+ service_name = module.ecs_alb_service_task.service_name
+ codebuild_extra_policy_arns = var.codebuild_extra_policy_arns
context = module.this.context
}
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
index 0dbe4f3..6f48af7 100644
--- a/examples/complete/variables.tf
+++ b/examples/complete/variables.tf
@@ -198,3 +198,9 @@ variable "s3_bucket_force_destroy" {
type = bool
description = "A boolean that indicates all objects should be deleted from the CodePipeline artifact store S3 bucket so that the bucket can be destroyed without error"
}
+
+variable "codebuild_extra_policy_arns" {
+ type = list(string)
+ default = []
+ description = "List of ARNs of extra policies to attach to the CodeBuild role"
+}
\ No newline at end of file
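Review bot: `codebuild_extra_policy_arns` is declared without a `validation` block, so a malformed or empty entry is only rejected by the AWS API at apply time, after the rest of the plan has been computed; the same applies to the identical variable added in the root variables.tf hunk. Since each entry widens the CodeBuild role's permissions, the description should say so, e.g. `"List of ARNs of extra IAM policies to attach to the CodeBuild role. Each entry grants the build role additional permissions; prefer narrowly scoped customer-managed policies over broad AWS-managed ones."` Both added variable blocks also end without a trailing newline. A validation block that checks each element looks like an IAM policy ARN catches typos at plan time:

```hcl
variable "codebuild_extra_policy_arns" {
  # … unchanged: type, default, description …

  validation {
    condition     = alltrue([for arn in var.codebuild_extra_policy_arns : can(regex("^arn:[^:]+:iam::", arn))])
    error_message = "Each element of codebuild_extra_policy_arns must be an IAM policy ARN (arn:<partition>:iam::...)."
  }
}
```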
diff --git a/main.tf b/main.tf
index 6761270..c936226 100644
--- a/main.tf
+++ b/main.tf
@@ -251,6 +251,12 @@ resource "aws_iam_role_policy_attachment" "codebuild_codestar" {
policy_arn = join("", aws_iam_policy.codestar.*.arn)
}
+resource "aws_iam_role_policy_attachment" "codebuild_extras" {
+ for_each = module.this.enabled ? toset(var.codebuild_extra_policy_arns) : []
+ role = module.codebuild.role_id
+ policy_arn = each.value
+}
+
resource "aws_codepipeline" "default" {
count = module.this.enabled && var.github_oauth_token != "" ? 1 : 0
name = module.codepipeline_label.id
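Review bot: The `for_each` on `codebuild_extras` feeds caller-supplied ARNs straight into `policy_arn`, so every entry extends what the CodeBuild role may do; a short comment above the resource should make that explicit, e.g. `# Attaches caller-supplied managed policies to the CodeBuild role; each ARN widens the build role's permissions, so callers should supply scoped policies.` The conditional mixes a `set(string)` true branch with a bare `[]` false branch; `for_each = module.this.enabled ? toset(var.codebuild_extra_policy_arns) : toset([])` keeps both branches the same type instead of relying on implicit tuple conversion. Because the set elements become the instance keys, ARNs of policies created in the same apply would presumably be unknown at plan time and fail the `for_each`; if that is an intended use, it is worth stating in the variable description. `aws_codepipeline.default` begins at the end of this hunk and continues outside it.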
@@ -265,7 +271,8 @@ resource "aws_codepipeline" "default" {
aws_iam_role_policy_attachment.default,
aws_iam_role_policy_attachment.s3,
aws_iam_role_policy_attachment.codebuild,
- aws_iam_role_policy_attachment.codebuild_s3
+ aws_iam_role_policy_attachment.codebuild_s3,
+ aws_iam_role_policy_attachment.codebuild_extras
]
stage {
@@ -348,7 +355,8 @@ resource "aws_codepipeline" "bitbucket" {
aws_iam_role_policy_attachment.s3,
aws_iam_role_policy_attachment.codebuild,
aws_iam_role_policy_attachment.codebuild_s3,
- aws_iam_role_policy_attachment.codestar
+ aws_iam_role_policy_attachment.codestar,
+ aws_iam_role_policy_attachment.codebuild_extras
]
stage {
diff --git a/variables.tf b/variables.tf
index fe2e59a..ae6777c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -210,3 +210,9 @@ variable "codebuild_vpc_config" {
default = {}
description = "Configuration for the builds to run inside a VPC."
}
+
+variable "codebuild_extra_policy_arns" {
+ type = list(string)
+ default = []
+ description = "List of ARNs of extra policies to attach to the CodeBuild role"
+}
\ No newline at end of file