From 65516576d38536a6cf9ba85b84a015aaa83e6e1d Mon Sep 17 00:00:00 2001
From: Alan
Date: Thu, 19 Oct 2023 09:29:49 +0100
Subject: [PATCH] Adding S3 resource bucket for codebuild
---
 .../apex/modules/codebuild/main.tf | 33 +++++++++++++++++++
 .../apex/modules/s3_bucket_policy.json.tpl | 20 +++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 terraform/environments/apex/modules/s3_bucket_policy.json.tpl
diff --git a/terraform/environments/apex/modules/codebuild/main.tf b/terraform/environments/apex/modules/codebuild/main.tf
index 88583adc855..3ef1a8ca3f0 100644
--- a/terraform/environments/apex/modules/codebuild/main.tf
+++ b/terraform/environments/apex/modules/codebuild/main.tf
@@ -95,6 +95,39 @@ data "aws_iam_policy_document" "local-ecr-policy-data" {
 }
 }
+######################################################
+# S3 Resource Bucket for Codebuild
+######################################################
+
+resource "aws_s3_bucket" "codebuild_resources" {
+ bucket = "laa-${var.app_name}-management-resourcebucket"
+ # force_destroy = true
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "resources_sse" {
+ bucket = aws_s3_bucket.codebuild_resources.id
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
+}
+
+data "template_file" "s3_resource_bucket_policy" {
+ template = "${file("${path.module}/s3_bucket_policy.json.tpl")}"
+
+ vars = {
+ account_id = var.account_id,
+ s3_resource_name = aws_s3_bucket.codebuild_resources.id,
+ codebuild_role_name = aws_iam_role.codebuild_s3.id
+ }
+}
+
+resource "aws_s3_bucket_policy" "allow_access_from_codebuild" {
+ bucket = aws_s3_bucket.codebuild_resources.id
+ policy = data.template_file.s3_resource_bucket_policy.rendered
+}
+
 ######################################################
 # CodeBuild projects
 ######################################################
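Review bot: The new `codebuild_resources` bucket has no `aws_s3_bucket_public_access_block`, so nothing in this module prevents a later ACL or policy change from exposing build resources; adding one next to `resources_sse` is the usual baseline for a private bucket. Separately, `data "template_file"` comes from the archived template provider and the `"${file(...)}"` wrapper is legacy interpolation-only syntax; the built-in `templatefile()` function renders the same `.tpl` with the same variables, or the policy could be built from an `aws_iam_policy_document` data source to match `local-ecr-policy-data` earlier in this file. The hunk opens on the closing braces of that `local-ecr-policy-data` block, whose body lies outside the hunk. Below is the added public-access block and the bucket policy rewritten with `templatefile()`, which makes the `data "template_file"` block redundant.
```hcl
resource "aws_s3_bucket_public_access_block" "resources_public_access" {
  bucket                  = aws_s3_bucket.codebuild_resources.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# … unchanged: aws_s3_bucket_server_side_encryption_configuration.resources_sse …

resource "aws_s3_bucket_policy" "allow_access_from_codebuild" {
  bucket = aws_s3_bucket.codebuild_resources.id
  policy = templatefile("${path.module}/s3_bucket_policy.json.tpl", {
    account_id          = var.account_id
    s3_resource_name    = aws_s3_bucket.codebuild_resources.id
    codebuild_role_name = aws_iam_role.codebuild_s3.name
  })
}
```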
diff --git a/terraform/environments/apex/modules/s3_bucket_policy.json.tpl b/terraform/environments/apex/modules/s3_bucket_policy.json.tpl
new file mode 100644
index 00000000000..5adbbce3cfd
--- /dev/null
+++ b/terraform/environments/apex/modules/s3_bucket_policy.json.tpl
@@ -0,0 +1,20 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Principal": {
+ "AWS": [
+ "arn:aws:iam::${account_id}:role/${codebuild_role_name}"
+ ]
+ },
+ "Effect": "Allow",
+ "Action": [
+ "s3:*"
+ ],
+ "Resource": [
+ "arn:aws:s3:::${s3_resource_name}",
+ "arn:aws:s3:::${s3_resource_name}/*"
+ ]
+ }
+ ]
+}
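Review bot: `"Action": ["s3:*"]` grants the CodeBuild role every S3 permission on the bucket, including `s3:PutBucketPolicy`, `s3:PutBucketAcl`, `s3:DeleteBucket` and `s3:PutEncryptionConfiguration`, so a build running under that role could rewrite this very policy or undo the encryption configured in main.tf. Scope the statement to what builds actually use, which presumably is object read/write plus listing: `"Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]`, dropping `s3:PutObject` if builds only read resources. A second statement with `"Effect": "Deny"` conditioned on `"aws:SecureTransport": "false"` is a common addition to require TLS, but it is optional. Note the file is only valid JSON after `${...}` substitution, so it should not be pointed at a strict JSON linter unrendered.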