##############################################################################
# CloudFormation deployment role required for SAM deployments.
##############################################################################
resource "aws_iam_role" "deploy" {
  provider = aws.primary
  name     = var.functional_role
  path     = "/"

  # Trust policy: only the gateway role (var.gateway_role_arn) may assume this
  # role. sts:TagSession is included alongside sts:AssumeRole so the caller can
  # pass session tags when it assumes the role.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          AWS = var.gateway_role_arn
        }
        Action = [
          "sts:AssumeRole",
          "sts:TagSession",
        ]
      },
    ]
  })

  # Records which upstream role is trusted, for auditing.
  tags = {
    OIDCRole = var.gateway_role_arn
  }
}
# TODO: `CompanionStack` permissions are added below, but we still need to determine why this permission is required for cross-account deployment.
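resource "aws_iam_role_policy" "deploy" {
  provider = aws.primary
  name     = "LambdaDeploy"
  role     = aws_iam_role.deploy.name

  # Inline permissions for the SAM deployment role.
  #
  # Every ARN is built from var.partition / var.region / var.account_id so the
  # policy remains valid outside the commercial "aws" partition (the original
  # hard-coded "arn:aws:" for the S3 bucket and one transform statement, which
  # silently matches nothing in aws-us-gov / aws-cn). Only statements whose
  # actions do not support resource-level permissions use Resource "*".
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      # Pass the per-function execution roles (sam-lambda_*) so CloudFormation
      # can attach them to the functions it creates. Possible hardening, not
      # applied here: add a Condition with "iam:PassedToService" =
      # "lambda.amazonaws.com" once it is confirmed that no other service
      # receives these roles.
      {
        "Sid" : "PassToLambdaRole",
        "Action" : "iam:PassRole",
        "Effect" : "Allow",
        "Resource" : "arn:${var.partition}:iam::${var.account_id}:role/sam-lambda_*"
      },
      # Stack lifecycle, limited to the stacks named after the managed functions.
      {
        "Sid" : "SamCloudFormation",
        "Action" : [
          "cloudformation:CreateChangeSet",
          "cloudformation:DeleteStack",
          "cloudformation:DescribeChangeSet",
          "cloudformation:DescribeStackEvents",
          "cloudformation:DescribeStacks",
          "cloudformation:ExecuteChangeSet",
          "cloudformation:GetTemplate",
          "cloudformation:GetTemplateSummary"
        ],
        "Effect" : "Allow",
        "Resource" : [
          for name in var.function_names : "arn:${var.partition}:cloudformation:${var.region}:${var.account_id}:stack/${var.github_org_name}-${name}/*"
        ]
      },
      # The AWS::Serverless-2016-10-31 transform is an extension of CloudFormation
      # that lets a template use a shorthand syntax for serverless resources. When
      # a SAM template is deployed, the transform expands that shorthand into full
      # CloudFormation syntax before the resources are created, so the change set
      # needs CreateChangeSet on the transform's own ARN.
      #
      # The original policy carried two overlapping statements for this (one
      # parameterised by region, one hard-coded to arn:aws:...:us-east-1 and the
      # only one with a Sid). They are merged here; distinct() avoids a duplicate
      # entry when var.region is "us-east-1".
      # NOTE(review): confirm whether the us-east-1 ARN is still required once
      # cross-region deployments have been exercised; drop it if not.
      {
        "Sid" : "AccessToMacro",
        "Action" : "cloudformation:CreateChangeSet",
        "Effect" : "Allow",
        "Resource" : distinct([
          "arn:${var.partition}:cloudformation:${var.region}:aws:transform/Serverless-2016-10-31",
          "arn:${var.partition}:cloudformation:us-east-1:aws:transform/Serverless-2016-10-31"
        ])
      },
      # Read-only access to the companion stacks SAM creates next to each function
      # stack. "????????" is the 8-character suffix SAM appends; "?" matches one
      # character in IAM ARN patterns.
      {
        "Sid" : "SamCloudFormationCompanionStack",
        "Action" : [
          "cloudformation:DescribeChangeSet",
          "cloudformation:DescribeStackEvents",
          "cloudformation:DescribeStacks"
        ],
        "Effect" : "Allow",
        "Resource" : [
          for name in var.function_names : "arn:${var.partition}:cloudformation:${var.region}:${var.account_id}:stack/${var.github_org_name}-${name}-????????-CompanionStack/*"
        ]
      },
      # Image push/pull for container-based functions. ecr:GetAuthorizationToken
      # only works with Resource "*"; the remaining ECR actions do support
      # repository ARNs. The repository names are not known in this file, so the
      # statement is left as-is — consider splitting it and scoping the
      # push/pull actions to the deployment repositories.
      {
        "Sid" : "SamEcr",
        "Action" : [
          "ecr:BatchCheckLayerAvailability",
          "ecr:BatchDeleteImage",
          "ecr:BatchGetImage",
          "ecr:CompleteLayerUpload",
          "ecr:GetAuthorizationToken",
          "ecr:GetDownloadUrlForLayer",
          "ecr:InitiateLayerUpload",
          "ecr:PutImage",
          "ecr:UploadLayerPart",
          "ecr:GetRepositoryPolicy"
        ],
        "Effect" : "Allow",
        "Resource" : "*"
      },
      # Packaged artifacts live in the artifact bucket: ListBucket needs the
      # bucket ARN, the object actions need the "/*" form.
      {
        "Sid" : "SamS3",
        "Action" : [
          "s3:DeleteObject",
          "s3:GetObject",
          "s3:GetObjectVersion",
          "s3:ListBucket",
          "s3:PutObject"
        ],
        "Effect" : "Allow",
        "Resource" : [
          "arn:${var.partition}:s3:::${var.artifact_bucket_name}",
          "arn:${var.partition}:s3:::${var.artifact_bucket_name}/*"
        ]
      },
      # lambda:* is broad, but it is resource-scoped to the named functions only;
      # narrow it to the specific actions SAM needs if this list ever includes
      # functions shared with other deployments.
      {
        "Sid" : "CloudformationLambdaPermissions",
        "Action" : [
          "lambda:*"
        ],
        "Effect" : "Allow",
        "Resource" : [
          for name in var.function_names : "arn:${var.partition}:lambda:${var.region}:${var.account_id}:function:${name}"
        ]
      },
      # Needed when a function is attached to a VPC. ec2:Describe* actions do not
      # support resource-level permissions, so "*" is required here.
      {
        "Sid" : "CloudformationEC2Permissions",
        "Effect" : "Allow",
        "Action" : [
          "ec2:DescribeSecurityGroups",
          "ec2:DescribeSecurityGroupRules",
          "ec2:DescribeTags",
          "ec2:DescribeSubnets",
          "ec2:DescribeVpcs"
        ],
        "Resource" : "*"
      }
    ]
  })
}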