-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.tf
218 lines (186 loc) · 7.1 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
locals {
## The name of the iam role to create for the readonly
readonly_role_name = format("%s-ro", var.name)
## The name of the iam role to create for the readwrite
readwrite_role_name = var.name
## The name of the iam role to create for the state reader
state_reader_role_name = format("%s-sr", var.name)
}
## Craft a trust policy for the readonly role
data "aws_iam_policy_document" "ro" {
statement {
actions = [
"sts:AssumeRoleWithWebIdentity",
]
principals {
type = "Federated"
identifiers = [
data.aws_iam_openid_connect_provider.this.arn
]
}
condition {
test = "StringEquals"
variable = format("%s:aud", trimprefix(local.selected_provider.url, "https://"))
values = concat(local.selected_provider.audiences, var.additional_audiences)
}
condition {
test = "StringLike"
variable = format("%s:sub", trimprefix(local.selected_provider.url, "https://"))
values = [
format(replace(local.selected_provider.subject_reader_mapping, format("/%s/", local.template_keys_regex), "%s"), [
for v in flatten(regexall(local.template_keys_regex, local.selected_provider.subject_reader_mapping)) : {
repo = var.repository
}[v]
]...)
]
}
}
}
## Provision the read only role
resource "aws_iam_role" "ro" {
assume_role_policy = data.aws_iam_policy_document.ro.json
description = var.description
force_detach_policies = var.force_detach_policies
max_session_duration = var.read_only_max_session_duration
name = local.readonly_role_name
path = var.role_path
permissions_boundary = local.permission_boundary_arn
tags = merge(var.tags, { Name = local.readonly_role_name })
}
## Create an inline policy for the read only role
resource "aws_iam_role_policy" "tfstate_plan_ro" {
name = "tfstate_plan"
role = aws_iam_role.ro.id
policy = data.aws_iam_policy_document.tfstate_plan.json
}
## Provision the inline policies for the read only role
resource "aws_iam_role_policy" "inline_policies_ro" {
for_each = merge(var.read_only_inline_policies, var.default_inline_policies)
name = each.key
role = aws_iam_role.ro.id
policy = each.value
}
## Attach the read only policies to the read only role
resource "aws_iam_role_policy_attachment" "ro" {
for_each = toset(concat(var.default_managed_policies, var.read_only_policy_arns))
policy_arn = each.key
role = aws_iam_role.ro.name
}
## Craft the trust policy for the read write role
data "aws_iam_policy_document" "rw" {
statement {
actions = [
"sts:AssumeRoleWithWebIdentity",
]
principals {
type = "Federated"
identifiers = [
data.aws_iam_openid_connect_provider.this.arn
]
}
condition {
test = "StringEquals"
variable = format("%s:aud", trimprefix(local.selected_provider.url, "https://"))
values = concat(local.selected_provider.audiences, var.additional_audiences)
}
condition {
test = "StringLike"
variable = format("%s:sub", trimprefix(local.selected_provider.url, "https://"))
values = compact([
var.protected_by.branch != null ? format(replace(local.selected_provider.subject_branch_mapping, format("/%s/", local.template_keys_regex), "%s"), [
for v in flatten(regexall(local.template_keys_regex, local.selected_provider.subject_branch_mapping)) : {
repo = var.repository
type = "branch"
ref = var.protected_by.branch
}[v]
]...) : "",
var.protected_by.environment != null ? format(replace(local.selected_provider.subject_env_mapping, format("/%s/", local.template_keys_regex), "%s"), [
for v in flatten(regexall(local.template_keys_regex, local.selected_provider.subject_env_mapping)) : {
repo = var.repository
env = var.protected_by.environment
}[v]
]...) : "",
var.protected_by.tag != null ? format(replace(local.selected_provider.subject_tag_mapping, format("/%s/", local.template_keys_regex), "%s"), [
for v in flatten(regexall(local.template_keys_regex, local.selected_provider.subject_tag_mapping)) : {
repo = var.repository
type = "tag"
ref = var.protected_by.tag
}[v]
]...) : ""
])
}
}
}
## Provision the read write role
resource "aws_iam_role" "rw" {
assume_role_policy = data.aws_iam_policy_document.rw.json
description = var.description
force_detach_policies = var.force_detach_policies
max_session_duration = var.read_write_max_session_duration
name = local.readwrite_role_name
path = var.role_path
permissions_boundary = local.permission_boundary_arn
tags = merge(var.tags, { Name = local.readwrite_role_name })
}
## Provision the inline terraform policy for the rw role
resource "aws_iam_role_policy" "tfstate_apply_rw" {
name = "tfstate_apply"
role = aws_iam_role.rw.id
policy = data.aws_iam_policy_document.tfstate_apply.json
}
## Provision the inline policies for the read write role
resource "aws_iam_role_policy" "inline_policies_rw" {
for_each = merge(var.read_write_inline_policies, var.default_inline_policies)
name = each.key
role = aws_iam_role.rw.id
policy = each.value
}
## Attach the read write policies to the read write role
resource "aws_iam_role_policy_attachment" "rw" {
for_each = toset(concat(var.read_write_policy_arns, var.default_managed_policies))
policy_arn = each.key
role = aws_iam_role.rw.name
}
## Craft the trust policy for the state reader role
data "aws_iam_policy_document" "sr" {
statement {
actions = [
"sts:AssumeRoleWithWebIdentity",
]
principals {
type = "Federated"
identifiers = [
data.aws_iam_openid_connect_provider.this.arn
]
}
condition {
test = "StringEquals"
variable = format("%s:aud", trimprefix(local.selected_provider.url, "https://"))
values = concat(local.selected_provider.audiences, var.additional_audiences)
}
condition {
test = "StringLike"
variable = format("%s:sub", trimprefix(local.selected_provider.url, "https://"))
values = [
for repo in var.shared_repositories :
format(replace(local.selected_provider.subject_reader_mapping, format("/%s/", local.template_keys_regex), "%s"), [
for v in flatten(regexall(local.template_keys_regex, local.selected_provider.subject_reader_mapping)) : {
repo = repo
}[v]
]...)
]
}
}
}
## Provision the state reader role
resource "aws_iam_role" "sr" {
assume_role_policy = data.aws_iam_policy_document.sr.json
description = format("Terraform state reader role for '%s' repo", local.repo_name)
name = local.state_reader_role_name
path = var.role_path
tags = merge(var.tags, { Name = local.state_reader_role_name })
inline_policy {
name = "tfstate_remote"
policy = data.aws_iam_policy_document.tfstate_remote.json
}
}