[DEV-1385] - Add IAM Role to deploy strapi (#639)

maurodandrea · web-flow · commit 945394d20d69 · 2024-02-16T14:51:10.000+01:00
diff --git a/.infrastructure/40_iam.tf b/.infrastructure/40_iam.tf
@@ -1,34 +1,41 @@
 data "aws_caller_identity" "current" {}
 
+data "aws_iam_policy_document" "deploy_github" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    principals {
+      type        = "Federated"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = ["repo:${var.github_repository}:*"]
+    }
+
+    condition {
+      test     = "ForAllValues:StringEquals"
+      variable = "token.actions.githubusercontent.com:iss"
+      values   = ["https://token.actions.githubusercontent.com"]
+    }
+
+    condition {
+      test     = "ForAllValues:StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+  }
+}
+
 ###############################################################################
-#                      Define IAM Role to use on deploy                       #
+#                Define IAM Role to use on website deploy                     #
 ###############################################################################
 resource "aws_iam_role" "deploy_website" {
-  name        = "GitHubActionDeployWebsite"
-  description = "Role to assume to deploy the website"
-
-
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow",
-        Principal = {
-          "Federated" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
-        },
-        Action = "sts:AssumeRoleWithWebIdentity",
-        Condition = {
-          StringLike = {
-            "token.actions.githubusercontent.com:sub" : "repo:${var.github_repository}:*"
-          },
-          "ForAllValues:StringEquals" = {
-            "token.actions.githubusercontent.com:iss" : "https://token.actions.githubusercontent.com",
-            "token.actions.githubusercontent.com:aud" : "sts.amazonaws.com"
-          }
-        }
-      }
-    ]
-  })
+  name               = "GitHubActionDeployWebsite"
+  description        = "Role to assume to deploy the website"
+  assume_role_policy = data.aws_iam_policy_document.deploy_github.json
 }
 
 resource "aws_iam_policy" "deploy_website" {
@@ -77,6 +84,60 @@ resource "aws_iam_role_policy_attachment" "deploy_website" {
   policy_arn = aws_iam_policy.deploy_website.arn
 }
 
+###############################################################################
+#                Define IAM Role to use on strapi deploy                      #
+###############################################################################
+
+resource "aws_iam_role" "deploy_cms" {
+  name               = "GitHubActionDeployCms"
+  description        = "Role to assume to deploy the cms"
+  assume_role_policy = data.aws_iam_policy_document.deploy_github.json
+}
+
+resource "aws_iam_policy" "deploy_cms" {
+  name        = "DeployCms"
+  description = "Policy to allow to deploy the cms"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "ecs:DescribeTaskDefinition",
+          "ecs:RegisterTaskDefinition",
+          "ecs:DescribeServices",
+          "ecs:UpdateService",
+          "ecr:GetAuthorizationToken",
+          "ecr:CompleteLayerUpload",
+          "ecr:GetAuthorizationToken",
+          "ecr:UploadLayerPart",
+          "ecr:InitiateLayerUpload",
+          "ecr:BatchCheckLayerAvailability",
+          "ecr:PutImage",
+          "ecr:BatchGetImage"
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+      {
+        Action = [
+          "iam:PassRole"
+        ]
+        Effect = "Allow"
+        Resource = [
+          module.iam_role_ecs_task_execution.iam_role_arn,
+          module.iam_role_task_role.iam_role_arn
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "deploy_cms" {
+  role       = aws_iam_role.deploy_cms.name
+  policy_arn = aws_iam_policy.deploy_cms.arn
+}
+
 ## IAM Role and policy ECS for CMS Strapi
 data "aws_iam_policy_document" "ecs_task_execution" {
   statement {
