
[DEV-1385] - Add IAM Role to deploy strapi (#639)
maurodandrea authored Feb 16, 2024
1 parent 201c98d commit 945394d
Showing 1 changed file with 87 additions and 26 deletions.
113 changes: 87 additions & 26 deletions .infrastructure/40_iam.tf
@@ -1,34 +1,41 @@
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "deploy_github" {
statement {
effect = "Allow"
actions = ["sts:AssumeRoleWithWebIdentity"]
principals {
type = "Federated"
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"]
}

condition {
test = "StringLike"
variable = "token.actions.githubusercontent.com:sub"
values = ["repo:${var.github_repository}:*"]
}

condition {
test = "ForAllValues:StringEquals"
variable = "token.actions.githubusercontent.com:iss"
values = ["https://token.actions.githubusercontent.com"]
}

condition {
test = "ForAllValues:StringEquals"
variable = "token.actions.githubusercontent.com:aud"
values = ["sts.amazonaws.com"]
}
}
}

###############################################################################
# Define IAM Role to use on deploy #
# Define IAM Role to use on website deploy #
###############################################################################
resource "aws_iam_role" "deploy_website" {
name = "GitHubActionDeployWebsite"
description = "Role to assume to deploy the website"


assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Allow",
Principal = {
"Federated" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
},
Action = "sts:AssumeRoleWithWebIdentity",
Condition = {
StringLike = {
"token.actions.githubusercontent.com:sub" : "repo:${var.github_repository}:*"
},
"ForAllValues:StringEquals" = {
"token.actions.githubusercontent.com:iss" : "https://token.actions.githubusercontent.com",
"token.actions.githubusercontent.com:aud" : "sts.amazonaws.com"
}
}
}
]
})
name = "GitHubActionDeployWebsite"
description = "Role to assume to deploy the website"
assume_role_policy = data.aws_iam_policy_document.deploy_github.json
}

resource "aws_iam_policy" "deploy_website" {
Expand Down Expand Up @@ -77,6 +84,60 @@ resource "aws_iam_role_policy_attachment" "deploy_website" {
policy_arn = aws_iam_policy.deploy_website.arn
}

###############################################################################
# Define IAM Role to use on strapi deploy #
###############################################################################

resource "aws_iam_role" "deploy_cms" {
name = "GitHubActionDeployCms"
description = "Role to assume to deploy the cms"
assume_role_policy = data.aws_iam_policy_document.deploy_github.json
}

resource "aws_iam_policy" "deploy_cms" {
name = "DeployCms"
description = "Policy to allow to deploy the cms"

policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"ecs:DescribeTaskDefinition",
"ecs:RegisterTaskDefinition",
"ecs:DescribeServices",
"ecs:UpdateService",
"ecr:GetAuthorizationToken",
"ecr:CompleteLayerUpload",
"ecr:GetAuthorizationToken",
"ecr:UploadLayerPart",
"ecr:InitiateLayerUpload",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:BatchGetImage"
]
Effect = "Allow"
Resource = "*"
},
{
Action = [
"iam:PassRole"
]
Effect = "Allow"
Resource = [
module.iam_role_ecs_task_execution.iam_role_arn,
module.iam_role_task_role.iam_role_arn
]
}
]
})
}

resource "aws_iam_role_policy_attachment" "deploy_cms" {
role = aws_iam_role.deploy_cms.name
policy_arn = aws_iam_policy.deploy_cms.arn
}

## IAM Role and policy ECS for CMS Strapi
data "aws_iam_policy_document" "ecs_task_execution" {
statement {
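Review bot: The first statement of the new `DeployCms` policy grants `ecs:UpdateService` and the ECR push actions (`ecr:PutImage`, `ecr:InitiateLayerUpload`, `ecr:CompleteLayerUpload`, …) on `Resource = "*"`, so a workflow that assumes `GitHubActionDeployCms` can overwrite images in any ECR repository and redeploy any ECS service in the account, not only Strapi. Only `ecr:GetAuthorizationToken` and the task-definition actions genuinely require `*`; the statement should be split so the remaining ECR actions are scoped to the Strapi repository ARN and `ecs:DescribeServices`/`ecs:UpdateService` to the CMS cluster/service ARN (presumably defined elsewhere in this module). The `iam:PassRole` statement is correctly limited to the two task roles, but it would be tighter still with `Condition = { StringEquals = { "iam:PassedToService" = "ecs-tasks.amazonaws.com" } }` so those roles cannot be passed to any other service. In the same `Action` list `ecr:GetAuthorizationToken` appears twice; the second copy can be dropped. Note also that the shared trust policy this role now reuses via `assume_role_policy` matches `repo:…:*`, so a workflow on any branch of the repository can obtain the deploy role; narrowing the `sub` condition to the deploy branch or a GitHub environment would be the usual hardening.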
