Refactor Terraform configuration to introduce IAM role and instance profile for build user, and update bucket handling in locals

Author: roknsound

locals.tf

@@ -7,6 +7,14 @@
 locals {
   account_id = data.aws_caller_identity.current.account_id
   region     = data.aws_region.current.name
+  buckets = distinct([
+    module.s3_artifacts_bucket.bucket,
+    var.assets_bucket_name,
+    var.packer_bucket.name,
+    var.ansible_bucket.name,
+    var.goss_bucket.name,
+    var.state.bucket
+  ])
 }
 
 data "aws_iam_policy_document" "build_user_default" {
@@ -46,10 +54,14 @@ data "aws_iam_policy_document" "build_user_default" {
     actions = [
       "s3:*"
     ]
-    resources = concat([
-      "arn:${data.aws_partition.current.partition}:s3:::${module.s3_artifacts_bucket.bucket}/*"
+    resources = concat(
+      [
+        for bucket in local.buckets : "arn:${data.aws_partition.current.partition}:s3:::${bucket}"
       ],
-    var.s3_bucket_arns == null ? [] : var.s3_bucket_arns)
+      [
+        for bucket in local.buckets : "arn:${data.aws_partition.current.partition}:s3:::${bucket}/*"
+      ]
+    )
   }
 }
 

main.tf

@@ -37,7 +37,6 @@ module "build_user" {
   account_id            = local.account_id
   region                = local.region
   build_user_iam_policy = local.build_user_iam_policy
-  iam_instance_profile  = aws_iam_instance_profile.build_user_instance_profile.name
 }
 
 
@@ -142,3 +141,31 @@ module "codepipeline_terraform" {
     Region       = local.region
   }
 }
+
+resource "aws_iam_role" "build_user_role" {
+  name = "${var.project_name}-build-user-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "ec2.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  tags = {
+    Project_Name = var.project_name
+    Account_ID   = local.account_id
+    Region       = local.region
+  }
+}
+
+resource "aws_iam_instance_profile" "build_user_instance_profile" {
+  name = "${var.project_name}-instance-profile"
+  role = aws_iam_role.build_user_role.name
+}

modules/build_user/main.tf

@@ -34,8 +34,3 @@ resource "aws_secretsmanager_secret_version" "credentials" {
     aws_access_key_id     = aws_iam_access_key.build_user.id
   })
 }
-
-resource "aws_iam_instance_profile" "build_user_instance_profile" {
-  name = "${var.project_name}-instance-profile"
-  role = aws_iam_user.build_user.name
-}

modules/codebuild/main.tf

@@ -33,7 +33,7 @@ locals {
   # value is a map with keys vars, environment_variables, and buildspec. 
   # This map is assigned to the build_projects local value.
   _build_projects = var.docker_build ? concat([
-    for project in var.build_projects : project if ! contains(["test", "build"], project.name)
+    for project in var.build_projects : project if !contains(["test", "build"], project.name)
     ],
     [
       {

modules/codebuild/variables.tf

@@ -15,7 +15,7 @@ variable "role_arn" {
   default     = ""
 }
 
-variable assets_bucket_name {
+variable "assets_bucket_name" {
   description = "Name of the S3 bucket used to store the deployment artifacts"
   type        = string
   default     = "image-pipeline-assets"

parameters_and_secrets.tf

@@ -4,15 +4,16 @@ locals {
   # This includes configurations like region, subnets, security group IDs, VPC ID, source AMI, and more.
   # Conditional logic is used to include optional parameters only if they are provided.
   parameters = tomap(merge({
-    aws_account_id     = data.aws_caller_identity.current.account_id,    # AWS account ID where resources will be provisioned.
-    region             = local.vpc_config.region,                        # AWS region where resources will be provisioned.
-    subnets            = join(",", local.vpc_config.subnets),            # Comma-separated list of subnet IDs.
-    security_group_ids = join(",", local.vpc_config.security_group_ids), # Comma-separated list of security group IDs.
-    vpc_id             = local.vpc_config.vpc_id,                        # VPC ID where resources will be provisioned.
-    goss_profile       = var.goss_profile,                               # GOSS profile for server testing.
-    goss_binary        = var.goss_binary,                                # GOSS binary for server testing.
-    playbook           = var.playbook,                                   # Ansible playbook for configuration management.
-    troubleshoot       = var.troubleshoot,                               # Enable troubleshooting mode.
+    instance_profile   = var.instance_profile == null ? "${var.project_name}-instance-profile" : var.instance_profile # IAM instance profile for the EC2 instance.
+    aws_account_id     = data.aws_caller_identity.current.account_id,                                                 # AWS account ID where resources will be provisioned.
+    region             = local.vpc_config.region,                                                                     # AWS region where resources will be provisioned.
+    subnets            = join(",", local.vpc_config.subnets),                                                         # Comma-separated list of subnet IDs.
+    security_group_ids = join(",", local.vpc_config.security_group_ids),                                              # Comma-separated list of security group IDs.
+    vpc_id             = local.vpc_config.vpc_id,                                                                     # VPC ID where resources will be provisioned.
+    goss_profile       = var.goss_profile,                                                                            # GOSS profile for server testing.
+    goss_binary        = var.goss_binary,                                                                             # GOSS binary for server testing.
+    playbook           = var.playbook,                                                                                # Ansible playbook for configuration management.
+    troubleshoot       = var.troubleshoot,                                                                            # Enable troubleshooting mode.
     # Mapping of volumes to attach to the instance.
     volume_map = jsonencode(var.image_volume_mapping)
 
@@ -74,7 +75,7 @@ locals {
   nonsensitive_parameters = tomap(
     { for k, v in local.ssm_parameters :
       (issensitive(k) ? nonsensitive(k) : k) => (issensitive(v) ? nonsensitive(v) : v)
-      if ! contains(var.nonmanaged_parameters, issensitive(k) ? nonsensitive(k) : k)
+      if !contains(var.nonmanaged_parameters, issensitive(k) ? nonsensitive(k) : k)
     }
   )
 }

variables.tf

@@ -384,8 +384,13 @@ variable "required_packages" {
   default = []
 }
 
-variable assets_bucket_name {
+variable "assets_bucket_name" {
   description = "Name of the S3 bucket used to store the deployment artifacts"
   type        = string
   default     = "image-pipeline-assets"
-}
+}
+
+variable "instance_profile" {
+  type    = string
+  default = null
+}