working on workspace cleanup

arnol377 · arnol377 · commit 55828c8809c1 · 2025-02-13T16:27:27.000-05:00
diff --git a/main.tf b/main.tf
@@ -29,17 +29,11 @@ module "s3_artifacts_bucket" {
   }
 }
 
-# call build_user module
-module "build_user" {
-  count                 = local.build_user_iam_policy == null ? 0 : 1
-  source                = "./modules/build_user"
-  project_name          = var.project_name
-  account_id            = local.account_id
-  region                = local.region
-  build_user_iam_policy = local.build_user_iam_policy
+# Move away from conditional build_user module to use static IAM role
+locals {
+  build_user_role_arn = aws_iam_role.build_user_role.arn
 }
 
-
 module "codepipeline_kms" {
   source                = "./modules/kms"
   codepipeline_role_arn = module.codepipeline_iam_role.role_arn
@@ -107,7 +101,15 @@ module "codepipeline_iam_role" {
   }
 }
 
-
+module "build_user" {
+  source                = "./modules/build_user"
+  count                 = var.create_build_user ? 1 : 0
+  project_name          = var.project_name
+  region                = local.region
+  account_id            = local.account_id
+  build_user_iam_policy = local.build_user_iam_policy
+  secret_arns           = var.secret_arns
+}
 
 # Module for Infrastructure Validate, Plan, Apply and Destroy - CodePipeline
 module "codepipeline_terraform" {
@@ -152,7 +154,7 @@ resource "aws_iam_role" "build_user_role" {
         Action = "sts:AssumeRole"
         Effect = "Allow"
         Principal = {
-          Service = "ec2.amazonaws.com"
+          Service = ["ec2.amazonaws.com", "codebuild.amazonaws.com"]
         }
       }
     ]
diff --git a/modules/build_user/variables.tf b/modules/build_user/variables.tf
@@ -19,3 +19,9 @@ variable "build_user_iam_policy" {
   description = "The IAM policy for the build user."
   type        = string
 }
+
+variable "secret_arns" {
+  description = "List of secret ARNs that the build user needs access to"
+  type        = list(string)
+  default     = null
+}
diff --git a/modules/iam-role/main.tf b/modules/iam-role/main.tf
@@ -3,14 +3,6 @@
 #This AWS Content is provided subject to the terms of the AWS Customer Agreement available at
 #http://aws.amazon.com/agreement or other written agreement between Customer and either
 #Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both.
-data "aws_s3_bucket" "assets" {
-  for_each = toset(concat(
-    var.goss_bucket == null ? [] : [var.goss_bucket.name],
-    var.ansible_bucket == null ? [] : [var.ansible_bucket.name],
-    var.packer_bucket == null ? [] : [var.packer_bucket.name]
-  ))
-  bucket = each.value
-}
 
 data "aws_iam_policy_document" "codepipeline_assume_role" {
   # iam:GetInstanceProfile
@@ -51,6 +43,9 @@ locals {
     var.goss_repo == null ? [] : [var.goss_repo.arn]
   )
   codecommit_repo_count = length(local.codecommit_repos)
+  
+  # Construct bucket ARNs directly since we know the bucket name
+  assets_bucket_arn = "arn:${data.aws_partition.current.partition}:s3:::${var.goss_bucket.name}"
 }
 
 data "aws_iam_policy_document" "codepipeline_policy" {
@@ -73,13 +68,13 @@ data "aws_iam_policy_document" "codepipeline_policy" {
       "arn:${data.aws_partition.current.partition}:s3:::${var.state.bucket}/*"
       ],
       var.goss_bucket == null ? [] : [
-        "${lookup(data.aws_s3_bucket.assets, var.goss_bucket.name).arn}/*"
+        "${local.assets_bucket_arn}/*"
       ],
       var.ansible_bucket == null ? [] : [
-        "${lookup(data.aws_s3_bucket.assets, var.ansible_bucket.name).arn}/*"
+        "${local.assets_bucket_arn}/*"
       ],
       var.packer_bucket == null ? [] : [
-        "${lookup(data.aws_s3_bucket.assets, var.packer_bucket.name).arn}/*"
+        "${local.assets_bucket_arn}/*"
     ]))
   }
   statement {
diff --git a/outputs.tf b/outputs.tf
@@ -31,7 +31,7 @@ output "iam_arn" {
 
 output "kms_arn" {
   value       = module.codepipeline_kms.arn
-  description = "The ARN of the KMS key used in the codepipeline"
+  description = "The KMS key ARN used in the codepipeline"
 }
 
 output "s3_arn" {
@@ -44,10 +44,6 @@ output "s3_bucket" {
   description = "The Name of the S3 Bucket"
 }
 
-output "user" {
-  value = one(module.build_user).user
-}
-
 output "sec_group" {
   value = aws_security_group.packer
 }
@@ -60,3 +56,8 @@ output "secrets" {
   value = aws_secretsmanager_secret.secrets
 }
 
+output "role_name" {
+  value       = aws_iam_role.build_user_role.name
+  description = "The name of the IAM role used for build and pipeline operations"
+}
+
diff --git a/variables.tf b/variables.tf
@@ -394,3 +394,9 @@ variable "image_volume_mapping" {
   }))
   default = []
 }
+
+variable "create_build_user" {
+  description = "Whether to create a build user. Set to false if you want to use an existing user."
+  type        = bool
+  default     = true
+}

Original file line number	Diff line number	Diff line change
`@@ -29,17 +29,11 @@ module "s3_artifacts_bucket" {`
`29`	`29`	`}`
`30`	`30`	`}`
`31`	`31`
`32`		`-# call build_user module`
`33`		`-module "build_user" {`
`34`		`- count = local.build_user_iam_policy == null ? 0 : 1`
`35`		`- source = "./modules/build_user"`
`36`		`- project_name = var.project_name`
`37`		`- account_id = local.account_id`
`38`		`- region = local.region`
`39`		`- build_user_iam_policy = local.build_user_iam_policy`
	`32`	`+# Move away from conditional build_user module to use static IAM role`
	`33`	`+locals {`
	`34`	`+ build_user_role_arn = aws_iam_role.build_user_role.arn`
`40`	`35`	`}`
`41`	`36`
`42`		`-`
`43`	`37`	`module "codepipeline_kms" {`
`44`	`38`	`source = "./modules/kms"`
`45`	`39`	`codepipeline_role_arn = module.codepipeline_iam_role.role_arn`
`@@ -107,7 +101,15 @@ module "codepipeline_iam_role" {`
`107`	`101`	`}`
`108`	`102`	`}`
`109`	`103`
`110`		`-`
	`104`	`+module "build_user" {`
	`105`	`+ source = "./modules/build_user"`
	`106`	`+ count = var.create_build_user ? 1 : 0`
	`107`	`+ project_name = var.project_name`
	`108`	`+ region = local.region`
	`109`	`+ account_id = local.account_id`
	`110`	`+ build_user_iam_policy = local.build_user_iam_policy`
	`111`	`+ secret_arns = var.secret_arns`
	`112`	`+}`
`111`	`113`
`112`	`114`	`# Module for Infrastructure Validate, Plan, Apply and Destroy - CodePipeline`
`113`	`115`	`module "codepipeline_terraform" {`
`@@ -152,7 +154,7 @@ resource "aws_iam_role" "build_user_role" {`
`152`	`154`	`Action = "sts:AssumeRole"`
`153`	`155`	`Effect = "Allow"`
`154`	`156`	`Principal = {`
`155`		`- Service = "ec2.amazonaws.com"`
	`157`	`+ Service = ["ec2.amazonaws.com", "codebuild.amazonaws.com"]`
`156`	`158`	`}`
`157`	`159`	`}`
`158`	`160`	`]`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ output "iam_arn" {`
`31`	`31`
`32`	`32`	`output "kms_arn" {`
`33`	`33`	`value = module.codepipeline_kms.arn`
`34`		`- description = "The ARN of the KMS key used in the codepipeline"`
	`34`	`+ description = "The KMS key ARN used in the codepipeline"`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`output "s3_arn" {`
`@@ -44,10 +44,6 @@ output "s3_bucket" {`
`44`	`44`	`description = "The Name of the S3 Bucket"`
`45`	`45`	`}`
`46`	`46`
`47`		`-output "user" {`
`48`		`- value = one(module.build_user).user`
`49`		`-}`
`50`		`-`
`51`	`47`	`output "sec_group" {`
`52`	`48`	`value = aws_security_group.packer`
`53`	`49`	`}`
`@@ -60,3 +56,8 @@ output "secrets" {`
`60`	`56`	`value = aws_secretsmanager_secret.secrets`
`61`	`57`	`}`
`62`	`58`
	`59`	`+output "role_name" {`
	`60`	`+ value = aws_iam_role.build_user_role.name`
	`61`	`+ description = "The name of the IAM role used for build and pipeline operations"`
	`62`	`+}`
	`63`	`+`