Add IAM instance profile to build_user module (#9)

* Add IAM instance profile to build_user module

Add iam_instance_profile to build_user module and update policies for S3 access.

* **modules/build_user/main.tf**
  - Add `aws_iam_instance_profile` resource to create the instance profile.
* **locals.tf**
  - Update `build_user_iam_policy` to include access to all relevant S3 buckets and objects.
* **main.tf**
  - Reference the new `iam_instance_profile` in the `build_user` module.

---

For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/HappyPathway/terraform-aws-image-pipeline?shareId=XXXX-XXXX-XXXX-XXXX).

* terraform-docs: automated action

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: djaboxx

.terraform.lock.hcl

@@ -13,7 +13,9 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.49.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.86.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.6.3 |
+| <a name="provider_tls"></a> [tls](#provider\_tls) | 4.0.6 |
 
 ## Modules
 
@@ -30,15 +32,19 @@
 
 | Name | Type |
 |------|------|
+| [aws_key_pair.deployer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair) | resource |
 | [aws_secretsmanager_secret.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
+| [aws_secretsmanager_secret.ssh_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
 | [aws_secretsmanager_secret_version.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
+| [aws_secretsmanager_secret_version.ssh_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
 | [aws_security_group.packer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group_rule.sg_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_ssm_parameter.managed_parameters](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
-| [aws_ssm_parameter.nonmanaged_parameters](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [aws_vpc_security_group_egress_rule.allow_all_traffic_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |
 | [aws_vpc_security_group_egress_rule.allow_all_traffic_ipv6](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |
 | [aws_vpc_security_group_ingress_rule.allow_all_ssh_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
+| [random_pet.keyname](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [tls_private_key.ssh](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.build_user_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
@@ -52,6 +58,7 @@
 | <a name="input_ansible_bucket"></a> [ansible\_bucket](#input\_ansible\_bucket) | Ansible bucket details | <pre>object({<br>    name = string,<br>    key  = string<br>  })</pre> | `null` | no |
 | <a name="input_ansible_repo"></a> [ansible\_repo](#input\_ansible\_repo) | Source of Ansible Repo | <pre>object({<br>    arn             = optional(string)<br>    repository_name = optional(string, "image-pipeline-ansible-playbooks")<br>    branch          = optional(string, "main")<br>  })</pre> | `null` | no |
 | <a name="input_ansible_source_type"></a> [ansible\_source\_type](#input\_ansible\_source\_type) | Type of source to be used for the Ansible CodePipeline | `string` | `"CodeCommit"` | no |
+| <a name="input_assets_bucket_name"></a> [assets\_bucket\_name](#input\_assets\_bucket\_name) | Name of the S3 bucket used to store the deployment artifacts | `string` | `"image-pipeline-assets"` | no |
 | <a name="input_build_environment_variables"></a> [build\_environment\_variables](#input\_build\_environment\_variables) | n/a | <pre>list(object({<br>    name  = string<br>    value = string<br>    type  = optional(string, "PLAINTEXT")<br>  }))</pre> | `null` | no |
 | <a name="input_build_project_source"></a> [build\_project\_source](#input\_build\_project\_source) | Source Code Repo for Playbook | `string` | `"CODEPIPELINE"` | no |
 | <a name="input_build_projects"></a> [build\_projects](#input\_build\_projects) | List of Names of the CodeBuild projects to be created | <pre>list(object({<br>    name = string,<br>    vars = optional(map(string), {})<br>    environment_variables = optional(list(object({<br>      name  = string<br>      value = string<br>      type  = string<br>    })), [])<br>    buildspec = optional(string)<br>  }))</pre> | <pre>[<br>  {<br>    "name": "build"<br>  },<br>  {<br>    "name": "test"<br>  }<br>]</pre> | no |
@@ -71,6 +78,8 @@
 | <a name="input_goss_repo"></a> [goss\_repo](#input\_goss\_repo) | Source of Goss Repo | <pre>object({<br>    arn             = optional(string)<br>    repository_name = optional(string, "image-pipeline-goss-testing")<br>    branch          = optional(string, "main")<br>  })</pre> | `null` | no |
 | <a name="input_goss_source_type"></a> [goss\_source\_type](#input\_goss\_source\_type) | Type of source to be used for the Goss CodePipeline | `string` | `"CodeCommit"` | no |
 | <a name="input_image"></a> [image](#input\_image) | n/a | <pre>object({<br>    dest_tag           = string<br>    dest_docker_repo   = string<br>    source_image       = string<br>    source_tag         = string<br>    source_docker_repo = string<br>  })</pre> | `null` | no |
+| <a name="input_image_volume_mapping"></a> [image\_volume\_mapping](#input\_image\_volume\_mapping) | n/a | <pre>list(object({<br>    device_name           = string<br>    volume_size           = number<br>    volume_type           = string<br>    delete_on_termination = bool<br>    encrypted             = optional(bool, false)<br>    iops                  = optional(number, null)<br>    snapshot_id           = optional(string, null)<br>    throughput            = optional(number, null)<br>    virtual_name          = optional(string, null)<br>    kms_key_id            = optional(string, null)<br>    mount_path            = optional(string, null)<br>  }))</pre> | `[]` | no |
+| <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | n/a | `string` | `null` | no |
 | <a name="input_nonmanaged_parameters"></a> [nonmanaged\_parameters](#input\_nonmanaged\_parameters) | n/a | `list(string)` | <pre>[<br>  "dest_tag"<br>]</pre> | no |
 | <a name="input_packer_bucket"></a> [packer\_bucket](#input\_packer\_bucket) | Source bucket details | <pre>object({<br>    name = string,<br>    key  = string<br>  })</pre> | `null` | no |
 | <a name="input_packer_config"></a> [packer\_config](#input\_packer\_config) | Name of Packer Config in Repo | `string` | `"build.pkr.hcl"` | no |
@@ -80,9 +89,11 @@
 | <a name="input_parameter_arns"></a> [parameter\_arns](#input\_parameter\_arns) | n/a | `list(string)` | `null` | no |
 | <a name="input_playbook"></a> [playbook](#input\_playbook) | n/a | `string` | `null` | no |
 | <a name="input_project_name"></a> [project\_name](#input\_project\_name) | Unique name for this project | `string` | n/a | yes |
+| <a name="input_required_packages"></a> [required\_packages](#input\_required\_packages) | n/a | <pre>list(object({<br>    src  = string<br>    dest = string<br>  }))</pre> | `[]` | no |
 | <a name="input_secret_arns"></a> [secret\_arns](#input\_secret\_arns) | n/a | `list(string)` | `null` | no |
 | <a name="input_secrets"></a> [secrets](#input\_secrets) | n/a | `map(string)` | `{}` | no |
 | <a name="input_shared_accounts"></a> [shared\_accounts](#input\_shared\_accounts) | n/a | `list(string)` | `null` | no |
+| <a name="input_shared_kms_key_arns"></a> [shared\_kms\_key\_arns](#input\_shared\_kms\_key\_arns) | n/a | `list(string)` | `[]` | no |
 | <a name="input_ssh_user"></a> [ssh\_user](#input\_ssh\_user) | SSH username | `string` | `null` | no |
 | <a name="input_stage_input"></a> [stage\_input](#input\_stage\_input) | Tags to be attached to the CodePipeline | <pre>list(object({<br>    name             = string,<br>    category         = string,<br>    owner            = string,<br>    provider         = string,<br>    input_artifacts  = list(string),<br>    output_artifacts = list(string)<br>  }))</pre> | <pre>[<br>  {<br>    "category": "Build",<br>    "input_artifacts": [<br>      "SourceOutput",<br>      "SourceAnsibleOutput"<br>    ],<br>    "name": "build",<br>    "output_artifacts": [<br>      "BuildOutput"<br>    ],<br>    "owner": "AWS",<br>    "provider": "CodeBuild"<br>  },<br>  {<br>    "category": "Build",<br>    "input_artifacts": [<br>      "SourceOutput",<br>      "SourceGossOutput"<br>    ],<br>    "name": "test",<br>    "output_artifacts": [<br>      "BuildTestOutput"<br>    ],<br>    "owner": "AWS",<br>    "provider": "CodeBuild"<br>  }<br>]</pre> | no |
 | <a name="input_state"></a> [state](#input\_state) | n/a | <pre>object({<br>    bucket         = string<br>    key            = string<br>    region         = string<br>    dynamodb_table = string<br>  })</pre> | n/a | yes |
@@ -102,9 +113,9 @@
 | <a name="output_iam_arn"></a> [iam\_arn](#output\_iam\_arn) | The ARN of the IAM Role used by the CodePipeline |
 | <a name="output_kms_arn"></a> [kms\_arn](#output\_kms\_arn) | The ARN of the KMS key used in the codepipeline |
 | <a name="output_managed_parameters"></a> [managed\_parameters](#output\_managed\_parameters) | n/a |
-| <a name="output_nonmanaged_parameters"></a> [nonmanaged\_parameters](#output\_nonmanaged\_parameters) | n/a |
 | <a name="output_s3_arn"></a> [s3\_arn](#output\_s3\_arn) | The ARN of the S3 Bucket |
 | <a name="output_s3_bucket"></a> [s3\_bucket](#output\_s3\_bucket) | The Name of the S3 Bucket |
 | <a name="output_sec_group"></a> [sec\_group](#output\_sec\_group) | n/a |
 | <a name="output_secrets"></a> [secrets](#output\_secrets) | n/a |
+| <a name="output_user"></a> [user](#output\_user) | n/a |
 <!-- END_TF_DOCS -->

README.md

@@ -40,6 +40,17 @@ data "aws_iam_policy_document" "build_user_default" {
       ],
     var.secret_arns == null ? [] : var.secret_arns)
   }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:*"
+    ]
+    resources = concat([
+      "arn:${data.aws_partition.current.partition}:s3:::${module.s3_artifacts_bucket.bucket}/*"
+      ],
+    var.s3_bucket_arns == null ? [] : var.s3_bucket_arns)
+  }
 }
 
 locals {

locals.tf

@@ -37,6 +37,7 @@ module "build_user" {
   account_id            = local.account_id
   region                = local.region
   build_user_iam_policy = local.build_user_iam_policy
+  iam_instance_profile  = aws_iam_instance_profile.build_user_instance_profile.name
 }
 
 

main.tf

@@ -34,3 +34,8 @@ resource "aws_secretsmanager_secret_version" "credentials" {
     aws_access_key_id     = aws_iam_access_key.build_user.id
   })
 }
+
+resource "aws_iam_instance_profile" "build_user_instance_profile" {
+  name = "${var.project_name}-instance-profile"
+  role = aws_iam_user.build_user.name
+}