
DOPS-101 Add s3 policy to role for jenkins
akagr committed Sep 8, 2022
1 parent 86a7e78 commit 5907e45
Showing 2 changed files with 358 additions and 13 deletions.
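--- a/terraform/bootstrap/jenkins.tf
+++ b/terraform/bootstrap/jenkins.tf
@@ -0,0 +1,44 @@
+/*
+We use jenkins to automate deployment with Terraform. Jenkins
+is set up in a different AWS account.
+This group of IAM resources allow jenkins to assume a role needed
+to deploy resources (and make changes to backend).
+*/
+
+data "aws_iam_policy_document" "terraform_backend_account_policy" {
+statement {
+effect = "Allow"
+
+principals {
+type = "AWS"
+identifiers = ["arn:aws:iam::191447213457:role/jenkins-role"]
+}
+
+actions = ["sts:AssumeRole"]
+}
+}
+
+resource "aws_iam_role" "terraform_backend_role" {
+name = "terraform_backend_admin"
+assume_role_policy = data.aws_iam_policy_document.terraform_backend_account_policy.json
+}
+
+data "aws_iam_policy_document" "terraform_backend_role_policy_document" {
+statement {
+effect = "Allow"
+
+actions = ["s3:*"]
+resources = ["arn:aws:s3:::${module.bootstrap.state_bucket}/*"]
+}
+}
+
+resource "aws_iam_policy" "terraform_backend_role_policy" {
+name = "terraform-backend-role-policy"
+policy = data.aws_iam_policy_document.terraform_backend_role_policy_document.json
+}
+
+resource "aws_iam_role_policy_attachment" "terraform_backend_attachment" {
+role = aws_iam_role.terraform_backend_role.name
+policy_arn = aws_iam_policy.terraform_backend_role_policy.arn
+}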
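Review bot: The statement with `actions = ["s3:*"]` is at once too broad and too narrow for a Terraform S3 backend: `s3:*` on the object ARN grants every object-level action on the state bucket (ACL changes, deletes, restores), while the only resource, `arn:aws:s3:::${module.bootstrap.state_bucket}/*`, does not cover the bucket itself, so the bucket-level `s3:ListBucket` the backend uses to look up state keys is not granted by this policy at all. Scope the actions to what the backend performs on objects and add a separate statement for `s3:ListBucket` on the bucket ARN, as sketched below. If the backend also uses a DynamoDB lock table, that is not visible in this file and would need its own statement. The trust policy pins the principal to a single role ARN, which is the right shape; moving the hard-coded account id into a variable would be a style improvement only.
```hcl
data "aws_iam_policy_document" "terraform_backend_role_policy_document" {
  statement {
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${module.bootstrap.state_bucket}"]
  }

  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::${module.bootstrap.state_bucket}/*"]
  }
}
```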
