feat: refactor iam roles to remove inline_policy deprecation warning (#…

…153) Co-authored-by: Moritz Zimmer <moritzzimmer@users.noreply.github.com>
moritzzimmer · Jan 28, 2025 · 73c9b10 · 73c9b10
1 parent c260690
commit 73c9b10
Show file tree

Hide file tree

Showing 5 changed files with 333 additions and 281 deletions.
diff --git a/modules/deployment/README.md b/modules/deployment/README.md
@@ -390,14 +390,37 @@ No modules.
 | [aws_iam_role.codedeploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.codepipeline_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.trigger](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy_attachment.codedeploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy.codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.codebuild_s3_package_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.codedeploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.codedeploy_hooks_after_allow_traffic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.codedeploy_hooks_after_before_traffic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.codedeploy_pipeline_artifacts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.codepipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.codepipeline_ecr_source_image_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.codepipeline_s3_source_package_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.trigger](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_s3_bucket.pipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_public_access_block.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.pipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_sns_topic.notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
 | [aws_sns_topic_policy.notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy.codedeploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy_document.codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.codebuild_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.codebuild_s3_package_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.codedeploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.codedeploy_hooks_after_allow_traffic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.codedeploy_hooks_after_before_traffic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.codedeploy_pipeline_artifacts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.codepipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.codepipeline_ecr_source_image_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.codepipeline_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.codepipeline_s3_source_package_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.codepipeline_trigger](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.sns_codestar_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.trigger](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 

diff --git a/modules/deployment/iam_codebuild.tf b/modules/deployment/iam_codebuild.tf
@@ -1,87 +1,100 @@
+locals {
+  create_codebuild_role = var.codebuild_role_arn == ""
+}
+
+data "aws_iam_policy_document" "codebuild_role" {
+  count = local.create_codebuild_role ? 1 : 0
+
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["codebuild.amazonaws.com"]
+    }
+  }
+}
+
 resource "aws_iam_role" "codebuild_role" {
-  count = var.codebuild_role_arn == "" ? 1 : 0
-
-  name = "${local.iam_role_prefix}-codebuild-${data.aws_region.current.name}"
-  tags = var.tags
-
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action = "sts:AssumeRole"
-        Effect = "Allow"
-        Sid    = ""
-        Principal = {
-          Service = "codebuild.amazonaws.com"
-        }
-      },
+  count = local.create_codebuild_role ? 1 : 0
+
+  assume_role_policy = data.aws_iam_policy_document.codebuild_role[0].json
+  name               = "${local.iam_role_prefix}-codebuild-${data.aws_region.current.name}"
+  tags               = var.tags
+}
+
+data "aws_iam_policy_document" "codebuild_s3_package_permissions" {
+  count = var.s3_bucket != "" && local.create_codebuild_role ? 1 : 0
+
+  statement {
+    actions = ["s3:GetObjectVersion"]
+    effect  = "Allow"
+
+    resources = [
+      "arn:${data.aws_partition.current.partition}:s3:::${var.s3_bucket}/${var.s3_key}"
     ]
-  })
-
-  inline_policy {
-    name = "lambda-update-function-code-permissions"
-
-    policy = jsonencode({
-      Version = "2012-10-17"
-      Statement = [
-        {
-          Action = [
-            "lambda:GetAlias",
-            "lambda:GetFunction",
-            "lambda:GetFunctionConfiguration",
-            "lambda:PublishVersion",
-            "lambda:UpdateFunctionCode"
-          ]
-          Effect   = "Allow"
-          Resource = "arn:${data.aws_partition.current.partition}:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:${var.function_name}"
-        },
-        {
-          Action = [
-            "logs:CreateLogStream",
-            "logs:CreateLogGroup",
-            "logs:PutLogEvents"
-          ]
-          Effect   = "Allow"
-          Resource = "arn:${data.aws_partition.current.partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/codebuild/*"
-        },
-        {
-          Action = [
-            "s3:GetObject",
-            "s3:GetObjectVersion"
-          ]
-          Effect   = "Allow"
-          Resource = "${local.artifact_store_bucket_arn}/${local.pipeline_artifacts_folder}/source/*"
-        },
-        {
-          Action = [
-            "s3:PutObject",
-          ]
-          Effect   = "Allow"
-          Resource = "${local.artifact_store_bucket_arn}/${local.pipeline_artifacts_folder}/${local.deploy_output}/*"
-        }
-      ]
-    })
   }
+}
 
-  dynamic "inline_policy" {
-    for_each = var.s3_bucket != "" ? [true] : []
-    content {
-      name = "lambda-s3-package-permissions"
-
-      policy = jsonencode({
-        Version = "2012-10-17"
-        Statement = [
-          {
-            Action = [
-              "s3:GetObjectVersion"
-            ]
-            Effect = "Allow"
-            Resource = [
-              "arn:${data.aws_partition.current.partition}:s3:::${var.s3_bucket}/${var.s3_key}"
-            ]
-          }
-        ]
-      })
-    }
+resource "aws_iam_role_policy" "codebuild_s3_package_permissions" {
+  count = var.s3_bucket != "" && local.create_codebuild_role ? 1 : 0
+
+  name   = "lambda-s3-package-permissions"
+  policy = data.aws_iam_policy_document.codebuild_s3_package_permissions[0].json
+  role   = aws_iam_role.codebuild_role[0].name
+}
+
+data "aws_iam_policy_document" "codebuild" {
+  count = local.create_codebuild_role ? 1 : 0
+
+  statement {
+    actions = [
+      "lambda:GetAlias",
+      "lambda:GetFunction",
+      "lambda:GetFunctionConfiguration",
+      "lambda:PublishVersion",
+      "lambda:UpdateFunctionCode"
+    ]
+    resources = [
+      "arn:${data.aws_partition.current.partition}:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:${var.function_name}"
+    ]
+  }
+
+  statement {
+    actions = [
+      "logs:CreateLogStream",
+      "logs:CreateLogGroup",
+      "logs:PutLogEvents"
+    ]
+    resources = [
+      "arn:${data.aws_partition.current.partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/codebuild/*"
+    ]
+  }
+
+  statement {
+    actions = [
+      "s3:GetObject",
+      "s3:GetObjectVersion"
+    ]
+    resources = [
+      "${local.artifact_store_bucket_arn}/${local.pipeline_artifacts_folder}/source/*"
+    ]
+  }
+
+  statement {
+    actions = [
+      "s3:PutObject"
+    ]
+    resources = [
+      "${local.artifact_store_bucket_arn}/${local.pipeline_artifacts_folder}/${local.deploy_output}/*"
+    ]
   }
 }
+
+resource "aws_iam_role_policy" "codebuild" {
+  count = local.create_codebuild_role ? 1 : 0
+
+  name   = "lambda-update-function-code-permissions"
+  policy = data.aws_iam_policy_document.codebuild[0].json
+  role   = aws_iam_role.codebuild_role[0].name
+}
diff --git a/modules/deployment/iam_codedeploy.tf b/modules/deployment/iam_codedeploy.tf
@@ -1,75 +1,82 @@
+data "aws_iam_policy_document" "codedeploy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["codedeploy.amazonaws.com"]
+    }
+  }
+}
+
 resource "aws_iam_role" "codedeploy" {
-  name = "${local.iam_role_prefix}-codedeploy-${data.aws_region.current.name}"
-  tags = var.tags
+  assume_role_policy = data.aws_iam_policy_document.codedeploy.json
+  name               = "${local.iam_role_prefix}-codedeploy-${data.aws_region.current.name}"
+  tags               = var.tags
+}
 
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action = "sts:AssumeRole"
-        Effect = "Allow"
-        Sid    = ""
-        Principal = {
-          Service = "codedeploy.amazonaws.com"
-        }
-      },
+data "aws_iam_policy_document" "codedeploy_pipeline_artifacts" {
+  statement {
+    actions = [
+      "s3:GetObject",
+      "s3:GetObjectVersion"
+    ]
+    resources = [
+      "${local.artifact_store_bucket_arn}/${local.pipeline_artifacts_folder}/${local.deploy_output}/*"
     ]
-  })
+  }
+}
 
-  inline_policy {
-    name = "pipeline-artifacts-permissions"
+resource "aws_iam_role_policy" "codedeploy_pipeline_artifacts" {
+  name   = "pipeline-artifacts-permissions"
+  policy = data.aws_iam_policy_document.codedeploy_pipeline_artifacts.json
+  role   = aws_iam_role.codedeploy.name
+}
 
-    policy = jsonencode({
-      Version = "2012-10-17"
-      Statement = [
-        {
-          Action = [
-            "s3:GetObject",
-            "s3:GetObjectVersion"
-          ]
-          Effect   = "Allow"
-          Resource = "${local.artifact_store_bucket_arn}/${local.pipeline_artifacts_folder}/${local.deploy_output}/*"
-        }
-      ]
-    })
-  }
+data "aws_iam_policy_document" "codedeploy_hooks_after_allow_traffic" {
+  count = var.codedeploy_appspec_hooks_after_allow_traffic_arn != "" ? 1 : 0
 
-  dynamic "inline_policy" {
-    for_each = var.codedeploy_appspec_hooks_after_allow_traffic_arn != "" ? [true] : []
-    content {
-      name = "hooks-after-allow-traffic"
-      policy = jsonencode({
-        Version = "2012-10-17"
-        Statement = [
-          {
-            Action   = ["lambda:InvokeFunction"]
-            Effect   = "Allow"
-            Resource = var.codedeploy_appspec_hooks_after_allow_traffic_arn
-          }
-        ]
-      })
-    }
+  statement {
+    actions   = ["lambda:InvokeFunction"]
+    resources = [var.codedeploy_appspec_hooks_after_allow_traffic_arn]
   }
+}
 
-  dynamic "inline_policy" {
-    for_each = var.codedeploy_appspec_hooks_before_allow_traffic_arn != "" ? [true] : []
-    content {
-      name = "hooks-after-before-traffic"
-      policy = jsonencode({
-        Version = "2012-10-17"
-        Statement = [
-          {
-            Action   = ["lambda:InvokeFunction"]
-            Effect   = "Allow"
-            Resource = var.codedeploy_appspec_hooks_before_allow_traffic_arn
-          }
-        ]
-      })
-    }
+resource "aws_iam_role_policy" "codedeploy_hooks_after_allow_traffic" {
+  count = var.codedeploy_appspec_hooks_after_allow_traffic_arn != "" ? 1 : 0
+
+  name   = "hooks-after-allow-traffic"
+  policy = data.aws_iam_policy_document.codedeploy_hooks_after_allow_traffic[0].json
+  role   = aws_iam_role.codedeploy.name
+
+}
+
+data "aws_iam_policy_document" "codedeploy_hooks_after_before_traffic" {
+  count = var.codedeploy_appspec_hooks_before_allow_traffic_arn != "" ? 1 : 0
+
+  statement {
+    actions = ["lambda:InvokeFunction"]
+    effect  = "Allow"
+    resources = [
+      var.codedeploy_appspec_hooks_before_allow_traffic_arn
+    ]
   }
 }
 
-resource "aws_iam_role_policy_attachment" "codedeploy" {
-  role       = aws_iam_role.codedeploy.id
-  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda"
+resource "aws_iam_role_policy" "codedeploy_hooks_after_before_traffic" {
+  count = var.codedeploy_appspec_hooks_before_allow_traffic_arn != "" ? 1 : 0
+
+  name   = "hooks-after-before-traffic"
+  policy = data.aws_iam_policy_document.codedeploy_hooks_after_before_traffic[0].json
+  role   = aws_iam_role.codedeploy.name
+}
+
+data "aws_iam_policy" "codedeploy" {
+  arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda"
+}
+
+resource "aws_iam_role_policy" "codedeploy" {
+  name   = "codedeploy-permissions"
+  policy = data.aws_iam_policy.codedeploy.policy
+  role   = aws_iam_role.codedeploy.id
 }