# Bastion
resource "aws_iam_role" "bastion_role" {
  # Instance role for the bastion host. The trust policy lets only the EC2
  # service assume it; the role is handed to instances through
  # aws_iam_instance_profile.wsi-bastion-profile.
  name = "wsi-bastion-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = ""
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}
# NOTE(review): AdministratorAccess on the bastion role means any process on
# the bastion (and anyone who can reach its instance metadata endpoint) holds
# full account privileges. A jump host normally needs no AWS API access at
# all; scope this to whatever the bastion actually does — TODO confirm with
# the operator before narrowing.
resource "aws_iam_role_policy_attachment" "bastion_role_attachment" {
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
  role       = aws_iam_role.bastion_role.name
}
# Instance profile that binds bastion_role to the bastion EC2 instance.
# (Resource label keeps its hyphenated form because other files reference it.)
resource "aws_iam_instance_profile" "wsi-bastion-profile" {
  role = aws_iam_role.bastion_role.name
  name = "wsi-bastion-profile"
}
# wsi App
resource "aws_iam_role" "wsi_app_role" {
  # Instance role for the application hosts; assumable by the EC2 service
  # only and attached via aws_iam_instance_profile.wsi-app-profile.
  name = "wsi-app-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = ""
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}
# NOTE(review): AmazonS3FullAccess covers every bucket in the account,
# including the pipeline artifact bucket. If the hosts only fetch deployment
# bundles, a read-only statement scoped to that bucket would suffice —
# TODO confirm what the application writes to S3.
resource "aws_iam_role_policy_attachment" "wsi_app_role_s3_attachment" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
  role       = aws_iam_role.wsi_app_role.name
}
# NOTE(review): AWSCodeDeployFullAccess is a control-plane policy (create and
# manage deployments). The CodeDeploy agent running on an instance presumably
# only needs to read its bundle from S3, so this grant looks wider than the
# host requires — verify against what actually runs on the app instances.
resource "aws_iam_role_policy_attachment" "wsi_app_role_codedeploy_attachment" {
  policy_arn = "arn:aws:iam::aws:policy/AWSCodeDeployFullAccess"
  role       = aws_iam_role.wsi_app_role.name
}
# NOTE(review): FullAccess allows pushing and deleting images in any
# repository. If the hosts only pull images at deploy time, the
# AmazonEC2ContainerRegistryReadOnly managed policy is enough — TODO confirm.
resource "aws_iam_role_policy_attachment" "wsi_app_role_ecr_attachment" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess"
  role       = aws_iam_role.wsi_app_role.name
}
# Instance profile that binds wsi_app_role to the application EC2 instances.
resource "aws_iam_instance_profile" "wsi-app-profile" {
  role = aws_iam_role.wsi_app_role.name
  name = "wsi-app-profile"
}
# CodeBuild
resource "aws_iam_role" "codebuild_role" {
  # Service role for CodeBuild projects; trust is limited to the CodeBuild
  # service principal. Permissions come from codebuild_role_policy.
  name = "wsi-codebuild-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = ""
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "codebuild.amazonaws.com" }
    }]
  })
}
resource "aws_iam_policy" "codebuild_role_policy" {
  # Permissions for the CodeBuild service role.
  # NOTE(review): every action family here is a full wildcard on
  # Resource "*" (logs, s3, ecr, codestar-connections), so a build step that
  # runs untrusted or tampered build scripts could read or alter any bucket
  # and repository in the account. Scope the S3 and ECR statements to the
  # pipeline artifact bucket and the target repository once those are
  # identified — TODO confirm against the buildspec.
  name = "codebuild-role-policy"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Resource = "*"
      Action   = ["logs:*", "s3:*", "ecr:*", "codestar-connections:*"]
    }]
  })
}
# Attach the customer-managed CodeBuild policy to the CodeBuild role.
resource "aws_iam_role_policy_attachment" "codebuild_role_attachment" {
  policy_arn = aws_iam_policy.codebuild_role_policy.arn
  role       = aws_iam_role.codebuild_role.name
}
# CodeDeploy
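resource "aws_iam_role" "codedeploy_role" {
  # Service role for CodeDeploy; trust is limited to the CodeDeploy service
  # principal. Permissions come from the AWSCodeDeployRole managed policy.
  name = "wsi-codedeploy-role"

  assume_role_policy = jsonencode({
    # Consistency fix: every other role in this file uses the current
    # "2012-10-17" policy language version; this one used the legacy
    # "2008-10-17", which is accepted by IAM but lacks newer policy features
    # and made the file inconsistent.
    Version = "2012-10-17"
    Statement = [{
      Sid       = ""
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "codedeploy.amazonaws.com" }
    }]
  })
}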
# AWSCodeDeployRole is the AWS-managed service-role policy for EC2/on-premises
# deployments; it is the intended grant for a CodeDeploy service role.
resource "aws_iam_role_policy_attachment" "codedeploy_role_attachment" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole"
  role       = aws_iam_role.codedeploy_role.name
}
# CodePipeline
resource "aws_iam_role" "codepipeline_role" {
  # Service role for the pipeline; only the CodePipeline service principal
  # may assume it. Permissions come from codepipeline_role_policy.
  name = "wsi-codepipeline-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = ""
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "codepipeline.amazonaws.com" }
    }]
  })
}
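resource "aws_iam_policy" "codepipeline_role_policy" {
  # Permissions for the CodePipeline service role, one statement per
  # integration the pipeline talks to: source connection, artifact bucket,
  # CodeBuild, CodeDeploy and KMS (artifact encryption).
  name = "codepipeline-policy"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Source stage: use the CodeStar connection to fetch the repository.
        # Fix: plain attribute reference instead of the deprecated
        # interpolation-only "${...}" string; the rendered ARN is the same.
        Effect   = "Allow"
        Action   = ["codestar-connections:UseConnection"]
        Resource = aws_codestarconnections_connection.wlstmd.arn
      },
      {
        # Artifact store: object-level access on the pipeline bucket only.
        # NOTE(review): bucket-level calls (e.g. s3:GetBucketVersioning) are
        # not granted here; if the pipeline needs them they belong in a
        # separate statement on the bucket ARN itself — confirm against the
        # pipeline definition.
        Effect = "Allow"
        Action = [
          "s3:PutObject",
          "s3:GetObject",
          "s3:GetObjectVersion",
          "s3:DeleteObject",
        ]
        Resource = "${aws_s3_bucket.codepipeline_s3_bucket.arn}/*"
      },
      {
        # Build stage.
        # NOTE(review): Resource "*" lets this role start any CodeBuild
        # project in the account; narrow it to the pipeline's project ARN,
        # which is declared outside this file — TODO confirm.
        Effect   = "Allow"
        Action   = ["codebuild:BatchGetBuilds", "codebuild:StartBuild"]
        Resource = "*"
      },
      {
        # Deploy stage. Same remark as the build stage: scope to the
        # CodeDeploy application / deployment-group ARNs where possible.
        Effect = "Allow"
        Action = [
          "codedeploy:CreateDeployment",
          "codedeploy:GetDeployment",
          "codedeploy:GetApplication",
          "codedeploy:GetApplicationRevision",
          "codedeploy:RegisterApplicationRevision",
          "codedeploy:GetDeploymentConfig",
          "codedeploy:GetDeploymentGroup",
        ]
        Resource = "*"
      },
      {
        # Artifact encryption.
        # NOTE(review): Resource "*" covers every KMS key the account can
        # reach; restrict it to the artifact bucket's key if one is
        # configured — TODO confirm.
        Effect   = "Allow"
        Action   = ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:DescribeKey"]
        Resource = "*"
      },
    ]
  })
}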
# Attach the customer-managed pipeline policy to the CodePipeline role.
resource "aws_iam_role_policy_attachment" "codepipeline_role_attachment" {
  policy_arn = aws_iam_policy.codepipeline_role_policy.arn
  role       = aws_iam_role.codepipeline_role.name
}