# Region and account id of the AWS credentials Terraform is running with;
# both are aliased in the locals block below.
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}
# GitHub provider used to manage the repository webhook. It authenticates with
# the same token the pipeline's Source action and both webhook resources use,
# so var.github_oauth_token should be declared sensitive — several resources
# below write it into Terraform state.
provider "github" {
  owner = var.github_repo_owner
  token = var.github_oauth_token
}
# Short aliases for the caller's region and account id. Neither is referenced
# in this file; presumably other files of the module consume them.
locals {
  account_id = data.aws_caller_identity.current.account_id
  aws_region = data.aws_region.current.name
}
# Trust policy letting the CodePipeline service assume the pipeline role.
#
# NOTE(review): the trust is granted to the service principal without an
# aws:SourceAccount / aws:SourceArn condition, so any pipeline the service runs
# could in principle assume this role (confused-deputy hardening). Confirm the
# condition keys CodePipeline supports before adding one.
data "aws_iam_policy_document" "codepipeline_assume" {
  statement {
    effect  = "Allow" # explicit; this is also the default
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["codepipeline.amazonaws.com"]
    }
  }
}
# Service role the pipeline runs as. It carries no permissions of its own; the
# baseline policy is attached inline by aws_iam_role_policy.codepipeline_baseline.
resource "aws_iam_role" "codepipeline" {
  name               = "codepipeline-${var.name}"
  tags               = var.tags
  assume_role_policy = data.aws_iam_policy_document.codepipeline_assume.json
}
# Least-privilege permissions for the pipeline role: object read/write in the
# artifact bucket created by the codebuild_project module, and start/poll of
# the single CodeBuild project. Both statements are scoped to those ARNs; no
# wildcard resources.
#
# NOTE(review): the artifact-store statement grants only GetObject/PutObject.
# CodePipeline's documented service-role policy also lists versioning-related
# S3 actions, and a bucket encrypted with a customer KMS key (cf.
# var.svcs_account_aws_kms_cmk_arn passed to the module) would additionally
# need KMS permissions here — confirm against the module's bucket settings.
data "aws_iam_policy_document" "codepipeline_baseline" {
  # Artifact store: read source/build artifacts and write new ones.
  statement {
    effect    = "Allow"
    actions   = ["s3:PutObject", "s3:GetObject"]
    resources = ["${module.codebuild_project.artifact_bucket_arn}/*"]
  }

  # Build stage: start the project and poll its build status.
  statement {
    effect    = "Allow"
    actions   = ["codebuild:BatchGetBuilds", "codebuild:StartBuild"]
    resources = [module.codebuild_project.codebuild_project_arn]
  }
}
# Inline attachment of the baseline permissions to the pipeline role.
resource "aws_iam_role_policy" "codepipeline_baseline" {
  role   = aws_iam_role.codepipeline.id
  name   = "codepipeline-baseline-${var.name}"
  policy = data.aws_iam_policy_document.codepipeline_baseline.json
}
# CodeBuild project (and its artifact bucket) that the Build stage invokes.
#
# NOTE(review): the module source is pinned to the git tag `2.2`. Tags are
# mutable references; pinning `ref=` to a full commit SHA gives a reproducible,
# tamper-evident dependency for the build definition this pipeline executes.
module "codebuild_project" {
  source = "github.com/Mather-Sophi/aws-codebuild-project?ref=2.2"

  # Project identity and build definition
  name               = var.name
  deploy_type        = "ecr"
  ecr_name           = var.ecr_name
  buildspec          = var.buildspec
  build_compute_type = var.build_compute_type
  tags               = var.tags

  # Credentials the build may pull from the shared services account
  use_docker_credentials                       = var.use_docker_credentials
  use_repo_access_github_token                 = var.use_repo_access_github_token
  svcs_account_github_token_aws_secret_arn     = var.svcs_account_github_token_aws_secret_arn
  svcs_account_aws_kms_cmk_arn                 = var.svcs_account_aws_kms_cmk_arn
  use_sysdig_api_token                         = var.use_sysdig_api_token
  svcs_account_sysdig_api_token_aws_secret_arn = var.svcs_account_sysdig_api_token_aws_secret_arn

  # Artifact bucket hardening
  s3_block_public_access = var.s3_block_public_access
}
# Two-stage pipeline: pull the configured branch from GitHub, then run the
# CodeBuild project on it. Artifacts live in the module's S3 bucket.
#
# NOTE(review): the Source action is the version-1 "ThirdParty/GitHub" action,
# which is configured with a personal OAuth token. AWS recommends the CodeStar
# Connections based GitHub action instead, which avoids placing a repo-access
# token in the pipeline definition (and, depending on provider handling, in
# Terraform state).
#
# Polling is disabled, so pushes only start the pipeline through the webhook
# pair below; with var.create_github_webhook = false the pipeline must be
# released manually.
resource "aws_codepipeline" "pipeline" {
  name     = var.name
  role_arn = aws_iam_role.codepipeline.arn
  tags     = var.tags

  artifact_store {
    type     = "S3"
    location = module.codebuild_project.artifact_bucket_id
  }

  # Stage 1: fetch source, emitting the "code" artifact.
  stage {
    name = "Source"

    action {
      name             = "Source"
      category         = "Source"
      owner            = "ThirdParty"
      provider         = "GitHub"
      version          = "1"
      output_artifacts = ["code"]

      configuration = {
        Owner                = var.github_repo_owner
        Repo                 = var.github_repo_name
        Branch               = var.github_branch_name
        OAuthToken           = var.github_oauth_token
        PollForSourceChanges = "false"
      }
    }
  }

  # Stage 2: build the "code" artifact with the module's CodeBuild project.
  stage {
    name = "Build"

    action {
      name            = "Build"
      category        = "Build"
      owner           = "AWS"
      provider        = "CodeBuild"
      version         = "1"
      input_artifacts = ["code"]

      configuration = {
        ProjectName = module.codebuild_project.codebuild_project_id
      }
    }
  }
}
# CodePipeline-side webhook endpoint. GitHub signs each delivery with the
# shared secret (GITHUB_HMAC) and the filter only releases the Source action
# for pushes to the pipeline's configured branch.
#
# NOTE(review): secret_token reuses var.github_oauth_token. The HMAC secret
# only needs to be a random shared string; reusing the repo-access token means
# a leak on either end of the webhook also exposes repository access. A
# dedicated secret (e.g. a random_password resource) fed to both this block
# and github_repository_webhook.aws_codepipeline would narrow that blast radius.
resource "aws_codepipeline_webhook" "github" {
  # Gate creation on the same flag as the GitHub-side webhook below.
  count = var.create_github_webhook == true ? 1 : 0

  name            = var.name
  target_pipeline = aws_codepipeline.pipeline.name
  target_action   = "Source"
  authentication  = "GITHUB_HMAC"

  authentication_configuration {
    secret_token = var.github_oauth_token
  }

  # {Branch} resolves to the Source action's Branch configuration value.
  filter {
    json_path    = "$.ref"
    match_equals = "refs/heads/{Branch}"
  }
}
# GitHub-side webhook that delivers push events to the CodePipeline endpoint.
# Its secret must equal the secret_token configured on
# aws_codepipeline_webhook.github, otherwise signature verification fails and
# deliveries are dropped.
resource "github_repository_webhook" "aws_codepipeline" {
  # Same gate as the AWS-side webhook, which keeps the [0] index below valid
  # whenever this resource exists.
  count = var.create_github_webhook == true ? 1 : 0

  repository = var.github_repo_name
  events     = ["push"]

  configuration {
    url          = aws_codepipeline_webhook.github[0].url
    content_type = "json"
    secret       = var.github_oauth_token
  }
}