Prefer aws_iam_policy_document over jsonencode().

aws_iam_policy_document does more ahead-of-time checking and is marginally less foot-shooty than writing IAM policies directly in JSON.
alphagov · Nov 13, 2023 · 42402a0 · 42402a0
1 parent 34ba3c2
commit 42402a0
Showing 1 changed file with 32 additions and 37 deletions.
diff --git a/terraform/deployments/github/mirror.tf b/terraform/deployments/github/mirror.tf
@@ -6,46 +6,41 @@ resource "aws_codecommit_repository" "govuk_repos" {
   default_branch  = each.value.default_branch
 }
 
-resource "aws_iam_role" "github_action_mirror_repos_role" {
-  name = "github_action_mirror_repos_role"
+data "aws_iam_policy_document" "github_action_can_assume_role" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    principals {
+      type        = "Federated"
+      identifiers = [aws_iam_openid_connect_provider.github_provider.arn]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = ["repo:alphagov/govuk-infrastructure:ref:refs/heads/main"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = aws_iam_openid_connect_provider.github_provider.client_id_list
+    }
+  }
+}
 
+resource "aws_iam_role" "github_action_mirror_repos_role" {
+  name                 = "github_action_mirror_repos_role"
   max_session_duration = 10800
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        "Effect" : "Allow",
-        "Principal" : {
-          "Federated" : "${aws_iam_openid_connect_provider.github_provider.arn}"
-        },
-        "Action" : "sts:AssumeRoleWithWebIdentity",
-        "Condition" : {
-          "StringEquals" : {
-            "token.actions.githubusercontent.com:sub" : [
-              "repo:alphagov/govuk-infrastructure:ref:refs/heads/main"
-            ],
-            "token.actions.githubusercontent.com:aud" : "${one(aws_iam_openid_connect_provider.github_provider.client_id_list)}"
-          },
-        }
-      }
-    ]
-  })
+  assume_role_policy   = data.aws_iam_policy_document.github_action_can_assume_role.json
 }
 
-resource "aws_iam_role_policy" "github_action_mirror_repos_policy" {
-  name = "github_action_mirror_repos_policy"
-  role = aws_iam_role.github_action_mirror_repos_role.id
+data "aws_iam_policy_document" "push_to_codecommit" {
+  statement {
+    actions   = ["codecommit:GitPush"]
+    resources = ["*"]
+  }
+}
 
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action = [
-          "codecommit:GitPush"
-        ]
-        Effect   = "Allow"
-        Resource = "*"
-      },
-    ]
-  })
+resource "aws_iam_role_policy" "github_action_mirror_repos_policy" {
+  name   = "github_action_mirror_repos_policy"
+  role   = aws_iam_role.github_action_mirror_repos_role.id
+  policy = data.aws_iam_policy_document.push_to_codecommit.json
 }