Add IAM permissions for ECR & SSM access for deploy buildspec
tony-griffin committed Jan 16, 2025
1 parent 04667f7 commit 6479d1f
Showing 1 changed file with 31 additions and 1 deletion.
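--- a/codebase-pipelines/iam.tf
+++ b/codebase-pipelines/iam.tf
@@ -175,12 +175,23 @@ data "aws_iam_policy_document" "ecr_access_for_codebase_pipeline" {
 statement {
 effect = "Allow"
 actions = [
-"ecr:DescribeImages"
+"ecr:DescribeImages",
+"ecr:BatchGetImage",
+"ecr:GetDownloadUrlForLayer"
 ]
 resources = [
 aws_ecr_repository.this.arn
 ]
 }
+statement {
+effect = "Allow"
+actions = [
+"ecr:GetAuthorizationToken"
+]
+resources = [
+"*"
+]
+}
 }
 
 resource "aws_iam_role_policy" "artifact_store_access_for_codebase_pipeline" {
@@ -274,3 +285,22 @@ data "aws_iam_policy_document" "environment_deploy_role_access" {
 ]
 }
 }
+
+resource "aws_iam_role_policy" "ssm_access" {
+name = "ssm-access"
+role = aws_iam_role.codebase_deploy.name
+policy = data.aws_iam_policy_document.ssm_access.json
+}
+
+data "aws_iam_policy_document" "ssm_access" {
+statement {
+effect = "Allow"
+actions = [
+"ssm:GetParameter",
+"ssm:GetParameters"
+]
+resources = [
+"arn:aws:ssm:${local.account_region}:parameter/codebuild/slack_*"
+]
+}
+}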
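Review bot: The `ssm_access` resource ARN `arn:aws:ssm:${local.account_region}:parameter/codebuild/slack_*` is only well formed if `local.account_region` expands to `<region>:<account-id>`; that local is defined outside this diff, so it is worth confirming, and a comment such as `# local.account_region = "<region>:<account-id>"` above the ARN would make the scope auditable. The `slack_*` suffix also lets the deploy role read every current and future parameter under that prefix, so if only specific parameters are needed, listing them explicitly would be tighter. If those parameters are SecureString values encrypted with a customer-managed KMS key, the role presumably also needs `kms:Decrypt` on that key, which this change does not grant. In the ECR document, `resources = ["*"]` for `ecr:GetAuthorizationToken` is expected because that action does not support resource-level permissions; a comment saying so, e.g. `# GetAuthorizationToken cannot be scoped to a repository`, would stop it being flagged in later reviews.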
