Bitbucket Pipelines for Terraform with OIDC Access to AWS
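# Bitbucket Pipelines for Terraform with OIDC access to AWS.
#
# No long-lived AWS access keys are stored as repository variables. Each step that
# talks to AWS exchanges its short-lived BITBUCKET_STEP_OIDC_TOKEN for role
# credentials via AssumeRoleWithWebIdentity; the AWS SDK picks this up from the
# AWS_WEB_IDENTITY_TOKEN_FILE / AWS_ROLE_ARN environment variables set below.
#
# Pin the tool image to an exact tag (pinning by digest is stronger still).
image: hashicorp/terraform:1.0.7

definitions:
  scripts:
    # Shared shell snippet: exports the web-identity settings and writes the step's
    # OIDC token to the file the SDK reads. The token is written inside a subshell
    # with a restrictive umask so the file is only readable by the build user, and
    # the variable is quoted so an unexpected value cannot be word-split by the shell.
    # The snippet is folded into a single command line, hence the ';' separators.
    - script: &aws-context >-
        export AWS_REGION=REPLACE_WITH_REGION_TO_USE;
        export AWS_WEB_IDENTITY_TOKEN_FILE="$(pwd)/web-identity-token";
        export AWS_ROLE_SESSION_NAME=build-session;
        export AWS_ROLE_ARN=REPLACE_WITH_ROLE_ARN_TO_USE;
        (umask 077; echo "$BITBUCKET_STEP_OIDC_TOKEN" > "$(pwd)/web-identity-token")

  steps:
    # Syntax/semantic check only; no backend and no AWS access are needed, so this
    # step does not request an OIDC token (least privilege: a token it never uses
    # would still be minted for it).
    - step: &validate
        name: Validate Terraform config
        script:
          - terraform init -backend=false
          - terraform validate

    # Produce a saved plan. The plan file is passed to the apply step as an
    # artifact so that exactly the reviewed changes are applied. Note that a plan
    # file can contain sensitive values from state, so artifact retention and
    # who can download artifacts matters.
    - step: &plan
        name: Terraform Plan
        oidc: true
        script:
          - *aws-context
          - terraform init
          - terraform plan -input=false -out=tfplan.out
        artifacts:
          - tfplan.out

    # Apply the previously saved plan only; a manual trigger keeps a human in the
    # loop before infrastructure changes on main.
    - step: &apply
        name: Terraform Apply
        oidc: true
        trigger: manual
        script:
          - *aws-context
          - terraform init
          - terraform apply -input=false -auto-approve tfplan.out

pipelines:
  branches:
    main:
      - step: *validate
      - step: *plan
      - step: *apply
  default:
    - step: *validate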
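AWSTemplateFormatVersion: 2010-09-09
Description: Basic resources for Terraform
# Creates the remote-state storage (S3 + DynamoDB lock table), the Bitbucket OIDC
# identity provider and the IAM role/policies that Bitbucket Pipelines assumes.
# Values in UPPER CASE quotes are placeholders to replace before deploying.
Resources:
  # State bucket: encrypted at rest, all public access blocked, versioned so a
  # corrupted or accidentally overwritten state file can be recovered.
  TFBucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Key: Purpose
          Value: "Terraform state file remote storage"

  # Lock table used by the Terraform S3 backend (dynamodb_table); LockID is the
  # hash key the backend expects.
  TFDynamoDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      BillingMode: PAY_PER_REQUEST
      SSESpecification:
        SSEEnabled: true
      TableName: terraform-remote-state
      AttributeDefinitions:
        - AttributeName: LockID
          AttributeType: S
      KeySchema:
        - AttributeName: LockID
          KeyType: HASH
      Tags:
        - Key: Purpose
          Value: "Terraform state file remote storage"

  # Bitbucket Pipelines OIDC identity provider. The audience (ClientIdList),
  # thumbprint and issuer URL come from the repository's OpenID Connect settings
  # in Bitbucket.
  BBOidc:
    Type: AWS::IAM::OIDCProvider
    Properties:
      ClientIdList:
        - 'AUDIENCE'
      Tags:
        - Key: Purpose
          Value: "Bitbucket pipelines to assume IAM role"
      ThumbprintList:
        - 'THUMBPRINT'
      Url: 'IDENTITY PROVIDER URL'

  # Role assumed by the pipeline via AssumeRoleWithWebIdentity.
  TFRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated:
                - !Ref BBOidc
            Action:
              - 'sts:AssumeRoleWithWebIdentity'
            # Restrict which tokens may assume the role. Without a Condition, any
            # pipeline that can obtain a token from this provider with a matching
            # audience can assume it. The condition key is the provider URL without
            # the "https://" scheme, followed by ":aud" / ":sub"; the sub pattern
            # should identify the allowed repository/environment/step per
            # Bitbucket's OIDC documentation.
            Condition:
              StringEquals:
                'IDENTITY PROVIDER URL WITHOUT SCHEME:aud': 'AUDIENCE'
              StringLike:
                'IDENTITY PROVIDER URL WITHOUT SCHEME:sub': 'REPLACE_WITH_ALLOWED_SUBJECT_PATTERN'
      RoleName: terraform-iam-role
      Tags:
        - Key: Purpose
          Value: "Access for Bitbucket Pipelines"

  # Minimum access the S3 backend needs to read/write state and take locks.
  TFPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: terraform-base-policy
      Roles:
        - !Ref TFRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 's3:ListBucket'
              - 's3:GetObject'
              - 's3:PutObject'
              - 's3:PutObjectAcl'
            Resource:
              - !Sub 'arn:aws:s3:::${TFBucket}'
              - !Sub 'arn:aws:s3:::${TFBucket}/*'
          - Effect: Allow
            Action:
              - 'dynamodb:GetItem'
              - 'dynamodb:PutItem'
              - 'dynamodb:DeleteItem'
            Resource:
              - !Sub 'arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TFDynamoDBTable}'

  # Permissions for the infrastructure this pipeline manages (CodeBuild). The
  # second statement's actions are not resource-scoped by IAM, hence '*'.
  CBPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: codebuild-access-policy
      Roles:
        - !Ref TFRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'codebuild:CreateProject'
              - 'codebuild:DeleteProject'
              - 'codebuild:UpdateProject'
              - 'codebuild:CreateWebhook'
              - 'codebuild:DeleteWebhook'
              - 'codebuild:UpdateWebhook'
              - 'codebuild:BatchGetProjects'
            Resource:
              - !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/*'
          - Effect: Allow
            Action:
              - 'codebuild:ImportSourceCredentials'
              - 'codebuild:DeleteSourceCredentials'
              - 'codebuild:ListProjects'
              - 'codebuild:ListCuratedEnvironmentImages'
            Resource: '*'

  # iam:PassRole on role/* lets the pipeline hand any role in the account to
  # services it creates; scope the Resource down to the specific service roles
  # Terraform needs to pass once they are known.
  IAMPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: iam-access-policy
      Roles:
        - !Ref TFRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'iam:List*'
              - 'iam:PassRole'
              - 'iam:GetRole*'
            Resource:
              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*'

  # Access to an application bucket managed by Terraform ("bucket" is a placeholder).
  S3Policy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: s3-access-policy
      Roles:
        - !Ref TFRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 's3:List*'
              - 's3:GetObject*'
              - 's3:PutObject'
              - 's3:PutObjectAcl'
            Resource:
              - 'arn:aws:s3:::bucket'
              - 'arn:aws:s3:::bucket/*'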
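#
# Backend config for remote_state
#
# State lives in the S3 bucket and locking uses the DynamoDB table created by the
# CloudFormation template. No credentials are configured here: the pipeline sets
# AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE in the environment and the AWS SDK
# assumes the role from those.
terraform {
  backend "s3" {
    bucket = "BUCKET_FROM_CFTEMPLATE"
    # Object key (path) of the state file inside the bucket, e.g.
    # "project/env/terraform.tfstate". This is not a DynamoDB key; the lock
    # table is configured separately via dynamodb_table.
    key = "REPLACE_WITH_STATE_FILE_KEY"
    region = "REPLACE_WITH_REGION_TO_USE"
    # Request server-side encryption on every state write, in addition to the
    # bucket's default-encryption setting.
    encrypt = true
    dynamodb_table = "DYNAMODB_FROM_CFTEMPLATE"
  }
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}
#
# Configure aws provider
#
# The region here is used for provider API calls; the backend region above is
# independent and must point at where the state bucket actually lives.
provider "aws" {
  region = "REPLACE_WITH_REGION_TO_USE"
}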