Bitbucket Pipelines for Terraform with OIDC Access to AWS
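# Bitbucket Pipelines: validate / plan / apply Terraform against AWS using
# OIDC federation instead of long-lived access keys stored as repository
# variables.
#
# A step with `oidc: true` receives a short-lived JWT in
# BITBUCKET_STEP_OIDC_TOKEN. The &aws-context snippet writes that token to a
# file and exports AWS_WEB_IDENTITY_TOKEN_FILE / AWS_ROLE_ARN, which the AWS
# SDK inside Terraform (s3 backend and aws provider) uses to call
# sts:AssumeRoleWithWebIdentity.
#
# NOTE(review): consider pinning the image by digest (hashicorp/terraform@sha256:...)
# so the toolchain cannot change underneath the pipeline.
image: hashicorp/terraform:1.0.7

definitions:
  scripts:
    # Reusable shell snippet (plain scalar; statements are joined with ';' and
    # run in the same shell as the step's following commands, so the exports
    # persist). The token is written with 0600 permissions inside a subshell so
    # the umask change does not leak into later commands, and printf '%s' is
    # used so no trailing newline is appended to the token.
    - script: &aws-context
        export AWS_REGION=REPLACE_WITH_REGION_TO_USE;
        export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token;
        export AWS_ROLE_SESSION_NAME=build-session;
        export AWS_ROLE_ARN=REPLACE_WITH_ROLE_ARN_TO_USE;
        (umask 077; printf '%s' "$BITBUCKET_STEP_OIDC_TOKEN" > "$AWS_WEB_IDENTITY_TOKEN_FILE")

  steps:
    # Syntax/type validation only: init without a backend and never touch AWS.
    # Deliberately no `oidc: true` here - a step that cannot use the token
    # should not be issued one (least privilege).
    - step: &validate
        name: Validate Terraform config
        script:
          - terraform init -backend=false
          - terraform validate

    # Produce a saved plan for the apply step to consume.
    - step: &plan
        name: Terraform Plan
        oidc: true
        script:
          - *aws-context
          - terraform init -input=false
          - terraform plan -input=false -out=tfplan.out
        # CAUTION: a saved plan file contains every planned attribute value in
        # plaintext, including values Terraform marks as sensitive. Anyone who
        # can download this pipeline's artifacts can read them.
        artifacts:
          - tfplan.out

    # Manual gate before anything is changed in AWS.
    # NOTE(review): binding this step to a Bitbucket deployment environment
    # (`deployment: <name>`) puts the environment UUID into the OIDC `sub`
    # claim, which lets the IAM role's trust policy restrict assumption to this
    # step instead of to any pipeline in the repository; it also enables
    # Bitbucket deployment permissions. Without that, anyone who can push a
    # modified bitbucket-pipelines.yml to a branch can mint a token for this role.
    - step: &apply
        name: Terraform Apply
        oidc: true
        trigger: manual
        script:
          - *aws-context
          - terraform init -input=false
          - terraform apply -input=false -auto-approve tfplan.out

pipelines:
  branches:
    # main gets the full validate -> plan -> (manual) apply chain.
    main:
      - step: *validate
      - step: *plan
      - step: *apply
  # Every other branch only validates; no AWS credentials are issued.
  default:
    - step: *validate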
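AWSTemplateFormatVersion: 2010-09-09
Description: Basic resources for Terraform
# Bootstraps what a Terraform pipeline needs before it can manage anything
# else: an S3 bucket and DynamoDB table for remote state and locking, an IAM
# OIDC provider trusting Bitbucket Pipelines, and the role the pipeline
# assumes. Replace every ALL-CAPS placeholder before deploying.
Resources:
  # Remote-state bucket. Retained on stack deletion/replacement so that a
  # stack mistake cannot destroy the only copy of the Terraform state.
  # NOTE(review): consider adding a bucket policy that denies requests with
  # aws:SecureTransport=false so state is only read or written over TLS.
  TFBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      AccessControl: Private
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # Versioning allows recovery of an earlier state file after a bad apply.
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Key: Purpose
          Value: "Terraform state file remote storage"

  # State-lock table; Terraform's s3 backend locks on the LockID hash key.
  # Retained for the same reason as the bucket.
  TFDynamoDBTable:
    Type: AWS::DynamoDB::Table
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      BillingMode: PAY_PER_REQUEST
      SSESpecification:
        SSEEnabled: true
      TableName: terraform-remote-state
      AttributeDefinitions:
        - AttributeName: LockID
          AttributeType: S
      KeySchema:
        - AttributeName: LockID
          KeyType: HASH
      Tags:
        - Key: Purpose
          Value: "Terraform state file remote storage"

  # Identity provider for Bitbucket Pipelines OIDC tokens. Url, audience and
  # thumbprint come from the repository's Pipelines > OpenID Connect settings.
  BBOidc:
    Type: AWS::IAM::OIDCProvider
    Properties:
      ClientIdList:
        - 'AUDIENCE'
      Tags:
        - Key: Purpose
          Value: "Bitbucket pipelines to assume IAM role"
      ThumbprintList:
        - 'THUMBPRINT'
      Url: 'IDENTITY PROVIDER URL'

  # Role assumed by the pipeline. The trust policy is scoped with conditions on
  # the token's claims: without them, any pipeline that receives a token from
  # this issuer (in Bitbucket, any repository in the workspace, on any branch)
  # could assume the role.
  TFRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated:
                - !Ref BBOidc
            Action:
              - 'sts:AssumeRoleWithWebIdentity'
            Condition:
              # Condition keys are "<provider URL without https://>:<claim>".
              StringEquals:
                'IDENTITY_PROVIDER_HOST_AND_PATH:aud': 'AUDIENCE'
              # Bitbucket's sub claim begins with the repository UUID; restrict
              # it to the repository (and, if the apply step is bound to a
              # deployment environment, that environment) that should deploy.
              # Confirm the exact claim format against Bitbucket's OIDC
              # documentation before deploying.
              StringLike:
                'IDENTITY_PROVIDER_HOST_AND_PATH:sub': 'REPOSITORY_UUID:*'
      RoleName: terraform-iam-role
      Tags:
        - Key: Purpose
          Value: "Access for Bitbucket Pipelines"

  # Access to the remote state bucket and lock table only.
  # s3:PutObjectAcl was removed: the backend config in this gist sets no `acl`,
  # and the bucket blocks public ACLs anyway. Re-add it only if the backend's
  # `acl` argument is configured.
  TFPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: terraform-base-policy
      Roles:
        - !Ref TFRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 's3:ListBucket'
              - 's3:GetObject'
              - 's3:PutObject'
            Resource:
              - !Sub 'arn:aws:s3:::${TFBucket}'
              - !Sub 'arn:aws:s3:::${TFBucket}/*'
          - Effect: Allow
            Action:
              - 'dynamodb:GetItem'
              - 'dynamodb:PutItem'
              - 'dynamodb:DeleteItem'
            Resource:
              - !Sub 'arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TFDynamoDBTable}'

  # CodeBuild resources the Terraform code manages. Project-level actions are
  # scoped to this account/region; the second statement holds account-level
  # actions that do not take a resource ARN, hence '*'.
  CBPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: codebuild-access-policy
      Roles:
        - !Ref TFRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'codebuild:CreateProject'
              - 'codebuild:DeleteProject'
              - 'codebuild:UpdateProject'
              - 'codebuild:CreateWebhook'
              - 'codebuild:DeleteWebhook'
              - 'codebuild:UpdateWebhook'
              - 'codebuild:BatchGetProjects'
            Resource:
              - !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/*'
          - Effect: Allow
            Action:
              - 'codebuild:ImportSourceCredentials'
              - 'codebuild:DeleteSourceCredentials'
              - 'codebuild:ListProjects'
              - 'codebuild:ListCuratedEnvironmentImages'
            Resource: '*'

  # IAM read access for plans, plus iam:PassRole so CodeBuild projects can be
  # given a service role.
  IAMPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: iam-access-policy
      Roles:
        - !Ref TFRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'iam:List*'
              - 'iam:GetRole*'
            Resource:
              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*'
          # iam:PassRole on role/* with no condition lets the pipeline hand
          # *any* role in the account to a service - a privilege-escalation
          # path (e.g. create a CodeBuild project that runs as an admin role).
          # The condition limits it to the service that actually consumes the
          # role; ideally also replace role/* with the ARN(s) of the CodeBuild
          # service role(s) Terraform creates.
          - Effect: Allow
            Action:
              - 'iam:PassRole'
            Resource:
              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*'
            Condition:
              StringEquals:
                'iam:PassedToService': 'codebuild.amazonaws.com'

  # Application bucket the Terraform code reads/writes. The original listed the
  # literal name 'bucket'; substitute the real bucket name.
  S3Policy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: s3-access-policy
      Roles:
        - !Ref TFRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 's3:List*'
              - 's3:GetObject*'
              - 's3:PutObject'
              - 's3:PutObjectAcl'
            Resource:
              - 'arn:aws:s3:::BUCKET_NAME'
              - 'arn:aws:s3:::BUCKET_NAME/*'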
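#
# Backend config for remote_state
#
# No credentials are configured here on purpose: the pipeline exports
# AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE, and the AWS SDK used by both the
# s3 backend and the aws provider assumes the role via
# sts:AssumeRoleWithWebIdentity. Nothing long-lived lives in the repository.
#
terraform {
  # Keep in step with the hashicorp/terraform:1.0.x image the pipeline runs,
  # so local and CI runs agree on state format and CLI behaviour.
  required_version = "~> 1.0"

  backend "s3" {
    bucket = "BUCKET_FROM_CFTEMPLATE"
    # Object key (path) of the state file inside the bucket, e.g.
    # "prod/terraform.tfstate". This is an S3 key, not a DynamoDB key.
    key    = "STATE_FILE_PATH"
    region = "REPLACE_WITH_REGION_TO_USE"
    # Server-side encryption of the state object (the bucket also enforces
    # SSE by default; this makes the intent explicit on the client side).
    encrypt        = true
    dynamodb_table = "DYNAMODB_FROM_CFTEMPLATE"
  }

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}

#
# Configure aws provider
#
provider "aws" {
  region = "REPLACE_WITH_REGION_TO_USE"
}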