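--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -42,6 +42,25 @@ terraform: guard-env guard-stack guard-tf-command terraform-init terraform-works
 mkdir -p ./build
 terraform -chdir=./stacks/$(stack ) output -json > ./build/terraform_outputs_$(stack ) .json
 
+terraform-as-github : SHELL=/bin/bash
+terraform-as-github : guard-env guard-stack guard-tf-command
+@role=$$( [ "$(stack ) " = "iams-developer-roles" ] && \
+echo arn:aws:iam::448049830832:role/service-roles/github-actions-iam-bootstrap-role || \
+echo arn:aws:iam::448049830832:role/service-roles/github-actions-api-deployment-role ); \
+read AK SK ST <<< $$ (aws sts assume-role --role-arn $$ role --role-session-name local \
+--query ' Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text); \
+export AWS_ACCESS_KEY_ID=$$ AK AWS_SECRET_ACCESS_KEY=$$ SK AWS_SESSION_TOKEN=$$ ST; \
+echo " Caller identity after assume-role:" ; \
+aws sts get-caller-identity; \
+d=./stacks/$(stack ) ; \
+terraform -chdir=$$ d init -backend-config=backends/$(env ) .$(stack ) .tfbackend -upgrade; \
+terraform -chdir=$$ d get -update; \
+terraform -chdir=$$ d $(tf-command ) $(args ) -var=" environment=$( env) " \
+$$( [ "$(tf-command ) " != "init" ] && echo --parallelism=30 ) \
+$$( [ "$(tf-command ) " = "apply" ] && echo -auto-approve ) ; \
+mkdir -p build; \
+terraform -chdir=$$ d output -json > build/terraform_outputs_$(stack ) .json
+
 # ##################
 # ### Bootstrap ####
 # ##################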
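Review bot: A failed `aws sts assume-role` on new line 50 does not abort the recipe: every step is chained with `;`, so `read` leaves AK/SK/ST empty, the `export` on line 52 sets empty credential variables, and `terraform … -auto-approve` on lines 58–60 still runs against whatever credentials are ambient in the operator's shell — the opposite of what this target exists for. Start the recipe with `@set -euo pipefail; role=$$( … ) ; \` (or chain the steps with `&&`) so the first failure stops it; the `$$( [ … ] && echo … )` substitutions on lines 59–60 are not affected by `-e`. The `get-caller-identity` on line 54 is only informational; if it is meant as a guard, compare its `Arn` with `$$role` and exit non-zero on mismatch. `--role-session-name local` makes every operator's session indistinguishable in CloudTrail; a name that includes the caller, such as `local-$$USER`, would keep attribution. The role ARN is chosen by `$(stack)` alone while the backend is chosen by `$(env)`, which presumably is fine only if every environment lives in account 448049830832 — worth confirming or deriving the account from `$(env)`.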
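--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -704,6 +704,21 @@ data "aws_iam_policy_document" "github_actions_assume_role" {
 values = [" sts.amazonaws.com" ]
 }
 }
+dynamic "statement" {
+for_each = var. environment == " dev" ? [1 ] : []
+content {
+sid = " AllowDevSSORoleToAssumeIamBootstrap"
+effect = " Allow"
+actions = [" sts:AssumeRole" ]
+
+principals {
+type = " AWS"
+identifiers = [
+local . dev_role_arn
+]
+}
+}
+}
 }
 
 resource "aws_iam_policy" "stream_management" {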
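Review bot: The `sid` on new line 710, `AllowDevSSORoleToAssumeIamBootstrap`, is copied from the bootstrap trust policy, but this document is `github_actions_assume_role`, so policy reviews and CloudTrail will attribute a grant on the deployment role to the bootstrap role; rename it to describe this role, e.g. `sid = "AllowDevSSORoleToAssumeGithubActionsRole"`. The statement carries no `condition` block and is gated only on `var.environment == "dev"`, an input the caller supplies, so a run that passes `environment=dev` against another account would attempt to add the same trust there — if the dev account is the only place this should ever land, a one-line comment stating that assumption and why operators need to assume this role locally (presumably the `terraform-as-github` make target) would help the next reviewer. The identical dynamic block appears in `github_actions_iam_bootstrap_assume_role`; if the two must stay in sync, defining the statement once and pulling it in through `source_policy_documents` would prevent drift. The enclosing `data` block starts above the hunk.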
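--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -91,4 +91,19 @@ data "aws_iam_policy_document" "github_actions_iam_bootstrap_assume_role" {
 ]
 }
 }
+dynamic "statement" {
+for_each = var. environment == " dev" ? [1 ] : []
+content {
+sid = " AllowDevSSORoleToAssumeIamBootstrap"
+effect = " Allow"
+actions = [" sts:AssumeRole" ]
+
+principals {
+type = " AWS"
+identifiers = [
+local . dev_role_arn
+]
+}
+}
+}
 }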
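Review bot: Nothing in the new statement (lines 94–108) records why a human SSO permission set may now assume the IAM bootstrap role, and the role's name suggests it holds IAM-management permissions, so this effectively extends those permissions to everyone assigned the `vdselid` permission set in dev. Add a comment above the `dynamic` block such as `# dev only: lets operators on the vdselid SSO permission set run the iams-developer-roles stack locally via "make terraform-as-github"` (hedged — confirm that is the actual consumer). Because the grant is unconditional, consider whether a `condition` on the session is appropriate here; at minimum, the dev-only intent should be visible in the policy itself, not only in the `for_each`. The enclosing `data` block starts above the hunk.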
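--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,5 +1,6 @@
 locals {
 stack_name = " iams-developer-roles"
+dev_role_arn = " arn:aws:iam::${ data . aws_caller_identity . current . account_id } :role/aws-reserved/sso.amazonaws.com/${ var . default_aws_region } /AWSReservedSSO_vdselid_${ var . environment } _d92ae328ac8d84c7"
 lambda_signing_profile_name = " ${ terraform . workspace == " default" ? " " : " ${ terraform . workspace } " } EligibilityApiLambdaSigningProfile"
 lambda_signing_profile_arn = " arn:aws:signer:${ var . default_aws_region } :${ data . aws_caller_identity . current . account_id } :/signing-profiles/${ local . lambda_signing_profile_name } "
 }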
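Review bot: `dev_role_arn` on new line 3 templates the role name on `var.environment` but hard-codes the permission-set suffix `d92ae328ac8d84c7`, and the path uses `var.default_aws_region` where the SSO-reserved path holds the Identity Center home region; the suffix is assigned per permission set, so this ARN presumably only resolves in dev (consistent with the `== "dev"` gate in the trust policies), and the region equality is an assumption worth confirming. Add a comment stating both, e.g. `# SSO-provisioned role for the vdselid permission set; the suffix is fixed by Identity Center and the ARN is only valid in dev`. If the permission set is recreated the suffix changes and the trust statements should fail at apply time with an invalid-principal error rather than silently trusting a different role, which is acceptable but currently undocumented. Looking the role up at plan time with `data "aws_iam_roles"` using `path_prefix` and a `name_regex` on the `AWSReservedSSO_vdselid_` prefix would remove the hard-coded suffix entirely.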