Merge pull request #5 from Intelliflo/update-policies

fix: update policies

Author: rgomes-ifl

images/ubuntu-focal/github_agent.ubuntu.pkr.hcl

@@ -104,7 +104,7 @@ source "amazon-ebs" "githubrunner" {
   associate_public_ip_address               = var.associate_public_ip_address
   temporary_security_group_source_public_ip = var.temporary_security_group_source_public_ip
 
-  ssh_interface        = "session_manager"
+  ssh_interface        = "session_manager" # needed because tower control is blocking port 22
   iam_instance_profile = "AmazonSSMRoleForInstancesQuickSetup"
 
   source_ami_filter {

modules/runners/policies-custom.tf

@@ -0,0 +1,73 @@
+resource "aws_iam_role_policy" "gh_artifacts_bucket" {
+  name = "github-ci-loop-artifacts-bucket"
+  role = aws_iam_role.runner.name
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid = "githubActionArtifacts",
+        Action = [
+          "s3:ListBucket",
+          "s3:GetObject",
+          "s3:GetObjectTagging",
+          "s3:DeleteObject",
+          "s3:PutObject",
+          "s3:PutObjectAcl",
+          "s3:PutObjectTagging"
+        ]
+        Effect = "Allow"
+        Resource = [
+          "arn:aws:s3:::github-ci-loop-artifacts/*",
+          "arn:aws:s3:::github-ci-loop-artifacts",
+          "arn:aws:s3:::packages.shs-ie-01.intelliflo.services/*",
+          "arn:aws:s3:::packages.shs-ie-01.intelliflo.services",
+          "arn:aws:s3:::mssql-migrations.shs-ie-01.intelliflo.services/*",
+          "arn:aws:s3:::mssql-migrations.shs-ie-01.intelliflo.services"
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy" "runner_ecr_scan_push_access" {
+  name = "ecr-scan-push-access"
+  role = aws_iam_role.runner.name
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid = "githubActionEcr",
+        Action = [
+          "ecr:DescribeImageScanFindings",
+          "ecr:StartImageScan",
+          "ecr:GetDownloadUrlForLayer",
+          "ecr:DescribeRegistry",
+          "ecr:GetAuthorizationToken",
+          "ecr:ListTagsForResource",
+          "ecr:UploadLayerPart",
+          "ecr:BatchDeleteImage",
+          "ecr:ListImages",
+          "ecr:PutImage",
+          "ecr:BatchGetImage",
+          "ecr:CompleteLayerUpload",
+          "ecr:DescribeImages",
+          "ecr:DescribeRepositories",
+          "ecr:InitiateLayerUpload",
+          "ecr:BatchCheckLayerAvailability"
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "runner_code_artifact_admin_access" {
+  role       = aws_iam_role.runner.name
+  policy_arn = "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
+}
+
+resource "aws_iam_role_policy_attachment" "runner_basic_ecr_access" {
+  role       = aws_iam_role.runner.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess"
+}

modules/runners/policies-runner.tf

@@ -71,30 +71,3 @@ resource "aws_iam_role_policy" "ec2" {
 }
 
 # see also logging.tf for logging and metrics policies
-
-resource "aws_iam_role_policy" "gh_artifacts_bucket" {
-  name = "github-ci-loop-artifacts-bucket"
-  role = aws_iam_role.runner.name
-  policy = templatefile("${path.module}/policies/instance-s3-gh-policy.json",
-    {
-      s3_arn          = "arn:aws:s3:::github-ci-loop-artifacts"
-      s3_packages_arn = "arn:aws:s3:::packages.shs-ie-01.intelliflo.services"
-    }
-  )
-}
-
-resource "aws_iam_role_policy" "runner_ecr_scan_push_access" {
-  name   = "ecr-scan-push-access"
-  role   = aws_iam_role.runner.name
-  policy = file("${path.module}/policies/instance-ecr-gh-policy.json")
-}
-
-resource "aws_iam_role_policy_attachment" "runner_code_artifact_admin_access" {
-  role       = aws_iam_role.runner.name
-  policy_arn = "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess"
-}
-
-resource "aws_iam_role_policy_attachment" "runner_basic_ecr_access" {
-  role       = aws_iam_role.runner.name
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess"
-}