From 5fb7d87b8c0fd203b6dcadadb38de506e51c0351 Mon Sep 17 00:00:00 2001
From: pm-trey <127399938+pm-trey@users.noreply.github.com>
Date: Sat, 11 Mar 2023 14:30:31 -0600
Subject: [PATCH 01/10] Use forked version of codebuild TF

---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index c908b66..7864ef2 100644
--- a/main.tf
+++ b/main.tf
@@ -203,7 +203,7 @@ data "aws_iam_policy_document" "codebuild" {
 }
 
 module "codebuild" {
- source = "cloudposse/codebuild/aws"
+ source = "github.com/PharmacyMarketplace/terraform-aws-codebuild"
 version = "1.0.0"
 build_image = var.build_image
 build_compute_type = var.build_compute_type

From 7432b161df1df770c94b5b2996c248b1adbf6868 Mon Sep 17 00:00:00 2001
From: pm-trey <127399938+pm-trey@users.noreply.github.com>
Date: Sat, 11 Mar 2023 14:32:03 -0600
Subject: [PATCH 02/10] No version needed

---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 7864ef2..8194fd8 100644
--- a/main.tf
+++ b/main.tf
@@ -204,7 +204,7 @@ data "aws_iam_policy_document" "codebuild" {
 
 module "codebuild" {
 source = "github.com/PharmacyMarketplace/terraform-aws-codebuild"
- version = "1.0.0"
+# version = "1.0.0"
 build_image = var.build_image
 build_compute_type = var.build_compute_type
 buildspec = var.buildspec

From 53b752539d084e116b03ed053b229acb4ea6ad31 Mon Sep 17 00:00:00 2001
From: pm-trey <127399938+pm-trey@users.noreply.github.com>
Date: Sat, 11 Mar 2023 20:37:06 -0600
Subject: [PATCH 03/10] Add Github token type for compatibility

---
 main.tf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/main.tf b/main.tf
index 8194fd8..d199820 100644
--- a/main.tf
+++ b/main.tf
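Review bot: The forked module source `github.com/PharmacyMarketplace/terraform-aws-codebuild` carries no `?ref=` pin, so every `terraform init` fetches whatever the fork's default branch holds at that moment; the `version = "1.0.0"` that patch 01 keeps next to it is not accepted for a git source (presumably why patch 02 comments it out), so nothing pins what gets applied. Pin a tag or commit, `source = "github.com/PharmacyMarketplace/terraform-aws-codebuild?ref=<tag-or-commit>"`, and delete the version line rather than leaving it commented. Patch 02 shares this issue; patch 03 later returns to the registry source with an explicit version, which resolves it for the end state, so this applies only if the fork is reintroduced.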
@@ -203,8 +203,8 @@ data "aws_iam_policy_document" "codebuild" {
 }
 
 module "codebuild" {
- source = "github.com/PharmacyMarketplace/terraform-aws-codebuild"
-# version = "1.0.0"
+ source = "cloudposse/codebuild/aws"
+ version = "1.0.0"
 build_image = var.build_image
 build_compute_type = var.build_compute_type
 buildspec = var.buildspec
@@ -215,6 +215,7 @@ module "codebuild" {
 image_repo_name = var.image_repo_name
 image_tag = var.image_tag
 github_token = var.github_oauth_token
+ github_token_type = "PLAINTEXT"
 environment_variables = var.environment_variables
 cache_bucket_suffix_enabled = var.codebuild_cache_bucket_suffix_enabled
 cache_type = var.cache_type

From 874f6a0cc94f7089a6c405408ba564d331ff6155 Mon Sep 17 00:00:00 2001
From: Trey McMeans
Date: Sat, 18 Mar 2023 12:12:13 -0500
Subject: [PATCH 04/10] Block public access

---
 main.tf | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/main.tf b/main.tf
index d199820..763780d 100644
--- a/main.tf
+++ b/main.tf
@@ -48,6 +48,15 @@ resource "aws_s3_bucket" "default" {
 }
 
+resource "aws_s3_bucket_public_access_block" "example" {
+ bucket = aws_s3_bucket.default.id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
 resource "aws_iam_role" "default" {
 count = local.enabled ? 1 : 0
 name = module.this.id

From 5b222f6487956d94f175d254bfbba1635d583394 Mon Sep 17 00:00:00 2001
From: Trey McMeans
Date: Sat, 18 Mar 2023 13:32:10 -0500
Subject: [PATCH 05/10] Handle outside of module

---
 main.tf | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/main.tf b/main.tf
index 763780d..d199820 100644
--- a/main.tf
+++ b/main.tf
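Review bot: `github_token_type = "PLAINTEXT"` in patch 03's second hunk hands `var.github_oauth_token` to the module as a literal credential, so the token value ends up in the Terraform state and in plan output for anyone who can read either. If the pinned module version supports the non-plaintext token types (a Parameter Store or Secrets Manager reference), prefer one of those so only a reference is stored; at minimum `github_oauth_token` should be declared `sensitive = true` in variables.tf (not visible here) so it is redacted from plan/apply output. A comment next to the line would record the tradeoff: `# PLAINTEXT stores the token value in state; prefer a parameter/secret reference`. The `module "codebuild"` block continues outside the hunk.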
@@ -48,15 +48,6 @@ resource "aws_s3_bucket" "default" {
 }
 
-resource "aws_s3_bucket_public_access_block" "example" {
- bucket = aws_s3_bucket.default.id
-
- block_public_acls = true
- block_public_policy = true
- ignore_public_acls = true
- restrict_public_buckets = true
-}
-
 resource "aws_iam_role" "default" {
 count = local.enabled ? 1 : 0
 name = module.this.id

From 66942d445a59d6ae9dc6b986fa475b85b1e3681c Mon Sep 17 00:00:00 2001
From: Trey McMeans
Date: Sat, 16 Sep 2023 18:12:31 -0500
Subject: [PATCH 06/10] Add approval stage

---
 main.tf | 20 ++++++++++++++++++++
 variables.tf | 10 ++++++++++
 2 files changed, 30 insertions(+)

diff --git a/main.tf b/main.tf
index d199820..8eafcbb 100644
--- a/main.tf
+++ b/main.tf
@@ -278,6 +278,26 @@ resource "aws_codepipeline" "default" {
 }
 }
 
+ dynamic "stage" {
+ for_each = var.approve_sns_arn != "" && var.approve_sns_arn != "" ? ["true"] : []
+
+ content {
+ name = "Approval"
+ action {
+ name = "Approval"
+ category = "Approval"
+ owner = "AWS"
+ provider = "Manual"
+ version = "1"
+
+ configuration {
+ NotificationArn = "${var.approve_sns_arn}"
+ CustomData = "${var.approve_comment}"
+ }
+ }
+ }
+ }
+
 stage {
 name = "Build"
diff --git a/variables.tf b/variables.tf
index ab13297..2cf3892 100644
--- a/variables.tf
+++ b/variables.tf
@@ -191,3 +191,13 @@ variable "website_bucket_acl" {
 default = "public-read"
 description = "Canned ACL of the S3 bucket objects that get served as a website, can be private if using CloudFront with OAI"
 }
+
+variable "approve_comment" {
+ type = string
+ default = "Approval needed for deployment"
+}
+
+variable "approve_sns_arn" {
+ type = string
+ default = ""
+}
\ No newline at end of file

From a916daa8669007ed5e37cf6ff8d3493842040353 Mon Sep 17 00:00:00 2001
From: Trey McMeans
Date: Sat, 16 Sep 2023 18:22:46 -0500
Subject: [PATCH 07/10] Adding approval stage

---
 main.tf | 20 ++++++++++++++++++++
 variables.tf | 10 ++++++++++
 2 files changed, 30 insertions(+)

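Review bot: The `for_each` guard on the new `dynamic "stage"` block in patch 06's main.tf hunk tests `var.approve_sns_arn != ""` twice; the second operand is redundant and reads like a copy error, so either drop it or substitute the condition actually intended (I cannot tell from here whether `var.approve_comment` was meant). Suggest `for_each = var.approve_sns_arn != "" ? ["true"] : []`. The `"${var.approve_sns_arn}"` and `"${var.approve_comment}"` wrappers are interpolation-only strings and can be plain `var.approve_sns_arn` and `var.approve_comment`. Patch 07 resends this hunk byte-for-byte (same index `d199820..8eafcbb`) and carries the same issues; `aws_codepipeline.default` starts and ends outside the hunk.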
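Review bot: The new `approve_comment` and `approve_sns_arn` variables in patch 06's variables.tf hunk have no `description`, unlike the surrounding declarations such as `website_bucket_acl`. Add `description = "SNS topic ARN notified by the manual Approval stage; leave empty to omit the stage"` to `approve_sns_arn` and `description = "Text passed as CustomData to the manual Approval action"` to `approve_comment`, and end the file with a newline (the hunk reports `\ No newline at end of file`). Patch 07 repeats this hunk unchanged.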
diff --git a/main.tf b/main.tf
index d199820..8eafcbb 100644
--- a/main.tf
+++ b/main.tf
@@ -278,6 +278,26 @@ resource "aws_codepipeline" "default" {
 }
 }
 
+ dynamic "stage" {
+ for_each = var.approve_sns_arn != "" && var.approve_sns_arn != "" ? ["true"] : []
+
+ content {
+ name = "Approval"
+ action {
+ name = "Approval"
+ category = "Approval"
+ owner = "AWS"
+ provider = "Manual"
+ version = "1"
+
+ configuration {
+ NotificationArn = "${var.approve_sns_arn}"
+ CustomData = "${var.approve_comment}"
+ }
+ }
+ }
+ }
+
 stage {
 name = "Build"
diff --git a/variables.tf b/variables.tf
index ab13297..2cf3892 100644
--- a/variables.tf
+++ b/variables.tf
@@ -191,3 +191,13 @@ variable "website_bucket_acl" {
 default = "public-read"
 description = "Canned ACL of the S3 bucket objects that get served as a website, can be private if using CloudFront with OAI"
 }
+
+variable "approve_comment" {
+ type = string
+ default = "Approval needed for deployment"
+}
+
+variable "approve_sns_arn" {
+ type = string
+ default = ""
+}
\ No newline at end of file

From bd67e22b589af282aca136a88bf27d2d0e4d39d1 Mon Sep 17 00:00:00 2001
From: Trey McMeans
Date: Sat, 16 Sep 2023 18:26:45 -0500
Subject: [PATCH 08/10] Correct block type

---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 8eafcbb..2f70656 100644
--- a/main.tf
+++ b/main.tf
@@ -290,7 +290,7 @@ resource "aws_codepipeline" "default" {
 provider = "Manual"
 version = "1"
 
- configuration {
+ configuration = {
 NotificationArn = "${var.approve_sns_arn}"
 CustomData = "${var.approve_comment}"
 }

From c63af8ac6bebb33bcd14e2c01a029557d4944cc3 Mon Sep 17 00:00:00 2001
From: Trey McMeans
Date: Mon, 18 Sep 2023 17:20:52 -0500
Subject: [PATCH 09/10] Block S3 public ACLs

---
 main.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/main.tf b/main.tf
index 2f70656..3794379 100644
--- a/main.tf
+++ b/main.tf
@@ -21,6 +21,7 @@ resource "aws_s3_bucket" "default" {
 acl = "private"
 force_destroy = var.force_destroy
 tags = module.this.tags
+ block_public_acls = true
 
 versioning {
 enabled = var.versioning_enabled

From a511c17d24a2c1d7e465be425adc76d96f5fb36b Mon Sep 17 00:00:00 2001
From: pm-trey <127399938+pm-trey@users.noreply.github.com>
Date: Fri, 22 Sep 2023 14:10:59 +0000
Subject: [PATCH 10/10] Do not block public ACLs

---
 main.tf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/main.tf b/main.tf
index 3794379..2f70656 100644
--- a/main.tf
+++ b/main.tf
@@ -21,7 +21,6 @@ resource "aws_s3_bucket" "default" {
 acl = "private"
 force_destroy = var.force_destroy
 tags = module.this.tags
- block_public_acls = true
 
 versioning {
 enabled = var.versioning_enabled
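Review bot: `block_public_acls` is not an argument of the `aws_s3_bucket` resource that patch 09 adds it to; it belongs to the separate `aws_s3_bucket_public_access_block` resource, which is presumably why patch 10 deletes the line again. The end state of the series therefore leaves the bucket with only `acl = "private"` and no public access block at all (patch 04 added one and patch 05 removed it as handled outside the module), and nothing in the file records that decision. If the module is meant to own the bucket's posture, reintroduce that resource next to the bucket, gated like its siblings on `local.enabled` (use `aws_s3_bucket.default[0].id` instead if the bucket itself is count-gated, which is not visible here); otherwise a comment near `acl = "private"` saying the public access block is managed by the caller would stop the next reader from repeating patches 09/10. `aws_s3_bucket.default` starts outside the hunk.
```hcl
# … unchanged: resource "aws_s3_bucket" "default" { … } …

resource "aws_s3_bucket_public_access_block" "default" {
  count  = local.enabled ? 1 : 0
  bucket = aws_s3_bucket.default.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```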