Yuki Takei 3 лет назад
Сommit
42369d2dd5

+ 0 - 6
packages/app/docker/codebuild/codebuild.tf

@@ -11,18 +11,12 @@ module "codebuild" {
   source_version      = "refs/heads/support/build-with-codebuild"
   git_clone_depth     = 1
 
-
   buildspec           = "packages/app/docker/codebuild/buildspec/root.yml"
 
   # https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html
   build_image         = "aws/codebuild/standard:6.0"
   build_compute_type  = "BUILD_GENERAL1_LARGE"
 
-  # These attributes are optional, used as ENV variables when building Docker images and pushing them to ECR
-  # For more info:
-  # http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html
-  # https://www.terraform.io/docs/providers/aws/r/codebuild_project.html
-
   privileged_mode     = true
 
   cache_type          = "LOCAL"

+ 24 - 0
packages/app/docker/codebuild/oidc.tf

@@ -1,7 +1,31 @@
+resource "aws_iam_policy" "policy" {
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "codebuild:StartBuild",
+        "codebuild:StopBuild",
+        "codebuild:RetryBuild"
+      ],
+      "Resource": [
+        "*"
+      ]
+    }
+  ]
+}
+POLICY
+}
+
 module "oidc_github" {
   source  = "unfunco/oidc-github/aws"
 
   iam_role_name = "GitHubOIDC-for-growi"
+  iam_role_policy_arns = [
+    aws_iam_policy.policy.arn
+  ]
 
   github_repositories = [
     "weseek/growi",
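Review bot: The new `aws_iam_policy.policy` grants `codebuild:StartBuild`, `codebuild:StopBuild` and `codebuild:RetryBuild` on `"Resource": ["*"]`, so any workflow in the listed GitHub repositories that assumes `GitHubOIDC-for-growi` can start, stop or retry every CodeBuild project in the account rather than only the one declared in codebuild.tf. Scope `Resource` to that project's ARN — the codebuild module's project ARN output if it exposes one (its outputs are outside this hunk), or the literal `arn:aws:codebuild:<region>:<account>:project/<name>` — so a compromised workflow token cannot drive unrelated builds. Consider also setting an explicit `name = "GitHubOIDC-for-growi-codebuild"` instead of the generated `terraform-2023…` name visible in the committed state, and expressing the document with `jsonencode({...})` or an `aws_iam_policy_document` data source so Terraform validates it rather than accepting an opaque heredoc. The state in this same commit shows `arn:aws:iam::aws:policy/ReadOnlyAccess` attached to the role as well, presumably the oidc-github module's default; if the role's only job is triggering builds, disable that attachment in the module so the GitHub token is not a read-everything credential.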

+ 63 - 9
packages/app/docker/codebuild/terraform.tfstate

@@ -1,10 +1,35 @@
 {
   "version": 4,
   "terraform_version": "1.3.7",
-  "serial": 162,
+  "serial": 170,
   "lineage": "7413839f-c67c-02f5-4933-fcb84251bb29",
   "outputs": {},
   "resources": [
+    {
+      "mode": "managed",
+      "type": "aws_iam_policy",
+      "name": "policy",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "arn": "arn:aws:iam::259692501178:policy/terraform-20230117075546916900000001",
+            "description": "",
+            "id": "arn:aws:iam::259692501178:policy/terraform-20230117075546916900000001",
+            "name": "terraform-20230117075546916900000001",
+            "name_prefix": null,
+            "path": "/",
+            "policy": "{\"Statement\":[{\"Action\":[\"codebuild:StartBuild\",\"codebuild:StopBuild\",\"codebuild:RetryBuild\"],\"Effect\":\"Allow\",\"Resource\":[\"*\"]}],\"Version\":\"2012-10-17\"}",
+            "policy_id": "ANPATY5XBDC5MRV6GEQHJ",
+            "tags": null,
+            "tags_all": {}
+          },
+          "sensitive_attributes": [],
+          "private": "bnVsbA=="
+        }
+      ]
+    },
     {
       "mode": "managed",
       "type": "aws_secretsmanager_secret",
@@ -411,10 +436,7 @@
           "sensitive_attributes": [],
           "private": "bnVsbA==",
           "dependencies": [
-            "module.codebuild.data.aws_iam_policy_document.combined_permissions",
-            "module.codebuild.data.aws_iam_policy_document.permissions",
-            "module.codebuild.data.aws_iam_policy_document.vpc_permissions",
-            "module.codebuild.data.aws_s3_bucket.secondary_artifact"
+            "module.codebuild.data.aws_iam_policy_document.combined_permissions"
           ]
         }
       ]
@@ -691,20 +713,49 @@
             "force_detach_policies": false,
             "id": "GitHubOIDC-for-growi",
             "inline_policy": [],
-            "managed_policy_arns": [],
+            "managed_policy_arns": [
+              "arn:aws:iam::aws:policy/ReadOnlyAccess"
+            ],
             "max_session_duration": 3600,
             "name": "GitHubOIDC-for-growi",
             "name_prefix": "",
             "path": "/",
             "permissions_boundary": "",
-            "tags": null,
+            "tags": {},
             "tags_all": {},
             "unique_id": "AROATY5XBDC5JJ573R2X5"
           },
           "sensitive_attributes": [],
           "private": "bnVsbA==",
           "dependencies": [
-            "module.oidc_github.data.aws_iam_policy_document.assume_role"
+            "module.oidc_github.aws_iam_openid_connect_provider.github",
+            "module.oidc_github.data.aws_iam_openid_connect_provider.github",
+            "module.oidc_github.data.aws_iam_policy_document.assume_role",
+            "module.oidc_github.data.tls_certificate.github"
+          ]
+        }
+      ]
+    },
+    {
+      "module": "module.oidc_github",
+      "mode": "managed",
+      "type": "aws_iam_role_policy_attachment",
+      "name": "custom",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "index_key": 0,
+          "schema_version": 0,
+          "attributes": {
+            "id": "GitHubOIDC-for-growi-20230117075548501900000002",
+            "policy_arn": "arn:aws:iam::259692501178:policy/terraform-20230117075546916900000001",
+            "role": "GitHubOIDC-for-growi"
+          },
+          "sensitive_attributes": [],
+          "private": "bnVsbA==",
+          "dependencies": [
+            "aws_iam_policy.policy",
+            "module.oidc_github.aws_iam_role.github"
           ]
         }
       ]
@@ -727,9 +778,12 @@
           "sensitive_attributes": [],
           "private": "bnVsbA==",
           "dependencies": [
+            "module.oidc_github.aws_iam_openid_connect_provider.github",
             "module.oidc_github.aws_iam_role.github",
+            "module.oidc_github.data.aws_iam_openid_connect_provider.github",
             "module.oidc_github.data.aws_iam_policy_document.assume_role",
-            "module.oidc_github.data.aws_partition.current"
+            "module.oidc_github.data.aws_partition.current",
+            "module.oidc_github.data.tls_certificate.github"
           ]
         }
       ]
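Review bot: `packages/app/docker/codebuild/terraform.tfstate` is tracked in git and rewritten by this commit (serial 162 → 170), which publishes the AWS account ID `259692501178`, IAM role and policy identifiers and the complete resource graph — including a managed `aws_secretsmanager_secret` — to everyone with read access to the repository. Terraform state stores resource attributes in plaintext and can include secret values (secret versions, keys, passwords); whether any are present in this file is not visible in these hunks, but a committed state that manages Secrets Manager resources should be treated as exposed until checked. Move state to a remote backend with encryption and locking (for example an S3 backend with `encrypt = true` and a DynamoDB lock table), purge the file from history, and add `*.tfstate` and `*.tfstate.backup` to `.gitignore`. Rotate any credential whose value turns out to have been in the committed state.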