
Update OIDC role session name and add log permissions for CodeBuild

Yuki Takei 3 months ago
parent
commit
9280d4b663

+ 1 - 1
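--- a/.github/workflows/reusable-app-build-image.yml
+++ b/.github/workflows/reusable-app-build-image.yml
@@ -40,7 +40,7 @@ jobs:
       with:
         aws-region: ap-northeast-1
         role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME_FOR_OIDC }}
-        role-session-name: SessionForReleaseGROWI-RC
+        role-session-name: GitHubActions-SessionForReleaseGROWI-${{ github.run_id }}
 
     - name: Run CodeBuild
       uses: dark-mechanicum/aws-codebuild@v1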
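Review bot: The new role-session-name fits the STS limits (2–64 characters from `[\w+=,.@-]`; the fixed prefix is 37 characters and `github.run_id` is numeric), but if the role's trust policy in oidc.tf conditions on `sts:RoleSessionName`, that condition must be updated to match the new pattern or every assume-role call will now be denied; the trust policy is not part of this commit, so this is inferred. Re-running a workflow keeps the same `github.run_id`, so appending the attempt number keeps the session name unique per execution in CloudTrail: `role-session-name: GitHubActions-SessionForReleaseGROWI-${{ github.run_id }}-${{ github.run_attempt }}`. The step that owns this `with:` block starts before the hunk.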

+ 8 - 0
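--- a/apps/app/docker/codebuild/oidc.tf
+++ b/apps/app/docker/codebuild/oidc.tf
@@ -23,4 +23,12 @@ data "aws_iam_policy_document" "policy_document" {
       module.codebuild.project_arn
     ]
   }
+  statement {
+    actions = [
+      "logs:GetLogEvents"
+    ]
+    resources = [
+      "arn:aws:logs:*:*:log-group:/aws/codebuild/${module.codebuild.project_name}:*"
+    ]
+  }
 }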
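Review bot: The added statement's resource ARN leaves both the region and the account as `*` (`arn:aws:logs:*:*:log-group:...`), so the identity policy does not constrain where a same-named CodeBuild log group may be read from, even though the workflow in this commit only operates in ap-northeast-1. Scoping it is a one-line change: `"arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/codebuild/${module.codebuild.project_name}:*"`, with `data "aws_region" "current" {}` and `data "aws_caller_identity" "current" {}` declared if the file does not already have them (that part of the file is outside the hunk). A `sid = "ReadCodeBuildLogs"` line on the new statement would also make it easy to identify in the rendered policy document. The enclosing `data "aws_iam_policy_document" "policy_document"` block begins before this hunk.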