From 6ec31b1d918fc7539c0e33766dde0f9d980810ac Mon Sep 17 00:00:00 2001
From: Matt Gowie
Date: Wed, 7 Jul 2021 12:36:21 -0600
Subject: [PATCH] feat: adds support for amplify service role

---
 README.md    | 3 +++
 main.tf      | 24 ++++++++++++++++++++++++
 variables.tf | 6 ++++++
 3 files changed, 33 insertions(+)

diff --git a/README.md b/README.md
index 8921191..a486a36 100644
--- a/README.md
+++ b/README.md
@@ -78,12 +78,15 @@ module "amplify" {
 | [aws_amplify_domain_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/amplify_domain_association) | resource |
 | [aws_amplify_webhook.develop](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/amplify_webhook) | resource |
 | [aws_amplify_webhook.master](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/amplify_webhook) | resource |
+| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no |
+| [amplify\_service\_role\_enabled](#input\_amplify\_service\_role\_enabled) | Whether to enable the IAM Service Role for Amplify or not. See https://docs.aws.amazon.com/amplify/latest/userguide/how-to-service-role-amplify-console.html for full details. | `bool` | `false` | no |
 | [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no |
 | [basic\_auth\_password](#input\_basic\_auth\_password) | The password to use for the basic auth configuration. | `string` | n/a | yes |
 | [basic\_auth\_username](#input\_basic\_auth\_username) | The username to use for the basic auth configuration. | `string` | n/a | yes |
diff --git a/main.tf b/main.tf
index c84ec51..57463cd 100644
--- a/main.tf
+++ b/main.tf
@@ -20,6 +20,29 @@ module "develop_branch_label" {
   context = module.this.context
 }
 
+data "aws_iam_policy_document" "assume_role" {
+  count = module.this.enabled && var.amplify_service_role_enabled ? 1 : 0
+
+  statement {
+    effect = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type = "Service"
+      identifiers = ["amplify.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "default" {
+  count = module.this.enabled && var.amplify_service_role_enabled ? 1 : 0
+
+  name = module.this.id
+  assume_role_policy = join("", data.aws_iam_policy_document.assume_role.*.json)
+  managed_policy_arns = ["arn:aws:iam::aws:policy/AdministratorAccess"]
+  tags = module.this.tags
+}
+
 resource "aws_amplify_app" "this" {
   name = module.this.id
   description = var.description != null ? var.description : "Amplify App for the github.com/${var.organization}/${var.repo} project."
@@ -28,6 +51,7 @@ resource "aws_amplify_app" "this" {
   enable_branch_auto_build = true
   build_spec = var.build_spec_content != "" ? var.build_spec_content : null
   environment_variables = var.global_environment_variables
+  iam_service_role_arn = var.amplify_service_role_enabled ? aws_iam_role.default[0].arn : null
   tags = module.this.tags
 
   enable_basic_auth = var.enable_basic_auth_globally
diff --git a/variables.tf b/variables.tf
index 813e7c2..58651dc 100644
--- a/variables.tf
+++ b/variables.tf
@@ -8,6 +8,12 @@ variable "repo" {
   description = "The name of the repo that the Amplify App will be created around."
 }
 
+variable "amplify_service_role_enabled" {
+  default = false
+  type = bool
+  description = "Whether to enable the IAM Service Role for Amplify or not. See https://docs.aws.amazon.com/amplify/latest/userguide/how-to-service-role-amplify-console.html for full details."
+}
+
 variable "global_environment_variables" {
   default = {}
   type = map(string)
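Review bot: The service role created in `resource "aws_iam_role" "default"` is attached to `arn:aws:iam::aws:policy/AdministratorAccess`, which hands the Amplify build/deploy principal full control of the account whenever `amplify_service_role_enabled` is true. AWS publishes a managed policy scoped to what this role needs, so the default should be `managed_policy_arns = ["arn:aws:iam::aws:policy/AdministratorAccess-Amplify"]`, ideally exposed as a `list(string)` input so callers can narrow it further. The trust policy in `data "aws_iam_policy_document" "assume_role"` has no condition; where the module's Terraform/provider versions allow, a `condition` on `aws:SourceAccount` limited to the deploying account is the usual confused-deputy mitigation for a service principal like `amplify.amazonaws.com`. Neither the variable description nor a comment on the role says what permissions the role carries; a comment such as `# Service role assumed by amplify.amazonaws.com for builds/deploys; managed_policy_arns defines its blast radius` would make that visible to anyone reviewing a caller.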
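Review bot: `iam_service_role_arn = var.amplify_service_role_enabled ? aws_iam_role.default[0].arn : null` indexes a resource whose `count` is `module.this.enabled && var.amplify_service_role_enabled ? 1 : 0`, so with the module disabled and the variable true the `[0]` reference fails at plan time unless `aws_amplify_app.this` is itself count-gated on `module.this.enabled`, which is not visible in this hunk. Gating on the resource's actual presence removes the mismatch: `iam_service_role_arn = length(aws_iam_role.default) > 0 ? aws_iam_role.default[0].arn : null`. The same `count` expression is also written out twice in the previous hunk (the data source and the role); hoisting it into a single local keeps the three places that depend on it from drifting apart. The enclosing `aws_amplify_app` block starts before and continues after this hunk.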