iam-roles.tf
# ---------------------------------------------------------------------------------------------------------------------
# IPFS ENS LAMBDA ROLE
# ---------------------------------------------------------------------------------------------------------------------
# Execution role for the IPFS ENS Lambda API. Its trust policy is
# data.aws_iam_policy_document.lambda_assume_role (defined in another file).
# The aws_iam_role_policy_attachment resources that follow grant it, judging by
# the policy names, CloudWatch Logs, DynamoDB read/write on three tables, S3,
# CodePipeline create/delete and put-job-result, iam:PassRole, and SQS send/consume.
# NOTE(review): this is one role carrying every permission the API needs; if more
# than one function assumes it, each function gets the union. The policy bodies are
# not in this file — confirm each is scoped to specific resource ARNs rather than "*".
resource "aws_iam_role" "ipfs_ens_lambda_iam" {
# Suffixed with the sanitized subdomain, presumably to keep role names unique per deployment.
name = "ipfs-ens-lambda-iam-${local.sanitized_subdomain}"
assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
tags = local.default_tags
}
# Cloudwatch (Logs)
resource "aws_iam_role_policy_attachment" "ipfs_ens_api_cloudwatch" {
  # Lets the Lambda execution role write to CloudWatch Logs (policy body defined elsewhere).
  policy_arn = aws_iam_policy.lambda_allow_write_cloudwatch_logs.arn
  role       = aws_iam_role.ipfs_ens_lambda_iam.name # for aws_iam_role, .name and .id are the same value
}
# DynamoDB
resource "aws_iam_role_policy_attachment" "ipfs_ens_api_dynamodb_deployments" {
  # Read/write on the deployments DynamoDB table (policy body defined elsewhere).
  policy_arn = aws_iam_policy.dynamodb_deployments_table_read_write.arn
  role       = aws_iam_role.ipfs_ens_lambda_iam.name
}
resource "aws_iam_role_policy_attachment" "ipfs_ens_api_dynamodb_users" {
  # Read/write on the users DynamoDB table (policy body defined elsewhere).
  policy_arn = aws_iam_policy.dynamodb_users_table_read_write.arn
  role       = aws_iam_role.ipfs_ens_lambda_iam.name
}
resource "aws_iam_role_policy_attachment" "ipfs_ens_api_dynamodb_nonce" {
  # Read/write on the nonce DynamoDB table (policy body defined elsewhere).
  # NOTE(review): confirm the policy's action list matches what the handler actually does with nonces.
  policy_arn = aws_iam_policy.dynamodb_nonce_table_read_write.arn
  role       = aws_iam_role.ipfs_ens_lambda_iam.name
}
# S3
resource "aws_iam_role_policy_attachment" "ipfs_ens_api_manage_s3" {
  # S3 access for pipeline source and artifact objects (policy body defined elsewhere).
  # NOTE(review): "manage" suggests write/delete; confirm the policy is limited to the
  # pipeline source and artifact buckets and does not include bucket-level admin actions.
  policy_arn = aws_iam_policy.manage_s3_pipeline_src_and_artifacts.arn
  role       = aws_iam_role.ipfs_ens_lambda_iam.name
}
# CodePipeline
resource "aws_iam_role_policy_attachment" "ipfs_ens_api_create_codepipeline" {
  # Lets the API create and delete CodePipeline pipelines (policy body defined elsewhere).
  # NOTE(review): together with ipfs_ens_api_pass_role this lets the function create
  # pipelines that run under aws_iam_role.ipfs_ens_codepipeline_iam, so the function's
  # effective permissions include that role's — scope both policies accordingly.
  policy_arn = aws_iam_policy.codepipeline_create_delete_pipeline.arn
  role       = aws_iam_role.ipfs_ens_lambda_iam.name
}
resource "aws_iam_role_policy_attachment" "ipfs_ens_api_put_codepipeline_result" {
  # Lets the function report job success/failure back to CodePipeline (policy body defined elsewhere).
  policy_arn = aws_iam_policy.codepipeline_put_job_result.arn
  role       = aws_iam_role.ipfs_ens_lambda_iam.name
}
resource "aws_iam_role_policy_attachment" "ipfs_ens_api_pass_role" {
  # iam:PassRole so the API can hand the CodePipeline role to pipelines it creates
  # (policy body defined elsewhere).
  # NOTE(review): PassRole is the privilege-escalation-sensitive grant here. Confirm the
  # policy names only aws_iam_role.ipfs_ens_codepipeline_iam as its resource and
  # conditions on iam:PassedToService = codepipeline.amazonaws.com.
  policy_arn = aws_iam_policy.iam_pass_role_to_codepipeline.arn
  role       = aws_iam_role.ipfs_ens_lambda_iam.name
}
# SQS Send & Consume Messages
resource "aws_iam_role_policy_attachment" "sqs_send_message_ipfs_ens" {
  # Lets the API enqueue messages on the IPFS ENS queue (policy body defined elsewhere).
  # NOTE(review): the resource name does not follow the ipfs_ens_api_* convention used
  # by the other attachments on this role; renaming it requires a moved block or a
  # state move, so it is left as-is here.
  policy_arn = aws_iam_policy.sqs_send_message_ipfs_ens.arn
  role       = aws_iam_role.ipfs_ens_lambda_iam.name
}
resource "aws_iam_role_policy_attachment" "sqs_consume_message_ipfs_ens" {
  # Lets the role receive/delete messages from the IPFS ENS queue (policy body defined elsewhere).
  # NOTE(review): same role both sends and consumes; if a separate worker function
  # consumes the queue, it should get its own role with only the consume policy.
  policy_arn = aws_iam_policy.sqs_consume_message_ipfs_ens.arn
  role       = aws_iam_role.ipfs_ens_lambda_iam.name
}
# ---------------------------------------------------------------------------------------------------------------------
# CODEPIPELINE IAM ROLE
# ---------------------------------------------------------------------------------------------------------------------
# Service role assumed by CodePipeline for the pipelines the API creates. Its trust
# policy is data.aws_iam_policy_document.codepipeline_assume_role (defined in another
# file). Attachments below grant, judging by the policy names, CloudWatch Logs, Lambda
# invoke, S3 on the managed buckets, CodeBuild, and read-only ECR.
# NOTE(review): because the Lambda role can create pipelines and pass this role to them,
# whatever this role can do is reachable from the Lambda role as well.
resource "aws_iam_role" "ipfs_ens_codepipeline_iam" {
# Suffixed with the sanitized subdomain, presumably to keep role names unique per deployment.
name = "ipfs-ens-codepipeline-role-${local.sanitized_subdomain}"
assume_role_policy = data.aws_iam_policy_document.codepipeline_assume_role.json
tags = local.default_tags
}
# Cloudwatch (Logs)
resource "aws_iam_role_policy_attachment" "ipfs_ens_codepipeline_cloudwatch_logs" {
  # Reuses the Lambda CloudWatch Logs policy for the pipeline role (policy body defined elsewhere).
  # NOTE(review): the policy is named for Lambda; confirm the pipeline role actually needs
  # it and that its log-group scope is appropriate for this role.
  policy_arn = aws_iam_policy.lambda_allow_write_cloudwatch_logs.arn
  role       = aws_iam_role.ipfs_ens_codepipeline_iam.name # for aws_iam_role, .name and .id are the same value
}
# Lambda (Invoke)
resource "aws_iam_role_policy_attachment" "ipfs_ens_codepipeline_invoke" {
  # Lets pipeline Lambda actions invoke functions (policy body defined elsewhere).
  # NOTE(review): aws_iam_policy.lambda_invoke is also attached to the API Gateway
  # authorizer role; confirm it is scoped to the specific function ARNs each role needs
  # rather than lambda:InvokeFunction on "*".
  policy_arn = aws_iam_policy.lambda_invoke.arn
  role       = aws_iam_role.ipfs_ens_codepipeline_iam.name
}
# S3
resource "aws_iam_role_policy_attachment" "ipfs_ens_codepipeline_s3" {
  # S3 access for pipeline artifacts (policy body defined elsewhere).
  # NOTE(review): the policy name says "full access"; confirm it is limited to the managed
  # buckets and that the pipeline really needs more than Get/Put/List on them.
  policy_arn = aws_iam_policy.s3_full_access_managed_buckets.arn
  role       = aws_iam_role.ipfs_ens_codepipeline_iam.name
}
# Codebuild
resource "aws_iam_role_policy_attachment" "ipfs_ens_codepipeline_codebuild" {
  # CodeBuild permissions for the build stage (policy body defined elsewhere; presumably
  # StartBuild/BatchGetBuilds — confirm against the policy document).
  policy_arn = aws_iam_policy.codebuild_build_part.arn
  role       = aws_iam_role.ipfs_ens_codepipeline_iam.name
}
# ECR
resource "aws_iam_role_policy_attachment" "ipfs_ens_codepipeline_ecr" {
  # Read-only ECR access for image pulls (policy body defined elsewhere).
  policy_arn = aws_iam_policy.ecr_read_only.arn
  role       = aws_iam_role.ipfs_ens_codepipeline_iam.name
}
# ---------------------------------------------------------------------------------------------------------------------
# API GATEWAY AUTHORIZER ROLE
# ---------------------------------------------------------------------------------------------------------------------
# Role assumed by API Gateway to invoke the Lambda authorizer. Its trust policy is
# data.aws_iam_policy_document.api_gateway_assume_role (defined in another file); the
# single attachment below grants aws_iam_policy.lambda_invoke.
# NOTE(review): confirm the trust policy conditions on aws:SourceArn / aws:SourceAccount
# so only this account's API Gateway can assume the role (confused-deputy mitigation).
resource "aws_iam_role" "ipfs_ens_gateway_authorizer" {
# Suffixed with the sanitized subdomain, presumably to keep role names unique per deployment.
name = "ipfs-ens-gateway-authorizer-role-${local.sanitized_subdomain}"
assume_role_policy = data.aws_iam_policy_document.api_gateway_assume_role.json
tags = local.default_tags
}
resource "aws_iam_role_policy_attachment" "ipfs_ens_gateway_authorizer_invoke" {
  # Lets API Gateway invoke the authorizer function (policy body defined elsewhere).
  # NOTE(review): this policy is shared with the CodePipeline role; the authorizer role only
  # needs lambda:InvokeFunction on the authorizer function itself — confirm the scope, or
  # give this role its own narrowly scoped policy.
  policy_arn = aws_iam_policy.lambda_invoke.arn
  role       = aws_iam_role.ipfs_ens_gateway_authorizer.name # for aws_iam_role, .name and .id are the same value
}