chore: add new permissions for tf_role on aws

rcmonteiro · Jun 14, 2024 · f565ed0 · f565ed0
1 parent 0eb9c97
commit f565ed0
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -11,7 +11,7 @@ https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
 **AWS SSO**
 
 ```bash
-aws sso configure
+aws sso configure --profile {$profileName}
 aws sso login --profile {$profileName}
 ```
 
@@ -54,18 +54,12 @@ You can create them in the Github UI:
 Now we need to apply the changes locally, and get the ARN of the role that we will use in the next step.
 
 ```bash
-terraform apply -var-file=secret.tfvars
+AWS_PROFILE={your_aws_profile} terraform apply -var-file="secret.tfvars"
 ```
 
 Type `yes` to apply the changes.
 
-Go to your AWS console and open the IAM console.
-On Roles, click in the new role that was created `tf_role` and copy the ARN.
-
-![alt text](assets/tf_role.png)
-
-Now we need to create a Github Secret with the ARN of the role, and the name `ARN_TF_ROLE`.
-You can follow the same steps as in the previous section.
+Now we have deployed the App on App Runner, but, we still have work to do, to make the CD process automated.
 
 ## Deployment
 

diff --git a/iam.tf b/iam.tf
@@ -29,14 +29,34 @@ resource "aws_iam_role" "tf_role" {
               "sts.amazonaws.com"
             ],
             "token.actions.githubusercontent.com:sub" : [
-              var.github_iac_repo
+              var.gh_iac_repo
             ]
           }
         }
       }
     ]
   })
 
+  inline_policy {
+    name = "tf-iac-permission"
+
+    policy = jsonencode({
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Action" : "ecr:*"
+          "Effect" : "Allow",
+          "Resource" : "*"
+        },
+        {
+          "Action" : "iam:*"
+          "Effect" : "Allow",
+          "Resource" : "*"
+        },
+      ]
+    })
+  }
+
   tags = {
     IaC = "True"
   }
@@ -60,7 +80,7 @@ resource "aws_iam_role" "ecr_role" {
               "sts.amazonaws.com"
             ],
             "token.actions.githubusercontent.com:sub" : [
-              var.github_app_repo
+              var.gh_app_repo
             ]
           }
         }

diff --git a/variables.tf b/variables.tf
@@ -10,13 +10,13 @@ variable "thumbprint" {
   sensitive   = true
 }
 
-variable "github_iac_repo" {
+variable "gh_iac_repo" {
   description = "Github repository, e.g. repo:{username}/{repo}:ref:refs/heads/{branch}"
   type        = string
   sensitive   = true
 }
 
-variable "github_app_repo" {
+variable "gh_app_repo" {
   description = "Github repository, e.g. repo:{username}/{repo}:ref:refs/heads/{branch}"
   type        = string
   sensitive   = true