uktrade · JohnStainsby · May 2, 2024 · Apr 17, 2024 · Apr 17, 2024 · Apr 17, 2024
@@ -35,9 +35,14 @@ phases:
 
   build:
     commands:
-      - echo "Build Phase"
+      - echo "Terraform Plan Phase"
+      - echo "Working on environment ${ENVIRONMENT}"
+      - cd terraform/${ENVIRONMENT}
+      - terraform init
+      - terraform plan -out=plan.tfplan
   post_build:
     commands:
       - echo "Post Build Phase"
 artifacts:
-  files: []
+  files:
+    - terraform/${ENVIRONMENT}/plan.tfplan
@@ -15,10 +15,9 @@ resource "aws_codebuild_project" "environment_pipeline" {
 
   environment {
     compute_type                = "BUILD_GENERAL1_SMALL"
-    image                       = "amazonlinux:2023"
+    image                       = "aws/codebuild/amazonlinux2-x86_64-standard:5.0"
     type                        = "LINUX_CONTAINER"
     image_pull_credentials_type = "CODEBUILD"
-
   }
 
   logs_config {

@@ -3,8 +3,9 @@ data "aws_codestarconnections_connection" "github_codestar_connection" {
 }
 
 resource "aws_codepipeline" "environment_pipeline" {
-  name     = "${var.application}-environment-pipeline"
-  role_arn = aws_iam_role.environment_pipeline_codepipeline.arn
+  name       = "${var.application}-environment-pipeline"
+  role_arn   = aws_iam_role.environment_pipeline_codepipeline.arn
+  depends_on = [aws_iam_role_policy.artifact_store_access_for_environment_codebuild]
 
   artifact_store {
     location = module.artifact_store.bucket_name
@@ -25,30 +26,41 @@ resource "aws_codepipeline" "environment_pipeline" {
       owner            = "AWS"
       provider         = "CodeStarSourceConnection"
       version          = "1"
-      output_artifacts = ["source_output"]
+      output_artifacts = ["project_deployment_source"]
 
       configuration = {
         ConnectionArn    = data.aws_codestarconnections_connection.github_codestar_connection.arn
         FullRepositoryId = var.repository
-        BranchName       = "main"
+        BranchName       = var.branch
       }
     }
   }
 
-  stage {
-    name = "Build"
 
-    action {
-      name             = "InstallTools"
-      category         = "Build"
-      owner            = "AWS"
-      provider         = "CodeBuild"
-      input_artifacts  = ["source_output"]
-      output_artifacts = ["build_output"]
-      version          = "1"
+  dynamic "stage" {
+    for_each = local.stages
+    content {
+      name = "Build"
 
-      configuration = {
-        ProjectName = "${var.application}-environment-pipeline"
+      action {
+        name             = "InstallTools"
+        category         = "Build"
+        owner            = "AWS"
+        provider         = "CodeBuild"
+        input_artifacts  = ["project_deployment_source"]
+        output_artifacts = ["terraform_plan"]
+        version          = "1"
+
+        configuration = {
+          ProjectName   = "${var.application}-environment-pipeline"
+          PrimarySource = "project_deployment_source"
+          EnvironmentVariables = jsonencode([
+            {
+              name  = "ENVIRONMENT"
+              value = stage.value.env
+            }
+          ])
+        }
       }
     }
   }

@@ -1,3 +1,6 @@
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
 data "aws_iam_policy_document" "assume_codepipeline_role" {
   statement {
     effect = "Allow"
@@ -87,6 +90,100 @@ data "aws_iam_policy_document" "write_environment_pipeline_codebuild_logs" {
   }
 }
 
+data "aws_s3_bucket" "state_bucket" {
+  bucket = "terraform-platform-state-${local.stages[0].accounts.deploy.name}"
+}
+
+data "aws_iam_policy_document" "state_bucket_access" {
+  statement {
+    actions = [
+      "s3:ListBucket",
+      "s3:GetObject",
+      "s3:PutObject"
+    ]
+    resources = [
+      data.aws_s3_bucket.state_bucket.arn,
+      "${data.aws_s3_bucket.state_bucket.arn}/*"
+    ]
+  }
+}
+
+data "aws_kms_key" "state_kms_key" {
+  key_id = "alias/terraform-platform-state-s3-key-${local.stages[0].accounts.deploy.name}"
+}
+
+data "aws_iam_policy_document" "state_kms_key_access" {
+  statement {
+    actions = [
+      "kms:ListKeys",
+      "kms:Decrypt"
+    ]
+    resources = [
+      data.aws_kms_key.state_kms_key.arn
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "state_dynamo_db_access" {
+  statement {
+    actions = [
+      "dynamodb:DescribeTable",
+      "dynamodb:GetItem",
+      "dynamodb:PutItem",
+      "dynamodb:DeleteItem"
+    ]
+    resources = [
+      "arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/terraform-platform-lockdb-${local.stages[0].accounts.deploy.name}"
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "ec2_read_access" {
+  statement {
+    actions = [
+      "ec2:DescribeVpcs",
+      "ec2:DescribeSubnets",
+      "ec2:DescribeSecurityGroups"
+    ]
+    resources = [
+      "*"
+    ]
+  }
+
+  statement {
+    actions = [
+      "ec2:DescribeVpcAttribute"
+    ]
+    resources = [
+      "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:vpc/*"
+    ]
+  }
+}
+
+data "aws_ssm_parameter" "central_log_group_parameter" {
+  name = "/copilot/tools/central_log_groups"
+}
+
+data "aws_iam_policy_document" "ssm_read_access" {
+  statement {
+    actions = [
+      "ssm:GetParameter",
+    ]
+    resources = [
+      data.aws_ssm_parameter.central_log_group_parameter.arn
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "dns_account_assume_role" {
+  statement {
+    actions = [
+      "sts:AssumeRole",
+    ]
+    resources = tolist(toset([for stage in local.stages : "arn:aws:iam::${stage.accounts.dns.id}:role/sandbox-codebuild-assume-role"]))
+  }
+}
+
 resource "aws_iam_role" "environment_pipeline_codepipeline" {
   name               = "${var.application}-environment-pipeline-codepipeline"
   assume_role_policy = data.aws_iam_policy_document.assume_codepipeline_role.json
@@ -117,3 +214,41 @@ resource "aws_iam_role_policy" "log_access_for_environment_codebuild" {
   policy = data.aws_iam_policy_document.write_environment_pipeline_codebuild_logs.json
 }
 
+# Terraform state access
+resource "aws_iam_role_policy" "state_bucket_access_for_environment_codebuild" {
+  name   = "${var.application}-state-bucket-access-for-environment-codebuild"
+  role   = aws_iam_role.environment_pipeline_codebuild.name
+  policy = data.aws_iam_policy_document.state_bucket_access.json
+}
+
+resource "aws_iam_role_policy" "state_kms_key_access_for_environment_codebuild" {
+  name   = "${var.application}-state-kms-key-access-for-environment-codebuild"
+  role   = aws_iam_role.environment_pipeline_codebuild.name
+  policy = data.aws_iam_policy_document.state_kms_key_access.json
+}
+
+resource "aws_iam_role_policy" "state_dynamo_db_access_for_environment_codebuild" {
+  name   = "${var.application}-state-dynamo-db-access-for-environment-codebuild"
+  role   = aws_iam_role.environment_pipeline_codebuild.name
+  policy = data.aws_iam_policy_document.state_dynamo_db_access.json
+}
+
+# VPC and Subnets
+resource "aws_iam_role_policy" "ec2_read_access_for_environment_codebuild" {
+  name   = "${var.application}-ec2-read-access-for-environment-codebuild"
+  role   = aws_iam_role.environment_pipeline_codebuild.name
+  policy = data.aws_iam_policy_document.ec2_read_access.json
+}
+
+resource "aws_iam_role_policy" "ssm_read_access_for_environment_codebuild" {
+  name   = "${var.application}-ssm-read-access-for-environment-codebuild"
+  role   = aws_iam_role.environment_pipeline_codebuild.name
+  policy = data.aws_iam_policy_document.ssm_read_access.json
+}
+
+# Assume DNS account role
+resource "aws_iam_role_policy" "dns_account_assume_role_for_environment_codebuild" {
+  name   = "${var.application}-dns-account-assume-role-for-environment-codebuild"
+  role   = aws_iam_role.environment_pipeline_codebuild.name
+  policy = data.aws_iam_policy_document.dns_account_assume_role.json
+}
@@ -4,4 +4,8 @@ locals {
     copilot-application = var.application
     managed-by          = "DBT Platform - Terraform"
   }
+
+  stage_config = yamldecode(file("${path.module}/stage_config.yml"))
+
+  stages = [for env in var.environments : { type : "plan", env : env.name, approval : env.requires_approval, accounts : env.accounts }]
 }
@@ -0,0 +1,20 @@
+---
+plan:
+  name: "Plan"
+  category: "Build"
+  owner: "AWS"
+  provider: "CodeBuild"
+  input_artifacts: ["source_output"]
+  output_artifacts: ["build_output"]
+  version: "1"
+approve:
+  run_order: 1
+  name: "AWS-Admin-Approval"
+  category: "Approval"
+  owner: "AWS"
+  provider: "Manual"
+  version: "1"
+  input_artifacts: []
+  output_artifacts: []
+
+apply: