From 22d85bb3ca089756d35cd1081ec568e46cf5f574 Mon Sep 17 00:00:00 2001
From: Farhan Angullia <angullia@amazon.com>
Date: Wed, 20 Jul 2022 17:04:09 +0800
Subject: [PATCH] feat: parameterized codebuild role

---
 examples/mwaa/environment/main.tf       |  10 +-
 examples/mwaa/switch/config.auto.tfvars |   4 +-
 examples/mwaa/switch/main.tf            | 139 ++++++++++++++++++++++--
 examples/mwaa/switch/variables.tf       |  10 ++
 main.tf                                 | 117 +-------------------
 variables.tf                            |   8 ++
 6 files changed, 158 insertions(+), 130 deletions(-)

diff --git a/examples/mwaa/environment/main.tf b/examples/mwaa/environment/main.tf
index 8fa580f..49a480a 100644
--- a/examples/mwaa/environment/main.tf
+++ b/examples/mwaa/environment/main.tf
@@ -10,9 +10,9 @@ resource "aws_vpc" "mwaa_vpc" {
   enable_dns_hostnames = true
 }
 
-# resource "aws_default_security_group" "default" {
-#   vpc_id = aws_vpc.mwaa_vpc.id
-# }
+resource "aws_default_security_group" "default" {
+  vpc_id = aws_vpc.mwaa_vpc.id
+}
 
 resource "aws_subnet" "mwaa_private_subnets" {
   count = length(var.pri_sub_cidrs)
@@ -102,8 +102,8 @@ resource "aws_route_table_association" "pubrt_associations" {
 }
 
 resource "aws_security_group" "this" {
-  vpc_id      = aws_vpc.mwaa_vpc.id
-  name        = "mwaa-no-ingress-sg"
+  vpc_id = aws_vpc.mwaa_vpc.id
+  name   = "mwaa-no-ingress-sg"
   tags = merge({
     Name = "mwaa-no-ingress-sg"
   }, var.tags)
diff --git a/examples/mwaa/switch/config.auto.tfvars b/examples/mwaa/switch/config.auto.tfvars
index 2b41b3f..62cefe7 100644
--- a/examples/mwaa/switch/config.auto.tfvars
+++ b/examples/mwaa/switch/config.auto.tfvars
@@ -3,4 +3,6 @@ kill_resources_schedule   = "cron(0 1/3 * * ? *)"
 revive_resources_schedule = "cron(0 1/2 * * ? *)"
 init_command              = "terraform -chdir=examples/mwaa/environment init -backend-config=\\\"bucket=REPLACE_ME\\\" -backend-config=\\\"key=REPLACE_ME\\\" -backend-config=\\\"region=REPLACE_ME\\\" -input=false" # Replace all fields of REPLACE_ME with your s3 backend configuration values that is used to deploy the MWAA environment.
 kill_command              = "terraform -chdir=examples/mwaa/environment apply -input=false -target=aws_mwaa_environment.this -var enabled=false -auto-approve"
-revive_command            = "terraform -chdir=examples/mwaa/environment apply -input=false -target=aws_mwaa_environment.this -var enabled=true -auto-approve"
\ No newline at end of file
+revive_command            = "terraform -chdir=examples/mwaa/environment apply -input=false -target=aws_mwaa_environment.this -var enabled=true -auto-approve"
+tf_backend_bucket         = "REPLACE_ME"
+tf_backend_key            = "REPLACE_ME"
\ No newline at end of file
diff --git a/examples/mwaa/switch/main.tf b/examples/mwaa/switch/main.tf
index b319d0f..c5df875 100644
--- a/examples/mwaa/switch/main.tf
+++ b/examples/mwaa/switch/main.tf
@@ -1,18 +1,133 @@
 # Copyright © 2022 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. This AWS Content is provided subject to the terms of the AWS Customer Agreement available at http://aws.amazon.com/agreement or other written agreement between Customer and either Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both."
 
-#### (0) switch module ####
+#### (1) switch module ####
 module "mwaa_switch" {
   source = "../../../"
 
-  git_personal_access_token = jsondecode(data.aws_secretsmanager_secret_version.github_token_secret_version.secret_string)["TOKEN"]
-  source_type               = "GITHUB"
-  source_location           = "https://github.com/aws-samples/aws-terraform-scheduled-switch.git"
-  kill_resources_schedule   = "cron(0 1/3 * * ? *)"
-  revive_resources_schedule = "cron(0 1/2 * * ? *)"
-  init_command              = "terraform -chdir=examples/mwaa/environment init -backend-config=\\\"bucket=${var.tf_backend_bucket}\\\" -backend-config=\\\"key=${var.tf_backend_key}\\\" -backend-config=\\\"region=${var.tf_backend_region}\\\" -input=false"
-  kill_command              = "terraform -chdir=examples/mwaa/environment apply -input=false -target=aws_mwaa_environment.this -var enabled=false -auto-approve"
-  revive_command            = "terraform -chdir=examples/mwaa/environment apply -input=false -target=aws_mwaa_environment.this -var enabled=true -auto-approve"
-  terraform_version         = var.terraform_version
-  tf_backend_bucket         = var.tf_backend_bucket
-  tf_backend_key            = var.tf_backend_key
+  git_personal_access_token    = jsondecode(data.aws_secretsmanager_secret_version.github_token_secret_version.secret_string)["TOKEN"]
+  source_type                  = "GITHUB"
+  switch_additional_policy_arn = aws_iam_policy.mwaa_switch_policy.arn
+  source_location              = var.source_location
+  kill_resources_schedule      = var.kill_resources_schedule
+  revive_resources_schedule    = var.revive_resources_schedule
+  init_command                 = var.init_command
+  kill_command                 = var.kill_command
+  revive_command               = var.revive_command
+  terraform_version            = var.terraform_version
+  tf_backend_bucket            = var.tf_backend_bucket
+  tf_backend_key               = var.tf_backend_key
+}
+
+#### (0) Switch Policy for MWAA ####
+resource "aws_iam_policy" "mwaa_switch_policy" {
+  name        = "MWAASwitchPolicy"
+  description = "A policy for MWAA operations."
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Resource": [
+        "*"
+      ],
+      "Action": [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ]
+    },
+    {
+        "Effect": "Allow",
+        "Action": [
+          "iam:ListRolePolicies",
+          "iam:GetRole",
+          "iam:GetRolePolicy",
+          "iam:ListAttachedRolePolicies"
+        ],
+        "Resource": "*"
+    },
+    {
+        "Effect": "Allow",
+        "Action": "airflow:*",
+        "Resource": "*"
+    },
+    {
+        "Effect": "Allow",
+        "Action": [
+            "iam:CreateServiceLinkedRole"
+        ],
+        "Resource": "arn:aws:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA"
+    },
+    {
+        "Effect": "Allow",
+        "Action": [
+            "ec2:DescribeSecurityGroups",
+            "ec2:DescribeSubnets",
+            "ec2:DescribeVpcs",
+            "ec2:DescribeRouteTables",
+            "ec2:DescribeAvailabilityZones",
+            "ec2:DescribeVpcClassicLink",
+            "ec2:DescribeVpcClassicLinkDnsSupport",
+            "ec2:DescribeVpcAttribute"
+        ],
+        "Resource": "*"
+    },
+    {
+        "Effect": "Allow",
+        "Action": [
+            "kms:DescribeKey",
+            "kms:ListGrants",
+            "kms:CreateGrant",
+            "kms:RevokeGrant",
+            "kms:Decrypt",
+            "kms:Encrypt",
+            "kms:GenerateDataKey*",
+            "kms:ReEncrypt*"
+        ],
+        "Resource": "arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/aws/airflow"
+    },
+    {
+        "Effect": "Allow",
+        "Action": [
+            "iam:PassRole"
+        ],
+        "Resource": "*",
+        "Condition": {
+            "StringLike": {
+                "iam:PassedToService": "airflow.amazonaws.com"
+            }
+        }
+    },
+    {
+        "Effect": "Allow",
+        "Action": [
+            "s3:GetEncryptionConfiguration"
+        ],
+        "Resource": "arn:aws:s3:::*"
+    },
+    {
+        "Effect": "Allow",
+        "Action": "ec2:CreateVpcEndpoint",
+        "Resource": [
+            "arn:aws:ec2:*:*:vpc-endpoint/*",
+            "arn:aws:ec2:*:*:vpc/*",
+            "arn:aws:ec2:*:*:subnet/*",
+            "arn:aws:ec2:*:*:security-group/*"
+        ]
+    },
+    {
+        "Effect": "Allow",
+        "Action": [
+            "ec2:CreateNetworkInterface"
+        ],
+        "Resource": [
+            "arn:aws:ec2:*:*:subnet/*",
+            "arn:aws:ec2:*:*:network-interface/*"
+        ]
+    }
+  ]
+}
+EOF  
 }
\ No newline at end of file
diff --git a/examples/mwaa/switch/variables.tf b/examples/mwaa/switch/variables.tf
index 487827e..c77583c 100644
--- a/examples/mwaa/switch/variables.tf
+++ b/examples/mwaa/switch/variables.tf
@@ -5,6 +5,16 @@ variable "region" {
 
 #### switch ####
 
+variable "tf_backend_bucket" {
+  type        = string
+  description = "S3 Backend bucket name"
+}
+
+variable "tf_backend_key" {
+  type        = string
+  description = "S3 object key to terraform state file"
+}
+
 variable "source_location" {
   type        = string
   description = "Information about the location of the source code of the Terraform configuration that is being managed."
diff --git a/main.tf b/main.tf
index b429b31..d9a31a5 100644
--- a/main.tf
+++ b/main.tf
@@ -57,118 +57,6 @@ resource "aws_iam_role" "switch_codebuild_role" {
 EOF
 }
 
-resource "aws_iam_role_policy" "switch_codebuild_policy" {
-  role = aws_iam_role.switch_codebuild_role.name
-
-  policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Resource": [
-        "*"
-      ],
-      "Action": [
-        "logs:CreateLogGroup",
-        "logs:CreateLogStream",
-        "logs:PutLogEvents"
-      ]
-    },
-    {
-        "Effect": "Allow",
-        "Action": [
-          "iam:ListRolePolicies",
-          "iam:GetRole",
-          "iam:GetRolePolicy",
-          "iam:ListAttachedRolePolicies"
-        ],
-        "Resource": "*"
-    },
-    {
-        "Effect": "Allow",
-        "Action": "airflow:*",
-        "Resource": "*"
-    },
-    {
-        "Effect": "Allow",
-        "Action": [
-            "iam:CreateServiceLinkedRole"
-        ],
-        "Resource": "arn:aws:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA"
-    },
-    {
-        "Effect": "Allow",
-        "Action": [
-            "ec2:DescribeSecurityGroups",
-            "ec2:DescribeSubnets",
-            "ec2:DescribeVpcs",
-            "ec2:DescribeRouteTables",
-            "ec2:DescribeAvailabilityZones",
-            "ec2:DescribeVpcClassicLink",
-            "ec2:DescribeVpcClassicLinkDnsSupport",
-            "ec2:DescribeVpcAttribute"
-        ],
-        "Resource": "*"
-    },
-    {
-        "Effect": "Allow",
-        "Action": [
-            "kms:DescribeKey",
-            "kms:ListGrants",
-            "kms:CreateGrant",
-            "kms:RevokeGrant",
-            "kms:Decrypt",
-            "kms:Encrypt",
-            "kms:GenerateDataKey*",
-            "kms:ReEncrypt*"
-        ],
-        "Resource": "arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/aws/airflow"
-    },
-    {
-        "Effect": "Allow",
-        "Action": [
-            "iam:PassRole"
-        ],
-        "Resource": "*",
-        "Condition": {
-            "StringLike": {
-                "iam:PassedToService": "airflow.amazonaws.com"
-            }
-        }
-    },
-    {
-        "Effect": "Allow",
-        "Action": [
-            "s3:GetEncryptionConfiguration"
-        ],
-        "Resource": "arn:aws:s3:::*"
-    },
-    {
-        "Effect": "Allow",
-        "Action": "ec2:CreateVpcEndpoint",
-        "Resource": [
-            "arn:aws:ec2:*:*:vpc-endpoint/*",
-            "arn:aws:ec2:*:*:vpc/*",
-            "arn:aws:ec2:*:*:subnet/*",
-            "arn:aws:ec2:*:*:security-group/*"
-        ]
-    },
-    {
-        "Effect": "Allow",
-        "Action": [
-            "ec2:CreateNetworkInterface"
-        ],
-        "Resource": [
-            "arn:aws:ec2:*:*:subnet/*",
-            "arn:aws:ec2:*:*:network-interface/*"
-        ]
-    }
-  ]
-}
-POLICY  
-}
-
 resource "aws_iam_role_policy" "switch_codebuild_s3_backend_policy" {
   role = aws_iam_role.switch_codebuild_role.name
 
@@ -195,4 +83,9 @@ POLICY
 resource "aws_iam_role_policy_attachment" "s3_policy" {
   role       = aws_iam_role.switch_codebuild_role.name
   policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
+}
+
+resource "aws_iam_role_policy_attachment" "switch_additional_policy" {
+  role       = aws_iam_role.switch_codebuild_role.name
+  policy_arn = var.switch_additional_policy_arn
 }
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index bf175a9..23ec0e9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -25,6 +25,14 @@ variable "source_location" {
   description = "Information about the location of the source code of the Terraform configuration that is being managed."
 }
 
+# CodeBuild variables
+
+variable "switch_additional_policy_arn" {
+  type        = string
+  description = "ARN of additional IAM policy for CodeBuild."
+  default     = null
+}
+
 # switch EventBridge variables
 variable "kill_resources_schedule" {
   type        = string