Merge pull request #17 from sebbrandt87/feat/service-role-setable

feat: predefined service role usage
lgallard · Jul 1, 2021 · d11473b · d11473b
2 parents cf767c6 + 82f25a9
commit d11473b
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 18 deletions.
diff --git a/iam.tf b/iam.tf
@@ -1,14 +1,15 @@
 # Service role
 resource "aws_iam_role" "service_role" {
+  count              = var.create_default_service_role ? 1 : 0
   name               = "${var.name}-service-role"
-  assume_role_policy = data.aws_iam_policy_document.codebuild_assume_role_policy.json
-
+  assume_role_policy = element(data.aws_iam_policy_document.codebuild_assume_role_policy.*.json, 0)
 }
 
 # Add extra polcies
 resource "aws_iam_role_policy" "codebuild_role_extra_policies" {
-  role   = aws_iam_role.service_role.name
-  policy = data.aws_iam_policy_document.codebuild_role_extra_policies.json
+  count  = var.create_default_service_role ? 1 : 0
+  role   = element(aws_iam_role.service_role.*.name, 0)
+  policy = element(data.aws_iam_policy_document.codebuild_role_extra_policies.*.json, 0)
 }
 
 ####################
@@ -17,6 +18,7 @@ resource "aws_iam_role_policy" "codebuild_role_extra_policies" {
 
 # Assume Role
 data "aws_iam_policy_document" "codebuild_assume_role_policy" {
+  count = var.create_default_service_role ? 1 : 0
   statement {
     effect = "Allow"
 
@@ -33,6 +35,7 @@ data "aws_iam_policy_document" "codebuild_assume_role_policy" {
 
 # Extra policies
 data "aws_iam_policy_document" "codebuild_role_extra_policies" {
+  count = var.create_default_service_role ? 1 : 0
   statement {
     effect = "Allow"
 

diff --git a/main.tf b/main.tf
@@ -1,12 +1,13 @@
 resource "aws_codebuild_project" "cb_project" {
-  name           = var.name
-  badge_enabled  = var.badge_enabled
-  build_timeout  = var.build_timeout
-  description    = var.description
-  encryption_key = var.encryption_key
-  service_role   = aws_iam_role.service_role.arn
-  source_version = var.codebuild_source_version
-  queued_timeout = var.queued_timeout
+  name                   = var.name
+  badge_enabled          = var.badge_enabled
+  build_timeout          = var.build_timeout
+  description            = var.description
+  encryption_key         = var.encryption_key
+  service_role           = local.service_role_arn
+  source_version         = var.codebuild_source_version
+  queued_timeout         = var.queued_timeout
+  concurrent_build_limit = var.concurrent_build_limit
 
   # Artifacts
   dynamic "artifacts" {
@@ -277,4 +278,5 @@ locals {
     security_group_ids = lookup(var.vpc_config, "security_group_ids", null) == null ? var.vpc_config_security_group_ids : lookup(var.vpc_config, "security_group_ids")
   }
 
+  service_role_arn = var.create_default_service_role ? element(aws_iam_role.service_role.*.arn, 0) : var.service_role_arn
 }
diff --git a/outputs.tf b/outputs.tf
@@ -15,15 +15,15 @@ output "name" {
 
 output "service_role_name" {
   description = "Name of the Service Role created for CodeBuild."
-  value       = aws_iam_role.service_role.name
+  value       = var.create_default_service_role ? element(aws_iam_role.service_role.*.name, 0) : null
 }
 
 output "service_role_arn" {
   description = "Amazon Resource Name (ARN) of the Service Role for CodeBuild."
-  value       = aws_iam_role.service_role.arn
+  value       = var.create_default_service_role ? element(aws_iam_role.service_role.*.arn, 0) : null
 }
 
 output "service_role_id" {
   description = "ID of the Service Role created for CodeBuild."
-  value       = aws_iam_role.service_role.id
+  value       = var.create_default_service_role ? element(aws_iam_role.service_role.*.id, 0) : null
 }
diff --git a/variables.tf b/variables.tf
@@ -152,7 +152,7 @@ variable "environment_type" {
 }
 
 variable "environment_image_pull_credentials_type" {
-  description = "The type of credentials AWS CodeBuild uses to pull images in your build. Available values for this parameter are `CODEBUID` or `SERVICE_ROLE`. When you use a cross-account or private registry image, you must use SERVICE_ROLE credentials. When you use an AWS CodeBuild curated image, you must use CODEBUILD credentials."
+  description = "The type of credentials AWS CodeBuild uses to pull images in your build. Available values for this parameter are `CODEBUILD` or `SERVICE_ROLE`. When you use a cross-account or private registry image, you must use SERVICE_ROLE credentials. When you use an AWS CodeBuild curated image, you must use CODEBUILD credentials."
   type        = string
   default     = "CODEBUILD"
 }
@@ -371,7 +371,7 @@ variable "codebuild_secondary_source_report_build_status" {
 
 variable "codebuild_secondary_source_auth" {
   description = "Information about the authorization settings for AWS CodeBuild to access the source code to be built."
-  type        = map
+  type        = map(any)
   default     = {}
 }
 
@@ -389,7 +389,7 @@ variable "codebuild_secondary_source_auth_resource" {
 
 variable "codebuild_secondary_source_git_submodules_config" {
   description = "Information about the Git submodules configuration for an AWS CodeBuild build project. Git submodules config blocks are documented below. This option is only valid when the type is `CODECOMMIT`."
-  type        = map
+  type        = map(any)
   default     = {}
 }
 
@@ -436,3 +436,21 @@ variable "tags" {
   type        = map(string)
   default     = {}
 }
+
+variable "create_default_service_role" {
+  description = "Should the default service role be created?"
+  type        = bool
+  default     = true
+}
+
+variable "service_role_arn" {
+  description = "A predefined service role to be used"
+  type        = string
+  default     = null
+}
+
+variable "concurrent_build_limit" {
+  description = "Specify a maximum number of concurrent builds for the project."
+  type        = number
+  default     = 1
+}