aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0
605 stars 386 forks

Custom CodeCommit repository names cause IAM Policy errors for codepipeline #326

Open apmantha opened 1 year ago

apmantha commented 1 year ago

AFT Version: 1.9.1

Terraform Version & Provider Versions

terraform version

✗ terraform version
Terraform v1.3.9
on darwin_arm64
+ provider registry.terraform.io/hashicorp/archive v2.3.0
+ provider registry.terraform.io/hashicorp/aws v4.57.0
+ provider registry.terraform.io/hashicorp/local v2.3.0
+ provider registry.terraform.io/hashicorp/random v3.4.3
+ provider registry.terraform.io/hashicorp/time v0.9.1

terraform providers

✗ terraform providers

Providers required by configuration:
.
├── provider[registry.terraform.io/hashicorp/aws] ~> 4.0
└── module.control_tower_account_factory
    ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0, < 5.0.0
    ├── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_backend
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    ├── module.aft_lambda_layer
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── provider[registry.terraform.io/hashicorp/random]
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_account_request_framework
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── provider[registry.terraform.io/hashicorp/time]
    ├── module.aft_code_repositories
    │   ├── provider[registry.terraform.io/hashicorp/local]
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    ├── module.aft_account_provisioning_framework
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    ├── module.packaging
    │   └── provider[registry.terraform.io/hashicorp/archive]
    ├── module.aft_customizations
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_feature_options
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    ├── module.aft_iam_roles
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.log_archive_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.log_archive_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.aft_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.aft_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.audit_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.audit_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   ├── module.ct_management_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── module.ct_management_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    └── module.aft_ssm_parameters
        ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
        └── provider[registry.terraform.io/hashicorp/random]

Providers required by state:

    provider[registry.terraform.io/hashicorp/local]

    provider[registry.terraform.io/hashicorp/time]

    provider[registry.terraform.io/hashicorp/aws]

    provider[registry.terraform.io/hashicorp/archive]

    provider[registry.terraform.io/hashicorp/random]

Bug Description

Using custom codecommit repo names breaks the IAM roles for the CodePipeline execution.

To Reproduce

Steps to reproduce the behavior:

  1. Deploy AFT with vcs_provider = codecommit and a custom account_request_repo_name value (such as example_repo)
  2. Add an account request to the above repo
  3. Review the CodePipeline that triggers
  4. Review the IAM Policy attached to the role ct-aft-codepipeline-account-request-role

Expected behavior

Code Pipeline should execute successfully and read from the codecommit repo. The IAM policy should have permissions for codecommit:GetBranch against the codecommit repo that was created.

Additional context

IAM Policy is described in these two files. It has a static resource string that assumes a default "account-request" name.

https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/main/modules/aft-code-repositories/iam.tf#L11-L22

https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/main/modules/aft-code-repositories/iam/role-policies/ct_aft_account_request_codepipeline_policy.tpl#L38

Codecommit repo creation has the repo name based on a variable completely in user control.

https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/main/modules/aft-code-repositories/codecommit.tf#L18-L23
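The mismatch the report describes, shown as an added Terraform illustration that is not the project's own code: the repository name comes from the `account_request_repo_name` input (the AFT variable named in the issue), while the policy hard-codes an ARN ending in `account-request`, so any non-default name leaves the pipeline role without `codecommit:GetBranch` on the repository it actually reads. The corrected statement below derives the ARN from the repository resource instead. The resource and data-source names, the role name's policy attachment and the local `static_repo_arn` are hypothetical; the action list is the standard set a CodePipeline CodeCommit source action needs.

```hcl
# Added example, not code from the aws-ia module. All resource/data names are
# hypothetical; only var.account_request_repo_name is an actual AFT input.

data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

variable "account_request_repo_name" {
  description = "Name of the CodeCommit repository holding account requests (user controlled)"
  type        = string
  default     = "aft-account-request"
}

resource "aws_codecommit_repository" "account_request" {
  repository_name = var.account_request_repo_name
}

# Broken pattern described in the issue: a fixed resource string that only
# matches the default repository name. With a custom name this ARN refers to a
# repository that does not exist, and the source action is denied.
locals {
  static_repo_arn = "arn:aws:codecommit:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:account-request"
}

resource "aws_iam_role" "account_request_codepipeline" {
  name = "ct-aft-codepipeline-account-request-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "codepipeline.amazonaws.com" }
    }]
  })
}

# Corrected pattern: scope the statement to the ARN Terraform computes for the
# repository that was actually created, so a custom repository_name is always
# covered and nothing wider than that one repository is granted.
data "aws_iam_policy_document" "account_request_codepipeline" {
  statement {
    sid    = "CodeCommitSourceRead"
    effect = "Allow"
    actions = [
      "codecommit:GetBranch",
      "codecommit:GetCommit",
      "codecommit:UploadArchive",
      "codecommit:GetUploadArchiveStatus",
      "codecommit:CancelUploadArchive",
    ]
    resources = [aws_codecommit_repository.account_request.arn]
  }
}

resource "aws_iam_role_policy" "account_request_codepipeline" {
  name   = "ct-aft-codepipeline-account-request-policy"
  role   = aws_iam_role.account_request_codepipeline.id
  policy = data.aws_iam_policy_document.account_request_codepipeline.json
}

# Surfacing both ARNs in plan output makes the drift between the configured
# repository and a hard-coded policy resource visible before apply.
output "account_request_repo_arn" {
  value = aws_codecommit_repository.account_request.arn
}

output "legacy_static_repo_arn" {
  value = local.static_repo_arn
}
```

A `terraform plan` against this configuration shows the two output values side by side; whenever `account_request_repo_name` differs from the default, `legacy_static_repo_arn` names a repository that does not exist, which is exactly the condition that produced the failing pipeline in the report.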

snebhu3 commented 1 year ago

@apmantha thank you for bringing this to our attention. I have created a backlog to align on the naming pattern.