Bug Description
Using a custom CodeCommit repository name breaks the IAM role used for CodePipeline execution.
To Reproduce
Steps to reproduce the behavior:
1. Deploy AFT with vcs_provider = codecommit and a custom account_request_repo_name value (such as example_repo)
2. Add an account request to the above repo
3. Review the CodePipeline that triggers
4. Review the IAM policy attached to the role ct-aft-codepipeline-account-request-role
Expected behavior
CodePipeline should execute successfully and read from the CodeCommit repo. The IAM policy should grant codecommit:GetBranch on the CodeCommit repo that was actually created.
Additional context
The IAM policy is defined in these two files. The policy template has a static resource string that assumes the default "account-request" repository name:
https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/main/modules/aft-code-repositories/iam.tf#L11-L22
https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/main/modules/aft-code-repositories/iam/role-policies/ct_aft_account_request_codepipeline_policy.tpl#L38
CodeCommit repo creation, by contrast, takes the repository name from a variable that is entirely under user control:
https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/main/modules/aft-code-repositories/codecommit.tf#L18-L23
AFT Version: 1.9.1
Terraform Version & Provider Versions
terraform version
terraform providers
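To illustrate the mismatch, here is an added Terraform example (not AFT's own code) that places a policy document with the static resource string beside one that derives the resource ARN from the repository resource itself, so it follows whatever account_request_repo_name is set to. Only account_request_repo_name, the role name and codecommit:GetBranch come from this report; every other resource, data source and policy name is an assumption, and the example grants only GetBranch rather than the full action set a CodePipeline source stage needs.

```hcl
variable "account_request_repo_name" {
  type    = string
  default = "example_repo" # constructed: the custom name used in the report; AFT's default is "account-request"
}

data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

# Assumed resource name. The repository name is whatever the variable says.
resource "aws_codecommit_repository" "account_request" {
  repository_name = var.account_request_repo_name
}

# Weak form: the resource ARN is assembled from the default repo name. With
# account_request_repo_name = "example_repo" this statement never matches the
# repository that was created, so the pipeline role has no GetBranch access to it.
data "aws_iam_policy_document" "account_request_codepipeline_static" {
  statement {
    effect    = "Allow"
    actions   = ["codecommit:GetBranch"]
    resources = ["arn:aws:codecommit:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:account-request"]
  }
}

# Corrected form: reference the repository's ARN, so the policy tracks the
# name the user chose without widening the grant to other repositories.
data "aws_iam_policy_document" "account_request_codepipeline_fixed" {
  statement {
    effect    = "Allow"
    actions   = ["codecommit:GetBranch"]
    resources = [aws_codecommit_repository.account_request.arn]
  }
}

# Attach the corrected document to the role named in the report (policy name assumed).
resource "aws_iam_role_policy" "account_request_codepipeline" {
  name   = "ct-aft-codepipeline-account-request-policy"
  role   = "ct-aft-codepipeline-account-request-role"
  policy = data.aws_iam_policy_document.account_request_codepipeline_fixed.json
}
```

After applying, `aws iam simulate-principal-policy --policy-source-arn <role ARN> --action-names codecommit:GetBranch --resource-arns <repository ARN>` should report `allowed` for the custom repository's ARN; with the static document it reports `implicitDeny` for any name other than account-request.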