From 9bcf9ab75d6ac3d80fbfcb7ed54c6bade6fc29fb Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Thu, 10 Aug 2017 00:53:56 +0600 Subject: [PATCH] Add Support for CodeBuild (#3) * Added code buil * Added code build * Added code build * Remove provider vars * Added outputs * Added outputs * Added default image * Grant perms to trigger build * Grant perms * Fix bump version * Update main.tf * Bind right versions --- main.tf | 133 +++++++++++++++++++++++++++++++++++++++------------ variables.tf | 8 ++++ 2 files changed, 110 insertions(+), 31 deletions(-) diff --git a/main.tf b/main.tf index 342205f..1108cca 100644 --- a/main.tf +++ b/main.tf 
@@ -1,43 +1,52 @@ # Define composite variables for resources module "label" { - source = "git::https://github.com/cloudposse/tf_label.git" + source = "git::https://github.com/cloudposse/tf_label.git?ref=tags/0.1.0" namespace = "${var.namespace}" name = "${var.name}" stage = "${var.stage}" } - resource "aws_s3_bucket" "default" { bucket = "${module.label.id}" acl = "private" - tags { - Name = "${module.label.id}" - Namespace = "${var.namespace}" - Stage = "${var.stage}" - } + tags = "${module.label.tags}" } -data "aws_iam_policy_document" "codepipeline" { +resource "aws_iam_role" "default" { + name = "${module.label.id}" + + assume_role_policy = "${data.aws_iam_policy_document.assume.json}" +} + +data "aws_iam_policy_document" "assume" { statement { sid = "" actions = [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:GetBucketVersioning", - "s3:PutObject", + "sts:AssumeRole", ] - resources = [ - "${aws_s3_bucket.default.arn}", - "${aws_s3_bucket.default.arn}/*", - "arn:aws:s3:::elasticbeanstalk*", - ] + principals { + type = "Service" + identifiers = ["codepipeline.amazonaws.com"] + } effect = "Allow" } +} + +resource "aws_iam_role_policy_attachment" "default" { + role = "${aws_iam_role.default.id}" + policy_arn = "${aws_iam_policy.default.arn}" +} +resource "aws_iam_policy" "default" { + name = "${module.label.id}" + policy = "${data.aws_iam_policy_document.default.json}" +} + +data "aws_iam_policy_document" "default" { statement { sid = "" 
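Review bot: The `source` pin added to the `label` module uses a git tag (`?ref=tags/0.1.0`), which the upstream repository owner can move or recreate, so module code that runs with this stack's credentials can still change without any diff here. Pinning to a full commit hash, `source = "git::https://github.com/cloudposse/tf_label.git?ref=<full-commit-sha>"` (placeholder, the page does not give the hash), makes the dependency immutable. The same applies to the `tf_codebuild` source in the `module "build"` block in the next hunk. Separately, the `assume` policy document would benefit from a comment such as `# Trust policy: only the CodePipeline service may assume this role`, since it now sits beside several similarly named permission policies.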
@@ -61,33 +70,74 @@ data "aws_iam_policy_document" "codepipeline" { } } -data "aws_iam_policy_document" "assume" { +resource "aws_iam_role_policy_attachment" "s3" { + role = "${aws_iam_role.default.id}" + policy_arn = "${aws_iam_policy.s3.arn}" +} + +resource "aws_iam_policy" "s3" { + name = "${module.label.id}-s3" + policy = "${data.aws_iam_policy_document.s3.json}" +} + +data "aws_iam_policy_document" "s3" { statement { sid = "" actions = [ - "sts:AssumeRole", + "s3:GetObject", + "s3:GetObjectVersion", + "s3:GetBucketVersioning", + "s3:PutObject", ] - principals { - type = "Service" - identifiers = ["codepipeline.amazonaws.com"] - } + resources = [ + "${aws_s3_bucket.default.arn}", + "${aws_s3_bucket.default.arn}/*", + "arn:aws:s3:::elasticbeanstalk*", + ] effect = "Allow" } } -resource "aws_iam_role" "default" { - name = "${module.label.id}" +resource "aws_iam_role_policy_attachment" "codebuild" { + role = "${aws_iam_role.default.id}" + policy_arn = "${aws_iam_policy.codebuild.arn}" +} - assume_role_policy = "${data.aws_iam_policy_document.assume.json}" + +resource "aws_iam_policy" "codebuild" { + name = "${module.label.id}-codebuild" + policy = "${data.aws_iam_policy_document.codebuild.json}" } -resource "aws_iam_role_policy" "codepipeline" { - name = "${module.label.id}" - role = "${aws_iam_role.default.id}" - policy = "${data.aws_iam_policy_document.codepipeline.json}" +data "aws_iam_policy_document" "codebuild" { + statement { + sid = "" + + actions = [ + "codebuild:*", + ] + + resources = ["${module.build.project_id}"] + effect = "Allow" + } +} + +module "build" { + source = "git::https://github.com/cloudposse/tf_codebuild.git?ref=tags/0.1.0" + namespace = "${var.namespace}" + name = "${var.name}-build" + stage = "${var.stage}" + + image = "${var.build_image}" + instance_size = "${var.build_instance_size}" +} + +resource "aws_iam_role_policy_attachment" "codebuild_s3" { + role = "${module.build.role_arn}" + policy_arn = "${aws_iam_policy.s3.arn}" } resource 
"aws_codepipeline" "default" { @@ -120,6 +170,25 @@ resource "aws_codepipeline" "default" { } } + stage { + name = "Build" + + action { + name = "Compose" + category = "Build" + owner = "AWS" + provider = "CodeBuild" + version = "1" + + input_artifacts = ["code"] + output_artifacts = ["package"] + + configuration { + ProjectName = "${module.build.project_name}" + } + } + } + stage { name = "Deploy" @@ -128,7 +197,7 @@ resource "aws_codepipeline" "default" { category = "Deploy" owner = "AWS" provider = "ElasticBeanstalk" - input_artifacts = ["code"] + input_artifacts = ["package"] version = "1" configuration { @@ -137,4 +206,6 @@ resource "aws_codepipeline" "default" { } } } + + tags = "${module.label.tags}" } diff --git a/variables.tf b/variables.tf index 8fadd61..c50abf3 100644 --- a/variables.tf +++ b/variables.tf @@ -25,3 +25,11 @@ variable "repo_owner" {} variable "repo_name" {} variable "branch" {} + +variable "build_image" { + default = "alpine" +} + +variable "build_instance_size" { + default = "BUILD_GENERAL1_SMALL" +}
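Review bot: The `codebuild` policy document grants `codebuild:*` on the build project to the pipeline role, which includes updating or deleting the project, actions the pipeline does not need. Listing only what the Build stage uses, `actions = ["codebuild:StartBuild", "codebuild:BatchGetBuilds"]`, keeps the role to least privilege. In `aws_iam_role_policy_attachment.codebuild_s3`, `role` expects a role name but is given an output called `role_arn`; if that output really is an ARN the attachment will fail, though the module is not visible here to confirm. That attachment also gives the build role the shared `s3` policy, whose `arn:aws:s3:::elasticbeanstalk*` resource lets code running inside a build write to any reachable bucket with that prefix. A separate policy limited to `${aws_s3_bucket.default.arn}` and its objects would fit the build role better.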
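Review bot: `build_image` in variables.tf defaults to the bare name `alpine`, with no version tag or digest, so the build environment can change whenever the upstream image is republished and builds are not reproducible. A pinned default such as `default = "alpine:<version>"` (placeholder; use a release you have vetted) or an image digest is safer, assuming the `tf_codebuild` module passes the value through as an image reference, which is not visible here. Both new variables also lack a `description`, for example `description = "Docker image for the CodeBuild environment"` and `description = "CodeBuild compute type"`.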