Added terraform files to create cross-account codepipeline

.gitignore

@@ -0,0 +1,4 @@
+terraform.tfstate*
+.terraform/
+.build-harness
+build-harness

conf.auto.tfvars

@@ -0,0 +1,13 @@
+accounts = {
+  pipeline = "111222333444"
+  target   = "555666777888"
+}
+
+github = {
+  owner  = ""
+  repo   = ""
+  branch = ""
+}
+
+region         = "eu-west-1"
+terraform_role = "TerraformUser"

main.tf

@@ -0,0 +1,29 @@
+module "pipeline" {
+  source = "./pipeline-account"
+
+  github             = var.github
+  region             = var.region
+  target_role_arn    = module.target.target_role_arn
+  target_bucket_name = var.target_bucket_name
+  target_kms_key_arn = module.target.kms_key_arn
+
+  providers = {
+    "aws" = "aws.pipeline"
+  }
+}
+
+module "target" {
+  source = "./target-account"
+
+  artifact_bucket_arn   = module.pipeline.artifact_bucket_arn
+  bucket_name           = var.target_bucket_name
+  codepipeline_role_arn = module.pipeline.codepipeline_role_arn
+
+  providers = {
+    "aws" = "aws.target"
+  }
+}
+
+output "test" {
+  value = module.pipeline.pipeline_arn
+}

pipeline-account/codepipeline.tf

@@ -0,0 +1,56 @@
+resource "aws_codepipeline" "pipeline" {
+  name     = var.pipeline_name
+  role_arn = aws_iam_role.codepipeline.arn
+
+  artifact_store {
+    location = aws_s3_bucket.artifact-bucket.bucket
+    type     = "S3"
+
+    encryption_key {
+      id   = aws_kms_key.artifacts.arn
+      type = "KMS"
+    }
+  }
+
+  stage {
+    name = "Source"
+
+    action {
+      category = "Source"
+      name     = "Source"
+      owner    = "ThirdParty"
+      provider = "GitHub"
+      version  = "1"
+
+      output_artifacts = ["SourceArtifact"]
+
+      configuration = {
+        Owner  = var.github["owner"]
+        Repo   = var.github["repo"]
+        Branch = var.github["branch"]
+      }
+    }
+  }
+
+  stage {
+    name = "Deploy"
+
+    action {
+      name            = "Deploy"
+      category        = "Deploy"
+      owner           = "AWS"
+      provider        = "S3"
+      version         = "1"
+      run_order       = "1"
+      role_arn        = var.target_role_arn
+      input_artifacts = ["SourceArtifact"]
+
+      configuration = {
+        ObjectKey           = "DeployedArtifacts"
+        Extract             = "false"
+        BucketName          = var.target_bucket_name
+        KMSEncryptionKeyARN = var.target_kms_key_arn
+      }
+    }
+  }
+}

pipeline-account/data.tf

@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}

pipeline-account/iam_policy.tf

@@ -0,0 +1,3 @@
+resource "aws_iam_policy" "codepipeline" {
+  policy = data.aws_iam_policy_document.codepipeline.json
+}

pipeline-account/iam_policy_attachment.tf

@@ -0,0 +1,5 @@
+resource "aws_iam_policy_attachment" "codepipeline" {
+  name       = "codepipeline-role-attachment"
+  roles      = [aws_iam_role.codepipeline.name]
+  policy_arn = aws_iam_policy.codepipeline.arn
+}

pipeline-account/iam_policy_document.tf

@@ -0,0 +1,129 @@
+data "aws_iam_policy_document" "kms-usage" {
+  statement {
+    sid    = "Enable IAM User Permissions"
+    effect = "Allow"
+
+    actions = [
+      "kms:*"
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "Allow use of the key"
+    effect = "Allow"
+
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        # local.pipeline_arn
+        "*"
+      ]
+    }
+
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "Allow attachment of persistent resources"
+    effect = "Allow"
+
+    actions = [
+      "kms:CreateGrant",
+      "kms:ListGrants",
+      "kms:RevokeGrant"
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        # local.pipeline_arn
+        "*"
+      ]
+    }
+
+    resources = ["*"]
+
+    condition {
+      test     = "Bool"
+      variable = "kms:GrantIsForAWSResource"
+      values   = ["true"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "codepipeline" {
+  statement {
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    resources = [
+      var.target_role_arn,
+    ]
+  }
+
+  statement {
+    actions = [
+      "s3:GetObject",
+      "s3:PutObject"
+    ]
+
+    resources = [
+      aws_s3_bucket.artifact-bucket.arn,
+      "${aws_s3_bucket.artifact-bucket.arn}/*",
+    ]
+  }
+
+  statement {
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents"
+    ]
+
+    resources = ["*"]
+  }
+
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "s3:PutObject",
+      "s3:GetObject",
+      "s3:ListBucket",
+    ]
+
+    resources = [
+      "arn:aws:s3:::${var.target_bucket_name}/*",
+      "arn:aws:s3:::${var.target_bucket_name}"
+    ]
+  }
+
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt"
+    ]
+
+    resources = [
+      var.target_kms_key_arn,
+    ]
+  }
+}

pipeline-account/iam_role.tf

@@ -0,0 +1,25 @@
+resource "aws_iam_role" "codepipeline" {
+  name = "ExamplePipeline"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "codepipeline.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    },
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "codebuild.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}

pipeline-account/kms_key.tf

@@ -0,0 +1,3 @@
+resource "aws_kms_key" "artifacts" {
+  policy = data.aws_iam_policy_document.kms-usage.json
+}

pipeline-account/output.tf

@@ -0,0 +1,15 @@
+output "artifact_bucket_arn" {
+  value = aws_s3_bucket.artifact-bucket.arn
+}
+
+output "codepipeline_role_arn" {
+  value = aws_iam_role.codepipeline.arn
+}
+
+output "kms_policy" {
+  value = data.aws_iam_policy_document.kms-usage.json
+}
+
+output "pipeline_arn" {
+  value = local.pipeline_arn
+}

pipeline-account/providers.tf

@@ -0,0 +1 @@
+provider "aws" {}

pipeline-account/s3_bucket.tf

@@ -0,0 +1,8 @@
+resource "aws_s3_bucket" "artifact-bucket" {
+  bucket = var.artifact_bucket_name
+  acl    = "private"
+
+  versioning {
+    enabled = true
+  }
+}

pipeline-account/variables.tf

@@ -0,0 +1,33 @@
+variable "github" {
+  type = "map"
+}
+
+variable "region" {
+  type = "string"
+}
+
+variable "target_role_arn" {
+  type = "string"
+}
+
+variable "target_bucket_name" {
+  type = "string"
+}
+
+variable "target_kms_key_arn" {
+  type = "string"
+}
+
+variable "artifact_bucket_name" {
+  type    = "string"
+  default = "example-codepipeline-cross-account-pipeline-artifact-bucket"
+}
+
+variable "pipeline_name" {
+  type    = "string"
+  default = "ExamplePipeline"
+}
+
+locals {
+  pipeline_arn = "arn:aws:codepipeline:${replace(var.region, "-", "")}:${data.aws_caller_identity.current.account_id}:${var.pipeline_name}"
+}

providers.tf

@@ -0,0 +1,17 @@
+provider "aws" {
+  alias  = "target"
+  region = "${var.region}"
+
+  assume_role {
+    role_arn = "arn:aws:iam::${var.accounts["target"]}:role/${var.terraform_role}"
+  }
+}
+
+provider "aws" {
+  alias  = "pipeline"
+  region = "${var.region}"
+
+  assume_role {
+    role_arn = "arn:aws:iam::${var.accounts["pipeline"]}:role/${var.terraform_role}"
+  }
+}

target-account/data.tf

@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}

target-account/iam_policy.tf

@@ -0,0 +1,3 @@
+resource "aws_iam_policy" "target" {
+  policy = data.aws_iam_policy_document.target.json
+}

target-account/iam_policy_attachment.tf

@@ -0,0 +1,5 @@
+resource "aws_iam_policy_attachment" "target" {
+  name       = "target-role-attachment"
+  roles      = [aws_iam_role.target.name]
+  policy_arn = aws_iam_policy.target.arn
+}