feat: Add additional deployment roles and permissions. (#21)

Author: jamesiarmes

.github/workflows/deploy.yaml

@@ -38,6 +38,7 @@ jobs:
       TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY: ${{ secrets.TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY }}
       TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT: ${{ secrets.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
       TF_VAR_DELETION_PROTECTION: ${{ secrets.TF_VAR_DELETION_PROTECTION }}
+      TF_VAR_DEPLOYMENT_ENVIRONMENTS: ${{ secrets.TF_VAR_DEPLOYMENT_ENVIRONMENTS }}
       TF_VAR_ENVIRONMENT: ${{ secrets.TF_VAR_ENVIRONMENT }}
       TF_VAR_EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
       TF_VAR_KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
@@ -82,6 +83,7 @@ jobs:
           APPLY_DATABASE_UPDATES_IMMEDIATELY: ${{ secrets.TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY }}
           DATABASE_SKIP_FINAL_SNAPSHOT: ${{ secrets.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
           DELETION_PROTECTION: ${{ secrets.TF_VAR_DELETION_PROTECTION }}
+          DEPLOYMENT_ENVIRONMENTS: ${{ secrets.TF_VAR_DEPLOYMENT_ENVIRONMENTS }}
           ENVIRONMENT: ${{ secrets.TF_VAR_ENVIRONMENT }}
           EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
           KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
@@ -91,8 +93,9 @@ jobs:
         run: |
           variables=(
             "apply_database_updates_immediately" "database_skip_final_snapshot"
-            "deletion_protection" "environment" "export_expiration"
-            "key_recovery_period" "program" "project" "repository"
+            "deletion_protection" "deployment_environments" "environment"
+            "export_expiration" "key_recovery_period" "program" "project"
+            "repository"
           )
           for var in ${variables[@]}; do
             name="$(echo $var | tr '[:lower:]' '[:upper:]')"

.github/workflows/plan.yaml

@@ -22,6 +22,8 @@ on:
         required: false
       TF_VAR_DELETION_PROTECTION:
         required: false
+      TF_VAR_DEPLOYMENT_ENVIRONMENTS:
+        required: false
       TF_VAR_ENVIRONMENT:
         required: false
       TF_VAR_EXPORT_EXPIRATION:
@@ -92,6 +94,7 @@ jobs:
           APPLY_DATABASE_UPDATES_IMMEDIATELY: ${{ secrets.TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY }}
           DATABASE_SKIP_FINAL_SNAPSHOT: ${{ secrets.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
           DELETION_PROTECTION: ${{ secrets.TF_VAR_DELETION_PROTECTION }}
+          DEPLOYMENT_ENVIRONMENTS: ${{ secrets.TF_VAR_DEPLOYMENT_ENVIRONMENTS }}
           ENVIRONMENT: ${{ secrets.TF_VAR_ENVIRONMENT }}
           EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
           KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
@@ -101,8 +104,9 @@ jobs:
         run: |
           variables=(
             "apply_database_updates_immediately" "database_skip_final_snapshot"
-            "deletion_protection" "environment" "export_expiration"
-            "key_recovery_period" "program" "project" "repository"
+            "deletion_protection" "deployment_environments" "environment"
+            "export_expiration" "key_recovery_period" "program" "project"
+            "repository"
           )
           for var in ${variables[@]}; do
             name="$(echo $var | tr '[:lower:]' '[:upper:]')"

.github/workflows/pull-request.yaml

@@ -67,10 +67,12 @@ jobs:
       TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY: ${{ secrets.TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY }}
       TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT: ${{ secrets.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
       TF_VAR_DELETION_PROTECTION: ${{ secrets.TF_VAR_DELETION_PROTECTION }}
+      TF_VAR_DEPLOYMENT_ENVIRONMENTS: ${{ secrets.TF_VAR_DEPLOYMENT_ENVIRONMENTS }}
       TF_VAR_EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
       TF_VAR_KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
       TF_VAR_PROGRAM: ${{ secrets.TF_VAR_PROGRAM }}
       TF_VAR_REPO_OIDC_ARN: ${{ secrets.TF_VAR_REPO_OIDC_ARN }}
+      TF_VAR_REPOSITORY: ${{ secrets.TF_VAR_REPOSITORY }}
       TF_VAR_VPC_CIDR: ${{ secrets.TF_VAR_VPC_CIDR }}
       TF_VAR_VPC_PRIVATE_SUBNET_CIDRS: ${{ secrets.TF_VAR_VPC_PRIVATE_SUBNET_CIDRS }}
       TF_VAR_VPC_PUBLIC_SUBNET_CIDRS: ${{ secrets.TF_VAR_VPC_PUBLIC_SUBNET_CIDRS }}

tofu/config/foundation/main.tf

@@ -41,6 +41,19 @@ module "deployment" {
   tags        = resource.aws_servicecatalogappregistry_application.application.application_tag
 }
 
+# Create deployment resources for any deployment environments specified.
+module "deployment_environments" {
+  source = "../../modules/deployment"
+  for_each = toset(var.deployment_environments)
+
+  environment = "development"
+  system_environment = each.value
+  oidc_arn    = var.repo_oidc_arn
+  project     = var.project
+  repository  = var.repository
+  tags        = resource.aws_servicecatalogappregistry_application.application.application_tag
+}
+
 module "outputs" {
   source = "../../modules/outputs"
 

tofu/config/foundation/outputs.tf

@@ -8,6 +8,11 @@ output "deployment_role_arn" {
   description = "The ARN of the deployment role for system components."
 }
 
+output "environment_deployment_roles" {
+  value       = { for env, mod in module.deployment_environments : env => mod.role_arn }
+  description = "The ARN of the deployment role for the dev-cdii environment."
+}
+
 output "logging_bucket" {
   value       = module.logging.bucket
   description = "The name of the S3 bucket for logging."

tofu/config/foundation/variables.tf

@@ -1,3 +1,9 @@
+variable "deployment_environments" {
+  type        = list(string)
+  description = "List of deployment environments to create permissions for. This is useful if you'll be deploying multiple service environments within the same infrastructure environment."
+  default     = []
+}
+
 variable "environment" {
   type        = string
   description = "Environment for the deployment."

tofu/modules/deployment/locals.tf

@@ -0,0 +1,3 @@
+locals {
+  system_environment = coalesce(var.system_environment, var.environment)
+}

tofu/modules/deployment/main.tf

@@ -1,5 +1,5 @@
 resource "aws_iam_role" "deployment" {
-  name = "${var.project}-${var.environment}-deployment-role"
+  name = "${var.project}-${local.system_environment}-deployment-role"
   assume_role_policy = jsonencode(yamldecode(templatefile("${path.module}/templates/assume-policy.yaml.tftpl", {
     oidc_arn : var.oidc_arn
     repository : var.repository
@@ -9,7 +9,7 @@ resource "aws_iam_role" "deployment" {
 }
 
 resource "aws_iam_role_policy" "deployment" {
-  name = "${var.project}-${var.environment}-deployment-policy"
+  name = "${var.project}-${local.system_environment}-deployment-policy"
   role = aws_iam_role.deployment.name
 
   policy = jsonencode(yamldecode(templatefile("${path.module}/templates/iam-policy.yaml.tftpl", {
@@ -18,5 +18,6 @@ resource "aws_iam_role_policy" "deployment" {
     region : data.aws_region.current.region
     partition : data.aws_partition.current.partition
     project : var.project
+    system_environment : local.system_environment
   })))
 }

tofu/modules/deployment/templates/iam-policy.yaml.tftpl

@@ -1,5 +1,79 @@
 Version: "2012-10-17"
 Statement:
+- Sid: InfraStateAccess
+  Effect: Allow
+  Action:
+    - s3:CreateBucket
+    - s3:ListBucket
+    - s3:GetBucketLocation
+    - s3:GetObject
+    - s3:PutObject
+    - s3:DeleteObject
+  Resource:
+    - arn:${partition}:s3:::${project}-${environment}-tfstate
+    - arn:${partition}:s3:::${project}-${environment}-tfstate/*
+- Sid: InfraLockAccess
+  Effect: Allow
+  Action:
+    - dynamodb:CreateTable
+    - dynamodb:DescribeTable
+    - dynamodb:DeleteTable
+    - dynamodb:UpdateTable
+    - dynamodb:GetItem
+    - dynamodb:PutItem
+    - dynamodb:DeleteItem
+  Resource:
+    - arn:${partition}:dynamodb:${region}:${account_id}:table/${environment}.tfstate
+
+- Sid: ServiceCatalogAccess
+  Effect: Allow
+  Action:
+  - servicecatalog:CreateApplication
+  - servicecatalog:GetApplication
+  - servicecatalog:DeleteApplication
+  - servicecatalog:ListTagsForResource
+  - servicecatalog:TagResource
+  - servicecatalog:UntagResource
+  - servicecatalog:UpdateApplication
+  Resource: "*"
+  Condition:
+    ForAnyValue:StringEquals:
+      aws:ResourceTag/project: sqs-senzing
+
+- Sid: SQSAccess
+  Effect: Allow
+  Action:
+  - sqs:CreateQueue
+  - sqs:DeleteQueue
+  - sqs:GetQueueAttributes
+  - sqs:GetQueueUrl
+  - sqs:ListQueues
+  - sqs:ListQueueTags
+  - sqs:SetQueueAttributes
+  - sqs:TagQueue
+  - sqs:UntagQueue
+  Resource: arn:${partition}:sqs:${region}:${account_id}:${project}-${system_environment}-*
+
+- Sid: S3Access
+  Effect: Allow
+  Action:
+  - s3:CreateBucket
+  - s3:DeleteBucket
+  - s3:DeleteObject
+  - s3:GetBucketAcl
+  - s3:GetBucketLocation
+  - s3:GetBucketPolicy
+  - s3:GetBucketTagging
+  - s3:GetObject
+  - s3:ListBucket
+  - s3:PutBucketAcl
+  - s3:PutBucketPolicy
+  - s3:PutBucketTagging
+  - s3:PutObject
+  Resource:
+  - arn:${partition}:s3:::${project}-${system_environment}-*
+  - arn:${partition}:s3:::${project}-${system_environment}-*/*
+
 - Effect: Allow
   Action:
   - ec2:DescribeAddresses

tofu/modules/deployment/variables.tf

@@ -4,6 +4,12 @@ variable "environment" {
   default     = "development"
 }
 
+variable "system_environment" {
+  type        = string
+  description = "Environment name for the system, if different from the deployment environment."
+  default     = null
+}
+
 variable "oidc_arn" {
   type        = string
   description = "ARN of the OpenID Connect provider for the GitHub repository."