Introduce elastio-iam-policies terraform module

Author: Veetaha

.editorconfig

@@ -0,0 +1,2 @@
+[*.ts]
+indent_size = 2

.githooks/pre-commit

@@ -42,6 +42,11 @@ if command_exists terraform-docs; then
   done
 fi
 
+if command_exists npm; then
+  npm run codegen
+  files="$files $script_dir/../iam-policies/terraform/policies"
+fi
+
 if command_exists ./node_modules/.bin/prettier; then
   echo "$files" | xargs ./node_modules/.bin/prettier --ignore-unknown --write
 fi

.github/actions/collect-meta/action.yaml

@@ -0,0 +1,29 @@
+name: Collect metadata about the repository
+description: >
+  Looks for modules and examples in the repository and outputs their paths.
+
+outputs:
+  tf-modules:
+    description: Paths to the Terraform modules found in the repository
+    value: ${{ steps.find-modules.outputs.tf-modules }}
+
+  tf-examples:
+    description: Paths to the Terraform examples found in the repository
+    value: ${{ steps.find-examples.outputs.tf-examples }}
+
+runs:
+  using: composite
+  steps:
+    - name: Find modules
+      id: find-modules
+      run: |
+        tf_modules=$(./.github/scripts/collect-modules.sh | jq -cnR '[inputs]')
+        echo "tf-modules=$tf_modules" > "$GITHUB_OUTPUT"
+      shell: bash
+
+    - name: Find examples
+      id: find-examples
+      run: |
+        tf_examples=$(./.github/scripts/collect-examples.sh | jq -cnR '[inputs]')
+        echo "tf-examples=$tf_examples" > "$GITHUB_OUTPUT"
+      shell: bash

.github/actions/collect-modules/action.yaml

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+git ls-files --cached --others --exclude-standard \
+    | grep '/examples/' \
+    | xargs -I{} dirname {} \
+    | sort -u

.github/scripts/collect-examples.sh

@@ -10,7 +10,6 @@ while IFS= read -r -d '' module_cfg; do
         exit 1
         ;;
     terraform)
-        echo "Found Terraform module in $module_cfg" >&2
         tf_modules+=("$(dirname "$module_cfg")")
         ;;
     esac

.github/scripts/collect-modules.sh

@@ -6,16 +6,16 @@ on:
   pull_request:
 
 jobs:
-  collect-modules:
+  meta:
     runs-on: ubuntu-latest
     outputs:
-      tf-modules: ${{ steps.collect-modules.outputs.tf-modules }}
+      tf-modules: ${{ steps.meta.outputs.tf-modules }}
+      tf-examples: ${{ steps.meta.outputs.tf-examples }}
 
     steps:
       - uses: actions/checkout@v4
-
-      - uses: ./.github/actions/collect-modules
-        id: collect-modules
+      - uses: ./.github/actions/collect-meta
+        id: meta
 
   typos:
     runs-on: ubuntu-latest
@@ -37,13 +37,11 @@ jobs:
 
   terraform-validate:
     runs-on: ubuntu-latest
+    needs: [meta]
 
     strategy:
       matrix:
-        project:
-          - asset-account/terraform/stack-set/examples/self-managed
-          - asset-account/terraform/stack-set/examples/service-managed
-          - connector/terraform/examples/basic
+        terraform_example: ${{fromJson(needs.meta.outputs.tf-modules)}}
 
     steps:
       - uses: actions/checkout@v4
@@ -54,19 +52,18 @@ jobs:
           terraform_wrapper: false
 
       - run: terraform init -input=false
-        working-directory: ${{ matrix.project }}
+        working-directory: ${{ matrix.terraform_example }}
 
       - run: terraform validate
-        working-directory: ${{ matrix.project }}
+        working-directory: ${{ matrix.terraform_example }}
 
   terraform-docs:
     runs-on: ubuntu-latest
-    needs:
-      - collect-modules
+    needs: [meta]
 
     strategy:
       matrix:
-        terraform_module: ${{fromJson(needs.collect-modules.outputs.tf-modules)}}
+        terraform_module: ${{fromJson(needs.meta.outputs.tf-modules)}}
 
     steps:
       - uses: actions/checkout@v4

.github/workflows/ci.yml

@@ -4,26 +4,26 @@ on:
   workflow_dispatch:
 
 jobs:
-  collect-modules:
+  meta:
     runs-on: ubuntu-latest
     outputs:
-      tf-modules: ${{ steps.collect-modules.outputs.tf-modules }}
+      tf-modules: ${{ steps.meta.outputs.tf-modules }}
+      tf-examples: ${{ steps.meta.outputs.tf-examples }}
 
     steps:
       - uses: actions/checkout@v4
-
-      - uses: ./.github/actions/collect-modules
-        id: collect-modules
+      - uses: ./.github/actions/collect-meta
+        id: meta
 
   release-module:
     runs-on: ubuntu-latest
-    needs: ["collect-modules"]
+    needs: [meta]
     permissions:
       contents: write
       actions: write
     strategy:
       matrix:
-        module: ${{fromJson(needs.collect-modules.outputs.tf-modules)}}
+        module: ${{fromJson(needs.meta.outputs.tf-modules)}}
       fail-fast: false
 
     steps:

.github/workflows/release.yml

@@ -7,7 +7,7 @@ module "elastio_asset_account" {
 
   depends_on = [
     # Needs to wait for the execution role in the asset account to be fully created
-    aws_iam_role_policy.execution_deployment,
+    aws_iam_role_policy_attachment.execution_deployment,
 
     # Needs to wait for the admin role in the admin account to be fully created
     aws_iam_role_policy.admin_execution,

asset-account/terraform/stack-set/examples/self-managed/admin.tf

@@ -18,18 +18,16 @@ data "aws_iam_policy_document" "execution_trust" {
 }
 
 # Specifies the set of permissions required for the deployment of the Cloudfomation stack
-data "aws_iam_policy_document" "execution_deployment" {
-  statement {
-    actions   = ["*"]
-    effect    = "Allow"
-    resources = ["*"]
-  }
+module "elastio_policies" {
+  # Use this module from the Cloudsmith registry via the URL:
+  # source = "terraform.cloudsmith.io/public/elastio-connector-region/aws"
+  source   = "../../../../../iam-policies/terraform"
+  policies = ["ElastioAssetAccountDeployer"]
 }
 
-resource "aws_iam_role_policy" "execution_deployment" {
+resource "aws_iam_role_policy_attachment" "execution_deployment" {
   provider = aws.asset
 
-  name   = "Deployment"
-  policy = data.aws_iam_policy_document.execution_deployment.json
-  role   = aws_iam_role.execution.name
+  policy_arn = module.elastio_policies.policies.ElastioAssetAccountDeployer.arn
+  role       = aws_iam_role.execution.name
 }