Introduce elastio-iam-policies terraform module (#101)

This PR introduces the `elastio-iam-policies` module with the initial
IAM policy code generated via the TypeScript code.
The first policy that I added lists the IAM permissions required to
deploy the Elastio Asset Account stack.


I did the codegen here for several reasons:
- I expect that we'll extend the set of IAM policies with permission
boundaries in the future and it'll be very important to have shared code
that handles them by taking subsets of the golden
`ElastioCloudConnector` role policy. Plus we may need to support CFN
variant of the same stack in the future.
- I found an [amazing `npm`
package](https://github.com/JuroOravec/aws-iam-policy-types/tree/main)
that adds type definitions for IAM actions making it impossible to fuck
up the IAM actions in IAM policy definitions

Author: Veetaha

.editorconfig

@@ -0,0 +1,2 @@
+[*.ts]
+indent_size = 2

.githooks/pre-commit

@@ -42,6 +42,11 @@ if command_exists terraform-docs; then
   done
 fi
 
+if command_exists npm; then
+  npm run codegen
+  files="$files $script_dir/../iam-policies/terraform/policies"
+fi
+
 if command_exists ./node_modules/.bin/prettier; then
   echo "$files" | xargs ./node_modules/.bin/prettier --ignore-unknown --write
 fi

.github/actions/collect-meta/action.yaml

@@ -0,0 +1,29 @@
+name: Collect metadata about the repository
+description: >
+  Looks for modules and examples in the repository and outputs their paths.
+
+outputs:
+  tf-modules:
+    description: Paths to the Terraform modules found in the repository
+    value: ${{ steps.find-modules.outputs.tf-modules }}
+
+  tf-examples:
+    description: Paths to the Terraform examples found in the repository
+    value: ${{ steps.find-examples.outputs.tf-examples }}
+
+runs:
+  using: composite
+  steps:
+    - name: Find modules
+      id: find-modules
+      run: |
+        tf_modules=$(./.github/scripts/collect-modules.sh | jq -cnR '[inputs]')
+        echo "tf-modules=$tf_modules" > "$GITHUB_OUTPUT"
+      shell: bash
+
+    - name: Find examples
+      id: find-examples
+      run: |
+        tf_examples=$(./.github/scripts/collect-examples.sh | jq -cnR '[inputs]')
+        echo "tf-examples=$tf_examples" > "$GITHUB_OUTPUT"
+      shell: bash

.github/actions/collect-modules/action.yaml

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+git ls-files --cached --others --exclude-standard \
+    | grep '/examples/' \
+    | xargs -I{} dirname {} \
+    | sort -u

.github/scripts/collect-examples.sh

@@ -10,7 +10,6 @@ while IFS= read -r -d '' module_cfg; do
         exit 1
         ;;
     terraform)
-        echo "Found Terraform module in $module_cfg" >&2
         tf_modules+=("$(dirname "$module_cfg")")
         ;;
     esac

.github/scripts/collect-modules.sh

@@ -6,16 +6,16 @@ on:
   pull_request:
 
 jobs:
-  collect-modules:
+  meta:
     runs-on: ubuntu-latest
     outputs:
-      tf-modules: ${{ steps.collect-modules.outputs.tf-modules }}
+      tf-modules: ${{ steps.meta.outputs.tf-modules }}
+      tf-examples: ${{ steps.meta.outputs.tf-examples }}
 
     steps:
       - uses: actions/checkout@v4
-
-      - uses: ./.github/actions/collect-modules
-        id: collect-modules
+      - uses: ./.github/actions/collect-meta
+        id: meta
 
   typos:
     runs-on: ubuntu-latest
@@ -37,13 +37,11 @@ jobs:
 
   terraform-validate:
     runs-on: ubuntu-latest
+    needs: [meta]
 
     strategy:
       matrix:
-        project:
-          - asset-account/terraform/stack-set/examples/self-managed
-          - asset-account/terraform/stack-set/examples/service-managed
-          - connector/terraform/examples/basic
+        terraform_example: ${{fromJson(needs.meta.outputs.tf-modules)}}
 
     steps:
       - uses: actions/checkout@v4
@@ -54,19 +52,18 @@ jobs:
           terraform_wrapper: false
 
       - run: terraform init -input=false
-        working-directory: ${{ matrix.project }}
+        working-directory: ${{ matrix.terraform_example }}
 
       - run: terraform validate
-        working-directory: ${{ matrix.project }}
+        working-directory: ${{ matrix.terraform_example }}
 
   terraform-docs:
     runs-on: ubuntu-latest
-    needs:
-      - collect-modules
+    needs: [meta]
 
     strategy:
       matrix:
-        terraform_module: ${{fromJson(needs.collect-modules.outputs.tf-modules)}}
+        terraform_module: ${{fromJson(needs.meta.outputs.tf-modules)}}
 
     steps:
       - uses: actions/checkout@v4
@@ -129,3 +126,21 @@ jobs:
           cache: "npm"
       - run: npm ci --ignore-scripts
       - run: npx prettier --check .
+
+  codegen-freshness:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+          cache: "npm"
+
+      - run: npm ci --ignore-scripts
+      - run: cd codegen && npm ci --ignore-scripts
+      - run: npm run codegen
+
+      - run: >-
+          git diff --exit-code --color=always || ( echo "Generated code is
+          out-of-date. See the diff above." && exit 1 )

.github/workflows/ci.yml

@@ -4,26 +4,26 @@ on:
   workflow_dispatch:
 
 jobs:
-  collect-modules:
+  meta:
     runs-on: ubuntu-latest
     outputs:
-      tf-modules: ${{ steps.collect-modules.outputs.tf-modules }}
+      tf-modules: ${{ steps.meta.outputs.tf-modules }}
+      tf-examples: ${{ steps.meta.outputs.tf-examples }}
 
     steps:
       - uses: actions/checkout@v4
-
-      - uses: ./.github/actions/collect-modules
-        id: collect-modules
+      - uses: ./.github/actions/collect-meta
+        id: meta
 
   release-module:
     runs-on: ubuntu-latest
-    needs: ["collect-modules"]
+    needs: [meta]
     permissions:
       contents: write
       actions: write
     strategy:
       matrix:
-        module: ${{fromJson(needs.collect-modules.outputs.tf-modules)}}
+        module: ${{fromJson(needs.meta.outputs.tf-modules)}}
       fail-fast: false
 
     steps:

.github/workflows/release.yml

@@ -7,7 +7,7 @@ module "elastio_asset_account" {
 
   depends_on = [
     # Needs to wait for the execution role in the asset account to be fully created
-    aws_iam_role_policy.execution_deployment,
+    aws_iam_role_policy_attachment.execution_deployment,
 
     # Needs to wait for the admin role in the admin account to be fully created
     aws_iam_role_policy.admin_execution,

asset-account/terraform/stack-set/examples/self-managed/admin.tf

@@ -18,18 +18,16 @@ data "aws_iam_policy_document" "execution_trust" {
 }
 
 # Specifies the set of permissions required for the deployment of the Cloudfomation stack
-data "aws_iam_policy_document" "execution_deployment" {
-  statement {
-    actions   = ["*"]
-    effect    = "Allow"
-    resources = ["*"]
-  }
+module "elastio_policies" {
+  # Use this module from the Cloudsmith registry via the URL in real code:
+  # source = "terraform.cloudsmith.io/public/elastio-iam-policies/aws"
+  source   = "../../../../../iam-policies/terraform"
+  policies = ["ElastioAssetAccountDeployer"]
 }
 
-resource "aws_iam_role_policy" "execution_deployment" {
+resource "aws_iam_role_policy_attachment" "execution_deployment" {
   provider = aws.asset
 
-  name   = "Deployment"
-  policy = data.aws_iam_policy_document.execution_deployment.json
-  role   = aws_iam_role.execution.name
+  policy_arn = module.elastio_policies.policies.ElastioAssetAccountDeployer.arn
+  role       = aws_iam_role.execution.name
 }