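--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -3,6 +3,7 @@ module "iam_user" {
   name = var. name
 
   deploy_image_scanning = local. deploy_image_scanning
+  use_standalone_scanner = var. use_standalone_scanner
 
   ssm_secure_api_token_arn = module. ssm . secure_api_token_secret_arn
   cloudtrail_s3_bucket_arn = length (module. cloudtrail ) > 0 ? module. cloudtrail [0 ]. s3_bucket_arn : " *"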
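--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -1,4 +1,5 @@
 resource "aws_iam_user_policy" "cloud_scanner" {
+
   name = " ${ var . name } -cs"
   user = data. aws_iam_user . this . user_name
   policy = data. aws_iam_policy_document . cloud_scanner . json
@@ -17,16 +18,18 @@ data "aws_iam_policy_document" "cloud_scanner" {
     resources = [var . cloudtrail_subscribed_sqs_arn ]
   }
 
-  statement {
-    sid = " AllowScanningCodeBuildStartBuild"
-    effect = " Allow"
-    actions = [
-      " codebuild:StartBuild"
-    ]
-    resources = [var . scanning_codebuild_project_arn ]
+  dynamic "statement" {
+    for_each = var. use_standalone_scanner ? [1 ] : []
+    content {
+      sid = " AllowScanningCodeBuildStartBuild"
+      effect = " Allow"
+      actions = [
+        " codebuild:StartBuild"
+      ]
+      resources = [var . scanning_codebuild_project_arn ]
+    }
   }
 
-
   statement {
     sid = " AllowScanningECRRead"
     effect = " Allow"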
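Review bot: The new `dynamic "statement"` block gates the `codebuild:StartBuild` grant on `use_standalone_scanner` without saying why, so a reader has to trace the flag back through the calling modules to understand which scanner needs the CodeBuild permission; add above the block `# Only the standalone scanner starts the scanning CodeBuild project; the grant is left off the user's policy otherwise (least privilege).` The `data "aws_iam_policy_document" "cloud_scanner"` block starts before this hunk and its remaining statements continue after it. In the first hunk of this file, the added empty line directly after `resource "aws_iam_user_policy" "cloud_scanner" {` looks unintentional. If `scanning_codebuild_project_arn` has no default (its type and default lines are not in this diff), callers that keep the inline scanner still have to supply an ARN that the policy never references; a default would let them omit it.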
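--- a/PATH_NOT_SHOWN_ON_PAGE_3
+++ b/PATH_NOT_SHOWN_ON_PAGE_3
@@ -14,6 +14,11 @@ variable "scanning_codebuild_project_arn" {
   description = " ARN of codebuild to launch the image scanning process"
 }
 
+variable "use_standalone_scanner" {
+  type = bool
+  description = " true/false whether use inline scanner or not"
+  default = false
+}
 
 # ---------------------------------
 # optionals - with default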
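Review bot: The description `" true/false whether use inline scanner or not"` on the new `use_standalone_scanner` variable contradicts the variable's name and does not say which value selects which scanner; in the cloud_scanner policy document of this commit it is `true` that adds the `codebuild:StartBuild` statement. Replace it with `description = "When true the standalone scanner is used and the IAM user is granted codebuild:StartBuild on the scanning CodeBuild project; when false (inline scanner) that permission is not granted."` The identical variable block added in the last file of this commit carries the same description and should get the same text, since both files appear to declare the flag at different module levels.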
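--- a/PATH_NOT_SHOWN_ON_PAGE_4
+++ b/PATH_NOT_SHOWN_ON_PAGE_4
@@ -1,4 +1,3 @@
-
 resource "aws_iam_user" "this" {
   name = var. name
   force_destroy = true
@@ -12,7 +11,6 @@ resource "aws_iam_access_key" "this" {
 }
 
 
-
 module "credentials_general" {
   source = " ../general"
   name = var. name
@@ -43,6 +41,7 @@ module "credentials_cloud_scanning" {
   sfc_user_name = aws_iam_user. this . name
   scanning_codebuild_project_arn = var. scanning_codebuild_project_arn
   cloudtrail_subscribed_sqs_arn = var. cloudtrail_subscribed_sqs_arn
+  use_standalone_scanner = var. use_standalone_scanner
 
   depends_on = [aws_iam_user . this ]
 }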
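--- a/PATH_NOT_SHOWN_ON_PAGE_5
+++ b/PATH_NOT_SHOWN_ON_PAGE_5
@@ -8,6 +8,11 @@ variable "deploy_image_scanning" {
   default = true
 }
 
+variable "use_standalone_scanner" {
+  type = bool
+  description = " true/false whether use inline scanner or not"
+  default = false
+}
 
 # permission defaults to all resources; ARN *
 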