
Commit be40cda

committed
feat: permission are created based on binary scanner use
1 parent 0631890 commit be40cda


5 files changed

+23
-10
lines changed


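--- a/examples/single-account-k8s/credentials.tf
+++ b/examples/single-account-k8s/credentials.tf
@@ -3,6 +3,7 @@ module "iam_user" {
 name = var.name
 
 deploy_image_scanning = local.deploy_image_scanning
+use_standalone_scanner = var.use_standalone_scanner
 
 ssm_secure_api_token_arn = module.ssm.secure_api_token_secret_arn
 cloudtrail_s3_bucket_arn = length(module.cloudtrail) > 0 ? module.cloudtrail[0].s3_bucket_arn : "*"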

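--- a/modules/infrastructure/permissions/cloud-scanning/main.tf
+++ b/modules/infrastructure/permissions/cloud-scanning/main.tf
@@ -1,4 +1,5 @@
 resource "aws_iam_user_policy" "cloud_scanner" {
+
 name = "${var.name}-cs"
 user = data.aws_iam_user.this.user_name
 policy = data.aws_iam_policy_document.cloud_scanner.json
@@ -17,16 +18,18 @@ data "aws_iam_policy_document" "cloud_scanner" {
 resources = [var.cloudtrail_subscribed_sqs_arn]
 }
 
-statement {
-sid = "AllowScanningCodeBuildStartBuild"
-effect = "Allow"
-actions = [
-"codebuild:StartBuild"
-]
-resources = [var.scanning_codebuild_project_arn]
+dynamic "statement" {
+for_each = var.use_standalone_scanner ? [1] : []
+content {
+sid = "AllowScanningCodeBuildStartBuild"
+effect = "Allow"
+actions = [
+"codebuild:StartBuild"
+]
+resources = [var.scanning_codebuild_project_arn]
+}
 }
 
-
 statement {
 sid = "AllowScanningECRRead"
 effect = "Allow"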
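Review bot: The `dynamic "statement"` in the second hunk has no comment explaining why `codebuild:StartBuild` is now conditional, and since the new variable defaults to `false` (per the variables.tf hunks in this commit) the grant disappears from every existing user of this module that does not opt in — a sound least-privilege tightening, but one a reader of this policy should be told about. Suggest above `dynamic "statement"`: `# codebuild:StartBuild is granted only when use_standalone_scanner is true (default false); existing deployments must opt in to keep it`. The `var.use_standalone_scanner ? [1] : []` toggle is the standard idiom and reads fine. The blank line inserted directly after the `resource "aws_iam_user_policy" "cloud_scanner" {` opener in the first hunk looks accidental.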

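--- a/modules/infrastructure/permissions/cloud-scanning/variables.tf
+++ b/modules/infrastructure/permissions/cloud-scanning/variables.tf
@@ -14,6 +14,11 @@ variable "scanning_codebuild_project_arn" {
 description = "ARN of codebuild to launch the image scanning process"
 }
 
+variable "use_standalone_scanner" {
+type = bool
+description = "true/false whether use inline scanner or not"
+default = false
+}
 
 #---------------------------------
 # optionals - with default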
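Review bot: The description `"true/false whether use inline scanner or not"` contradicts the variable name `use_standalone_scanner` and the effect the flag has in cloud-scanning/main.tf (it gates the `codebuild:StartBuild` statement), so a reader cannot tell which mode `true` selects. Suggest `description = "Whether the standalone image scanner is used. When true, the IAM user is granted codebuild:StartBuild on the scanning CodeBuild project."`. The same wording is duplicated in modules/infrastructure/permissions/iam-user/variables.tf in this commit and should be corrected there as well.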

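--- a/modules/infrastructure/permissions/iam-user/main.tf
+++ b/modules/infrastructure/permissions/iam-user/main.tf
@@ -1,4 +1,3 @@
-
 resource "aws_iam_user" "this" {
 name = var.name
 force_destroy = true
@@ -12,7 +11,6 @@ resource "aws_iam_access_key" "this" {
 }
 
 
-
 module "credentials_general" {
 source = "../general"
 name = var.name
@@ -43,6 +41,7 @@ module "credentials_cloud_scanning" {
 sfc_user_name = aws_iam_user.this.name
 scanning_codebuild_project_arn = var.scanning_codebuild_project_arn
 cloudtrail_subscribed_sqs_arn = var.cloudtrail_subscribed_sqs_arn
+use_standalone_scanner = var.use_standalone_scanner
 
 depends_on = [aws_iam_user.this]
 }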

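--- a/modules/infrastructure/permissions/iam-user/variables.tf
+++ b/modules/infrastructure/permissions/iam-user/variables.tf
@@ -8,6 +8,11 @@ variable "deploy_image_scanning" {
 default = true
 }
 
+variable "use_standalone_scanner" {
+type = bool
+description = "true/false whether use inline scanner or not"
+default = false
+}
 
 # permission defaults to all resources; ARN *
 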