Adding terraform statefile policy to infraci role (#126)

chanzuckerberg · Sep 20, 2019 · 04f67e0 · 04f67e0
1 parent 3a2e69a
commit 04f67e0
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 0 deletions.
diff --git a/aws-iam-role-infraci/README.md b/aws-iam-role-infraci/README.md
@@ -10,6 +10,7 @@ Creates a role useful for running `terraform plan` in CI jobs.
 | iam\_path |  | string | `"/"` | no |
 | role\_name |  | string | `"infraci"` | no |
 | source\_account\_id |  | string | n/a | yes |
+| terraform\_state\_lock\_dynamodb\_arn | "The unique identifier (ARN) of the state file DynamoDB table" | string | `""` | yes |
 
 ## Outputs
 

diff --git a/aws-iam-role-infraci/main.tf b/aws-iam-role-infraci/main.tf
@@ -63,6 +63,24 @@ data "aws_iam_policy_document" "secrets" {
       values   = ["true"]
     }
   }
+
+  dynamic statement {
+
+    for_each = compact([var.terraform_state_lock_dynamodb_arn])
+
+
+    content {
+      sid = "statefileaccess"
+
+      actions = [
+        "dynamodb:GetItem",
+        "dynamodb:PutItem",
+        "dynamodb:DeleteItem",
+      ]
+
+      resources = [statement.value]
+    }
+  }
 }
 
 resource "aws_iam_policy" "secrets" {

diff --git a/aws-iam-role-infraci/variables.tf b/aws-iam-role-infraci/variables.tf
@@ -9,3 +9,9 @@ variable "role_name" {
 variable "iam_path" {
   default = "/"
 }
+
+variable "terraform_state_lock_dynamodb_arn" {
+  type        = "string"
+  default     = ""
+  description = "The ARN of the state file DynamoDB table"
+}