Generates S3 buckets, IAM roles and policies. These policies control access to the buckets and restrict their use to Bitbucket repositories within a Bitbucket workspace. Access is granted via OIDC roles set from within in a Bitbucket pipeline. Policies are also added that prevent public or non-secure access to the bucket.
This module is licensed under the MIT License.
The module is hosted on GitHub and can be used by referencing a tag or branch.
The example below allows the my-project
repository in the my-bitbucket-account
workspace to use the my-repository.example.com
bucket as a maven repository.
It allows reading from the whole bucket and writing to the folders
snapshots/com/example/my-project
releases/com/example/my-project
module "oidc_buckets" {
source = "github.com/NathanJAdams/aws_bb_oidc_buckets.git?ref=1.0"
bitbucket_workspace_name = "MyBitbucketWorkspace"
bitbucket_workspace_uuid = "12345678-abcd-1234-abcd-123456789012"
bitbucket_workspace_oidc = {
add_resource = true
thumbprint = "1234567890123456789012345678901234567890"
}
bucket_versioning = "Enabled"
role_name_prefix = "MyRolePrefix"
role_strategy = "PER_REPOSITORY"
permissions = [
{
repo_name = "my-project"
repo_uuid = "12345678-abcd-1234-abcd-123456789012"
bucket_name = "my-repository.example.com"
folders = [""]
actions = [
"s3:ListBucket",
"s3:GetObject",
]
},
{
repo_name = "my-project"
repo_uuid = "12345678-abcd-1234-abcd-123456789012"
bucket_name = "my-repository.example.com"
folders = [
"snapshots/com/example/my-project",
"releases/com/example/my-project"
]
actions = [
"s3:PutObject",
"s3:DeleteObject",
]
}
]
}
Variables | Required | Type | Default | Description |
---|---|---|---|---|
bitbucket_workspace_name | ✔ | string | The name of the Bitbucket workspace | |
bitbucket_workspace_uuid | ✔ | string | The UUID of the Bitbucket workspace | |
bitbucket_workspace_oidc | ✔ | object({ add_resource:bool thumbprint:string }) |
The OIDC configuration for the Bitbucket workspace. If a resource is not added, the existing resource will be used | |
role_name_prefix | ✔ | string | The prefix to use for the IAM roles. If a role_strategy of ONE is used, it will be used as the role name |
|
permissions | ✔ | list(object({ role_name:string repo_uuid:string bucket_name:string folders:list(string) actions:list(string) })) |
List of permissions to apply. Entries in the folders list allow actions on the folder (or bucket if empty) and everything inside it. |
|
role_strategy | string | ONE | Which roles to add, one of [ONE, PER_BUCKET, PER_REPOSITORY]. Policies will be added to the roles accordingly | |
bucket_versioning | string | Disabled | S3 bucket versioning option, one of [Enabled, Suspended, Disabled] |
Outputs | Type | Description |
---|---|---|
role_names | list(string) | List of IAM role names created by the module |
The module outputs a list of IAM role names.
These can be used in a Bitbucket pipeline as follows:
(this example uses the PER_REPOSITORY
role strategy)
image: amazon/aws-cli:2.x.x # TODO use a valid up-to-date image version
definitions:
scripts:
- script: &install-jq yum install -y jq
- script: &assume-role |
export AWS_ROLE="MyRolePrefix_${BITBUCKET_WORKSPACE}_${BITBUCKET_REPO_SLUG}"
export AWS_ACCOUNT_ID=123456789012
export AWS_SESSION_CREDENTIALS=$(aws sts assume-role-with-web-identity \
--role-arn "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${AWS_ROLE}" \
--role-session-name "${BITBUCKET_WORKSPACE}-${BITBUCKET_REPO_SLUG}-session-${BITBUCKET_BUILD_NUMBER}" \
--web-identity-token "${BITBUCKET_STEP_OIDC_TOKEN}" \
--duration-seconds 3600)
export AWS_ACCESS_KEY_ID=$( echo "$AWS_SESSION_CREDENTIALS" | jq -r '.Credentials.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo "$AWS_SESSION_CREDENTIALS" | jq -r '.Credentials.SecretAccessKey')
export AWS_SESSION_TOKEN=$( echo "$AWS_SESSION_CREDENTIALS" | jq -r '.Credentials.SessionToken')
pipelines:
default:
- step:
oidc: true # Required for OIDC authentication
name: Test
script:
- *install-jq
- *assume-role
- echo "TODO: Test the project, read/write to bucket, etc."
AWS enforces limits on the number of policies per role (20) and the size of a policy (6,144 characters).
If using many repositories or when creating many buckets, this can prevent a single role from being created with all the necessary permissions.
Therefore, the role_strategy
variable can be used to work around these limits by creating multiple roles.
The example above uses a role_strategy
set to PER_REPOSITORY
which means that a role will be created for each repository.
It can also be set to PER_BUCKET
which will create a role for each bucket or ONE
which will create a single role containing all policies.