diff --git a/codeartifact-repo/README.md b/codeartifact-repo/README.md
index a184d32..6b2062a 100644
--- a/codeartifact-repo/README.md
+++ b/codeartifact-repo/README.md
@@ -32,20 +32,29 @@ This module is intended to configure AWS CodeArtifact domains and repositories.
 | [aws_codeartifact_domain_permissions_policy.domain_permissions_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codeartifact_domain_permissions_policy) | resource |
 | [aws_codeartifact_repository.repository](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codeartifact_repository) | resource |
 | [aws_codeartifact_repository_permissions_policy.repo_permissions_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codeartifact_repository_permissions_policy) | resource |
+| [aws_iam_role.admin_access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.publisher_access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.read_access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.admin_access_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.publisher_access_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.read_only_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_kms_key.domain_encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| [admin\_principals](#input\_admin\_principals) | List of AWS principal ARNs that have admin access to domain and repositories | `list(string)` | `[]` | no |
 | 
[domain\_encryption\_key\_policy\_path](#input\_domain\_encryption\_key\_policy\_path) | Path to file containing IAM policy to be applied to created encryption key | `string` | `null` | no |
 | [domain\_name](#input\_domain\_name) | Domain name of the repository | `string` | n/a | yes |
 | [domain\_owner](#input\_domain\_owner) | Account number of the account that owns the repository. If not set, defaults to the account running Terraform | `string` | `null` | no |
 | [domain\_permissions\_policy\_revision](#input\_domain\_permissions\_policy\_revision) | Current revision of the domain permission policy to set | `string` | `null` | no |
 | [domain\_policy\_document\_path](#input\_domain\_policy\_document\_path) | Path to IAM policy document applied to Codeartifact domain | `string` | `null` | no |
 | [encryption\_key\_arn](#input\_encryption\_key\_arn) | ARN of KMS key used for repository encryption. If not specified, and use\_default\_ecnryption\_key is false, creates new KMS key | `string` | `null` | no |
+| [publisher\_principals](#input\_publisher\_principals) | List of AWS principal ARNS thet should have permissions to publish packages | `list(string)` | `[]` | no |
+| [reader\_principals](#input\_reader\_principals) | List of AWS principals ARNs that should have read access to domain and repositories | `list(string)` | `[]` | no |
 | [repo\_region](#input\_repo\_region) | Region in which repository will be managed. If not specified, defaults to region configured for provider | `string` | `null` | no |
-| [repositories](#input\_repositories) | List of repositories within Codeartifact domain |
list(object({
repository_name = string
description = optional(string, "")
region = optional(string, null)
domain_owner = optional(string, null)
upstream = optional(string, null)
external_connection = optional(string, null)
policy_document_path = optional(string, null)
default_read_access_principals = optional(list(string), null)
default_write_access_principals = optional(list(string), null)
})) | `[]` | no |
+| [repositories](#input\_repositories) | List of repositories within Codeartifact domain | list(object({
repository_name = string
description = optional(string, "")
region = optional(string, null)
domain_owner = optional(string, null)
upstream = optional(string, null)
external_connection = optional(string, null)
policy_document_path = optional(string, null)
})) | `[]` | no |
| [tags](#input\_tags) | Tags to be applied to resources | `map(string)` | `{}` | no |
| [use\_default\_ecnryption\_key](#input\_use\_default\_ecnryption\_key) | Whether to use default Codeartifact KMS key (defaults to true) | `bool` | `true` | no |
@@ -54,7 +63,6 @@ This module is intended to configure AWS CodeArtifact domains and repositories.
| Name | Description |
|------|-------------|
| [created\_repositories](#output\_created\_repositories) | A list of names of the created repositories. |
-| [default\_sts\_policies](#output\_default\_sts\_policies) | Created STS policies |
| [domain](#output\_domain) | Name of the CodeArtifact domain |
| [domain\_owner](#output\_domain\_owner) | Owner account of the CodeArtifact domain |
| [policy\_documents](#output\_policy\_documents) | A map of repository names to their applied policy documents (if any). |
diff --git a/codeartifact-repo/main.tf b/codeartifact-repo/main.tf
index ec9081f..893f185 100644
--- a/codeartifact-repo/main.tf
+++ b/codeartifact-repo/main.tf
@@ -5,27 +5,10 @@
locals {
should_create_kms_key = (!var.use_default_ecnryption_key && var.encryption_key_arn == null) ? true : false
-
- repo_read_access_principals = {
- for repo in var.repositories : repo.repository_name => repo.default_read_access_principals if(repo.default_read_access_principals != null
- && length(repo.default_read_access_principals) > 0)
- }
- repo_write_access_principals = {
- for repo in var.repositories : repo.repository_name => repo.default_write_access_principals if(repo.default_write_access_principals != null
- && length(repo.default_write_access_principals) > 0)
- }
- repo_final_policy_documents = data.aws_iam_policy_document.combined_default_policies
- # repos_with_policy_files = [
- # for repo in var.repositories : repo.repository_name if repo.policy_document_path != null
- # ]
- all_sts_principals = {
- for repo in var.repositories : repo.repository_name => distinct(concat(
- repo.default_read_access_principals != null ? repo.default_read_access_principals : [],
- repo.default_write_access_principals != null ? repo.default_write_access_principals : []
- ))
- }
}
+data "aws_caller_identity" "current" {}
+
resource "aws_codeartifact_domain" "repo_domain" {
domain = var.domain_name
region = var.repo_region != null ? var.repo_region : null
@@ -66,64 +49,124 @@ resource "aws_codeartifact_repository" "repository" {
tags = var.tags
}
-data "aws_iam_policy_document" "default_readonly_repo_policy" {
- for_each = { for k, v in local.repo_read_access_principals : k => v }
+
+resource "aws_codeartifact_repository_permissions_policy" "repo_permissions_policy" {
+ for_each = { for repo in var.repositories : repo.repository_name => repo if repo.policy_document_path != null }
+ repository = aws_codeartifact_repository.repository[each.key].repository
+ domain = aws_codeartifact_domain.repo_domain.domain
+ policy_document = file(each.value.policy_document_path)
+ region = var.repo_region != null ? var.repo_region : null
+ domain_owner = each.value.domain_owner != null ? each.value.domain_owner : null
+}
+
+resource "aws_kms_key" "domain_encryption_key" {
+ count = local.should_create_kms_key ? 1 : 0
+ description = "KMS key for CodeArtifact domain ${var.domain_name}"
+ enable_key_rotation = true
+ policy = var.domain_encryption_key_policy_path != null ? file(var.domain_encryption_key_policy_path) : null
+ tags = var.tags
+}
+
+data "aws_iam_policy_document" "read_only_policy_document" {
+ count = var.reader_principals != null && length(var.reader_principals) > 0 ? 1 : 0
statement {
effect = "Allow"
actions = [
- "codeartifact:DescribePackageVersion",
- "codeartifact:DescribeRepository",
- "codeartifact:GetPackageVersionReadme",
- "codeartifact:GetRepositoryEndpoint",
- "codeartifact:ListPackageVersionAssets",
- "codeartifact:ListPackageVersionDependencies",
- "codeartifact:ListPackageVersions",
- "codeartifact:ListPackages",
"codeartifact:ReadFromRepository",
+ "codeartifact:Get*",
+ "codeartifact:Describe*",
+ "codeartifact:List*"
]
- resources = [aws_codeartifact_repository.repository[each.key].arn]
+ resources = [aws_codeartifact_domain.repo_domain.arn, "${aws_codeartifact_domain.repo_domain.arn}/*"]
+ }
+ statement {
+ effect = "Allow"
+ actions = ["sts:GetServiceBearerToken"]
+ resources = [
+ aws_codeartifact_domain.repo_domain.arn,
+ "${aws_codeartifact_domain.repo_domain.arn}/*",
+ "arn:aws:sts::${data.aws_caller_identity.current.account_id}:assumed-role/${aws_iam_role.read_access_role[0].name}/*"
+ ]
+ condition {
+ variable = "sts:AWSServiceName"
+ values = ["codeartifact.amazonaws.com"]
+ test = "StringEquals"
+ }
+ }
+}
+
+data "aws_iam_policy_document" "assume_read_only_role_document" {
+ statement {
+ effect = "Allow"
principals {
type = "AWS"
- identifiers = each.value
+ identifiers = var.reader_principals
}
+ actions = ["sts:AssumeRole"]
}
}
-data "aws_iam_policy_document" "default_write_access_repo_policy" {
- for_each = { for k, v in local.repo_write_access_principals : k => v }
+data "aws_iam_policy_document" "publisher_policy_document" {
+ count = var.publisher_principals != null && length(var.publisher_principals) > 0 ? 1 : 0
statement {
effect = "Allow"
actions = [
- "codeartifact:DescribePackageVersion",
- "codeartifact:DescribeRepository",
- "codeartifact:GetPackageVersionReadme",
- "codeartifact:GetRepositoryEndpoint",
- "codeartifact:ListPackageVersionAssets",
- "codeartifact:ListPackageVersionDependencies",
- "codeartifact:ListPackageVersions",
- "codeartifact:ListPackages",
+ "codeartifact:ReadFromRepository",
+ "codeartifact:Get*",
+ "codeartifact:Describe*",
+ "codeartifact:List*",
"codeartifact:PublishPackageVersion",
"codeartifact:PutPackageMetadata",
- "codeartifact:ReadFromRepository",
+ "codeartifact:CreatePackageGroup",
+ "coeedartifact:UpdatePackageGroup",
+ "codeartifact:CopyPackageVersions"
+ ]
+ resources = [
+ aws_codeartifact_domain.repo_domain.arn,
+ "${aws_codeartifact_domain.repo_domain.arn}/*",
+ replace("${aws_codeartifact_domain.repo_domain.arn}/*", ":domain/", ":package/")
]
- resources = [aws_codeartifact_repository.repository[each.key].arn]
+ }
+ statement {
+ effect = "Allow"
+ actions = ["sts:GetServiceBearerToken"]
+ resources = [
+ aws_codeartifact_domain.repo_domain.arn,
+ "${aws_codeartifact_domain.repo_domain.arn}/*",
+ "arn:aws:sts::${data.aws_caller_identity.current.account_id}:assumed-role/${aws_iam_role.publisher_access_role[0].name}/*"
+ ]
+ condition {
+ variable = "sts:AWSServiceName"
+ values = ["codeartifact.amazonaws.com"]
+ test = "StringEquals"
+ }
+ }
+}
+
+data "aws_iam_policy_document" "assume_publisher_role_document" {
+ statement {
+ effect = "Allow"
principals {
type = "AWS"
- identifiers = each.value
+ identifiers = var.publisher_principals
}
+ actions = ["sts:AssumeRole"]
}
}
-data "aws_iam_policy_document" "default_sts_policy" {
- for_each = local.all_sts_principals
+data "aws_iam_policy_document" "admin_policy_document" {
+ count = var.admin_principals != null && length(var.admin_principals) > 0 ? 1 : 0
+ statement {
+ effect = "Allow"
+ actions = [
+ "codeartifact:*",
+ ]
+ resources = ["*"]
+ }
statement {
effect = "Allow"
actions = ["sts:GetServiceBearerToken"]
- resources = [aws_codeartifact_repository.repository[each.key].arn]
- principals {
- type = "AWS"
- identifiers = each.value
- }
+ resources = ["*"]
condition {
variable = "sts:AWSServiceName"
values = ["codeartifact.amazonaws.com"]
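Review bot: The `sts:GetServiceBearerToken` statements in `read_only_policy_document` and `publisher_policy_document` list the domain ARN and an `assumed-role` ARN as `resources`, but as far as I know that action supports no resource-level permissions (the service authorization reference lists no resource types for it), so a statement scoped to anything other than `"*"` never matches and `get-authorization-token` would be denied for readers and publishers. `admin_policy_document` already uses `resources = ["*"]` for this statement; the other two should do the same, with the `sts:AWSServiceName` condition remaining the effective restriction, which also removes the hard-coded `arn:aws:sts::` partition prefix. In the publisher action list `"coeedartifact:UpdatePackageGroup"` is misspelled, so that permission is silently not granted; it should read `"codeartifact:UpdatePackageGroup",`. `admin_policy_document` grants `codeartifact:*` on `["*"]`, i.e. every domain in the account rather than the one the role is named after; if that is intended the `admin_principals` description should say account-wide, otherwise scope the statement to `aws_codeartifact_domain.repo_domain.arn`, `"${aws_codeartifact_domain.repo_domain.arn}/*"` and the `:package/` form already used in the publisher document. `admin_policy_document` continues past the end of this hunk.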
@@ -132,31 +175,55 @@ data "aws_iam_policy_document" "default_sts_policy" {
}
}
-data "aws_iam_policy_document" "combined_default_policies" {
- for_each = { for repo in var.repositories : repo.repository_name => repo if contains(keys(local.repo_read_access_principals), repo.repository_name) || contains(keys(local.repo_write_access_principals), repo.repository_name) }
+data "aws_iam_policy_document" "assume_admin_role_document" {
+ statement {
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = var.admin_principals
+ }
+ actions = ["sts:AssumeRole"]
+ }
+}
+
+resource "aws_iam_role" "read_access_role" {
+ count = var.reader_principals != null && length(var.reader_principals) > 0 ? 1 : 0
+ name = "CodeArtifactReadAccessRole-${aws_codeartifact_domain.repo_domain.domain}"
+ description = "Role providing read access to CodeArtifact domain ${aws_codeartifact_domain.repo_domain.domain}"
+ assume_role_policy = data.aws_iam_policy_document.assume_read_only_role_document.json
+ tags = var.tags
+}
- source_policy_documents = compact(
- [
- try(data.aws_iam_policy_document.default_readonly_repo_policy[each.key].json, null),
- try(data.aws_iam_policy_document.default_write_access_repo_policy[each.key].json, null),
- try(data.aws_iam_policy_document.default_sts_policy[each.key].json, null)
- ]
- )
+resource "aws_iam_role_policy" "read_only_role_policy" {
+ count = var.reader_principals != null && length(var.reader_principals) > 0 ? 1 : 0
+ policy = data.aws_iam_policy_document.read_only_policy_document[0].json
+ role = aws_iam_role.read_access_role[0].name
}
-resource "aws_codeartifact_repository_permissions_policy" "repo_permissions_policy" {
- for_each = { for repo in var.repositories : repo.repository_name => repo if repo.policy_document_path != null || contains(keys(local.repo_final_policy_documents), repo.repository_name) }
- repository = aws_codeartifact_repository.repository[each.key].repository
- domain = aws_codeartifact_domain.repo_domain.domain
- policy_document = each.value.policy_document_path != null ? file(each.value.policy_document_path) : local.repo_final_policy_documents[each.key].json
- region = var.repo_region != null ? var.repo_region : null
- domain_owner = each.value.domain_owner != null ? each.value.domain_owner : null
+resource "aws_iam_role" "publisher_access_role" {
+ count = var.publisher_principals != null && length(var.publisher_principals) > 0 ? 1 : 0
+ name = "CodeArtifactPublisherAccessRole-${aws_codeartifact_domain.repo_domain.domain}"
+ description = "Role providing publisher access to CodeArtifact domain ${aws_codeartifact_domain.repo_domain.domain}"
+ assume_role_policy = data.aws_iam_policy_document.assume_publisher_role_document.json
+ tags = var.tags
}
-resource "aws_kms_key" "domain_encryption_key" {
- count = local.should_create_kms_key ? 1 : 0
- description = "KMS key for CodeArtifact domain ${var.domain_name}"
- enable_key_rotation = true
- policy = var.domain_encryption_key_policy_path != null ? file(var.domain_encryption_key_policy_path) : null
- tags = var.tags
-}
\ No newline at end of file
+resource "aws_iam_role_policy" "publisher_access_role_policy" {
+ count = var.publisher_principals != null && length(var.publisher_principals) > 0 ? 1 : 0
+ policy = data.aws_iam_policy_document.publisher_policy_document[0].json
+ role = aws_iam_role.publisher_access_role[0].name
+}
+
+resource "aws_iam_role" "admin_access_role" {
+ count = var.admin_principals != null && length(var.admin_principals) > 0 ? 1 : 0
+ name = "CodeArtifactAdminAccessRole-${aws_codeartifact_domain.repo_domain.domain}"
+ description = "Role providing administrative access to CodeArtifact domain ${aws_codeartifact_domain.repo_domain.domain}"
+ assume_role_policy = data.aws_iam_policy_document.assume_admin_role_document.json
+ tags = var.tags
+}
+
+resource "aws_iam_role_policy" "admin_access_role_policy" {
+ count = var.admin_principals != null && length(var.admin_principals) > 0 ? 1 : 0
+ policy = data.aws_iam_policy_document.admin_policy_document[0].json
+ role = aws_iam_role.admin_access_role[0].name
+}
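Review bot: `assume_admin_role_document` here (and `assume_read_only_role_document` / `assume_publisher_role_document` in the previous hunk) are evaluated unconditionally, while every `aws_iam_role` and `aws_iam_role_policy` in this hunk is guarded by `count = var.X != null && length(var.X) > 0 ? 1 : 0`; with a list left at its `[]` default the trust document is rendered with an empty `identifiers` set, which the provider may reject for a required attribute and which in any case produces a principal-less trust policy nobody uses. Giving the three documents the same `count` and referencing them as `data.aws_iam_policy_document.assume_admin_role_document[0].json` in the `assume_role_policy` lines keeps the guard consistent. The guard expression is repeated for every role and policy across this hunk and the previous one; one `locals` entry per role (e.g. `create_admin_role = var.admin_principals != null && length(var.admin_principals) > 0`) would define it once. The first two lines of this hunk close `admin_policy_document`, which starts in the previous hunk.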
diff --git a/codeartifact-repo/outputs.tf b/codeartifact-repo/outputs.tf
index 6c55eaf..9ea557c 100644
--- a/codeartifact-repo/outputs.tf
+++ b/codeartifact-repo/outputs.tf
@@ -20,8 +20,3 @@ output "policy_documents" {
description = "A map of repository names to their applied policy documents (if any)."
value = { for repo_name, repo_policy in aws_codeartifact_repository_permissions_policy.repo_permissions_policy : repo_name => repo_policy.policy_document }
}
-
-output "default_sts_policies" {
- description = "Created STS policies"
- value = { for repo_name, sts_policy in data.aws_iam_policy_document.default_sts_policy : repo_name => sts_policy.json }
-}
\ No newline at end of file
diff --git a/codeartifact-repo/tests/domain.tftest.hcl b/codeartifact-repo/tests/domain.tftest.hcl
index 55217a4..fe18f35 100644
--- a/codeartifact-repo/tests/domain.tftest.hcl
+++ b/codeartifact-repo/tests/domain.tftest.hcl
@@ -2,9 +2,7 @@
// SPDX-License-Identifier: MPL-2.0
-mock_provider "aws" {
-
-}
+mock_provider "aws" {}
run "invalid_encryption_key_arn_should_produce_error" {
command = plan
@@ -153,4 +151,4 @@ run "domain_permissions_policy_is_not_created_when_path_is_not_provided" {
condition = length(aws_codeartifact_domain_permissions_policy.domain_permissions_policy) == 0
error_message = "The domain permissions policy was created despite no policy document path being provided."
}
-}
\ No newline at end of file
+}
diff --git a/codeartifact-repo/tests/policies.tftest.hcl b/codeartifact-repo/tests/policies.tftest.hcl
deleted file mode 100644
index f12d8dc..0000000
--- a/codeartifact-repo/tests/policies.tftest.hcl
+++ /dev/null
@@ -1,137 +0,0 @@
-// Copyright 2025 Bitshift
-// SPDX-License-Identifier: MPL-2.0
-
-mock_provider "aws" {
- override_data {
- target = data.aws_iam_policy_document.default_readonly_repo_policy
- values = {
- json = "{}"
- }
- }
- override_data {
- target = data.aws_iam_policy_document.default_write_access_repo_policy
- values = {
- json = "{}"
- }
- }
- override_data {
- target = data.aws_iam_policy_document.combined_default_policies
- values = {
- json = "{}"
- }
- }
-}
-
-run "default_policy_should_be_created_when_principals_specified" {
- command = plan
-
- variables {
- domain_name = "test-domain"
- repositories = [
- {
- repository_name = "repo-with-policies"
- default_read_access_principals = ["arn:aws:iam::123456789012:role/ReadRole"]
- default_write_access_principals = ["arn:aws:iam::123456789012:role/WriteRole"]
- }
- ]
- }
-
- assert {
- condition = length(data.aws_iam_policy_document.default_readonly_repo_policy) == 1
- error_message = "Default read-only policy document was not created."
- }
-
- assert {
- condition = length(data.aws_iam_policy_document.default_write_access_repo_policy) == 1
- error_message = "Default write-access policy document was not created."
- }
-
- assert {
- condition = length(data.aws_iam_policy_document.default_sts_policy) == 1
- error_message = "Default STS policy document was not created."
- }
-}
-
-run "no_default_policy_when_no_principals" {
- command = plan
-
- variables {
- domain_name = "test-domain"
- repositories = [
- {
- repository_name = "repo-without-policies"
- }
- ]
- }
-
- assert {
- condition = length(data.aws_iam_policy_document.default_readonly_repo_policy) == 0
- error_message = "Default read-only policy document was created despite no principals being specified."
- }
-
- assert {
- condition = length(data.aws_iam_policy_document.default_write_access_repo_policy) == 0
- error_message = "Default write-access policy document was created despite no principals being specified."
- }
-}
-
-run "combined_policy_created_when_either_principal_specified" {
- command = plan
-
- variables {
- domain_name = "test-domain"
- repositories = [
- {
- repository_name = "repo-with-read-policy"
- default_read_access_principals = ["arn:aws:iam::123456789012:role/ReadRole"]
- },
- {
- repository_name = "repo-with-write-policy"
- default_write_access_principals = ["arn:aws:iam::123456789012:role/WriteRole"]
- }
- ]
- }
-
- assert {
- condition = length(data.aws_iam_policy_document.combined_default_policies) == 2
- error_message = "Combined default policies were not created correctly when either read or write principals were specified."
- }
-}
-
-run "no_combined_policy_when_no_principals" {
- command = plan
-
- variables {
- domain_name = "test-domain"
- repositories = [
- {
- repository_name = "repo-without-policies"
- }
- ]
- }
-
- assert {
- condition = length(data.aws_iam_policy_document.combined_default_policies) == 0
- error_message = "Combined default policy was created despite no principals being specified."
- }
-}
-
-run "policy_file_should_override_default_policy" {
- command = plan
-
- variables {
- domain_name = "test-domain"
- repositories = [
- {
- repository_name = "repo-with-policy-file"
- policy_document_path = "tests/test-repo-policy.json"
- default_read_access_principals = ["arn:aws:iam::123456789012:role/ReadRole"]
- }
- ]
- }
-
- assert {
- condition = length(aws_codeartifact_repository_permissions_policy.repo_permissions_policy) == 1
- error_message = "Repository permissions policy was not created when a policy document path was provided."
- }
-}
\ No newline at end of file
diff --git a/codeartifact-repo/tests/roles.tftest.hcl b/codeartifact-repo/tests/roles.tftest.hcl
new file mode 100644
index 0000000..75e91ea
--- /dev/null
+++ b/codeartifact-repo/tests/roles.tftest.hcl
@@ -0,0 +1,112 @@
+// Copyright 2025 Bitshift
+// SPDX-License-Identifier: MPL-2.0
+
+mock_provider "aws" {
+ override_data {
+ target = data.aws_iam_policy_document.read_only_policy_document
+ values = {
+ json = "{}"
+ }
+ }
+ override_data {
+ target = data.aws_iam_policy_document.assume_read_only_role_document
+ values = {
+ json = "{}"
+ }
+ }
+ override_data {
+ target = data.aws_iam_policy_document.assume_publisher_role_document
+ values = {
+ json = "{}"
+ }
+ }
+}
+
+run "read_access_role_should_be_created_when_specified" {
+ command = plan
+
+ variables {
+ domain_name = "test-domain"
+ repositories = [
+ {
+ repository_name = "repo-with-read-role"
+ }
+ ]
+ reader_principals = ["arn:aws:iam::123456789012:role/ReadRole"]
+ }
+
+ assert {
+ condition = length(aws_iam_role.read_access_role) == 1
+ error_message = "Default read-only policy document was not created when read access principals were specified."
+ }
+ assert {
+ condition = length(aws_iam_role_policy.read_only_role_policy) == 1
+ error_message = "Read access role policy was not created when read access principals were specified."
+ }
+}
+
+run "no_read_access_role_when_no_principals" {
+ command = plan
+
+ variables {
+ domain_name = "test-domain"
+ repositories = [
+ {
+ repository_name = "repo-without-read-role"
+ }
+ ]
+ }
+
+ assert {
+ condition = length(aws_iam_role.read_access_role) == 0
+ error_message = "Read access role was created despite no read access principals being specified."
+ }
+ assert {
+ condition = length(aws_iam_role_policy.read_only_role_policy) == 0
+ error_message = "Read access role policy created when read access principals were not specified."
+ }
+}
+
+run "publisher_access_role_should_be_created_when_specified" {
+ command = plan
+
+ variables {
+ domain_name = "test-domain"
+ repositories = [
+ {
+ repository_name = "repo-with-publisher-role"
+ }
+ ]
+ publisher_principals = ["arn:aws:iam::123456789012:role/PublishRole"]
+ }
+
+ assert {
+ condition = length(aws_iam_role.publisher_access_role) == 1
+ error_message = "Publisher access role was not created when publisher principals were specified."
+ }
+ assert {
+ condition = length(aws_iam_role_policy.publisher_access_role_policy) == 1
+ error_message = "Publisher access role policy was not created when publisher principals were specified."
+ }
+}
+run "no_publisher_access_role_when_no_principals" {
+ command = plan
+
+ variables {
+ domain_name = "test-domain"
+ repositories = [
+ {
+ repository_name = "repo-without-publisher-role"
+ }
+ ]
+ }
+
+ assert {
+ condition = length(aws_iam_role.publisher_access_role) == 0
+ error_message = "Publisher access role was created despite no publisher principals being specified."
+ }
+ assert {
+ condition = length(aws_iam_role_policy.publisher_access_role_policy) == 0
+ error_message = "Publisher access role policy created when publisher principals were not specified."
+ }
+}
\ No newline at end of file
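Review bot: The first assert in `read_access_role_should_be_created_when_specified` checks `aws_iam_role.read_access_role` but its `error_message` describes a policy document, so a failure would point at the wrong resource; `error_message = "Read access role was not created when read access principals were specified."` matches the condition. There is no run block for `admin_principals`, so `aws_iam_role.admin_access_role` and `aws_iam_role_policy.admin_access_role_policy`, the most privileged pair the module creates, are the only roles without a created/not-created check; a copy of the two publisher runs with `admin_principals = ["arn:aws:iam::123456789012:role/AdminRole"]` would cover them. The `override_data` blocks cover both reader documents and `assume_publisher_role_document` but not `publisher_policy_document` or either admin document, which is inconsistent even if `mock_provider` supplies defaults for them.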
diff --git a/codeartifact-repo/variables.tf b/codeartifact-repo/variables.tf
index c5a8b1d..4992fc5 100644
--- a/codeartifact-repo/variables.tf
+++ b/codeartifact-repo/variables.tf
@@ -48,17 +48,33 @@ variable "domain_permissions_policy_revision" {
default = null
}
+variable "reader_principals" {
+ type = list(string)
+ description = "List of AWS principals ARNs that should have read access to domain and repositories"
+ default = []
+}
+
+variable "publisher_principals" {
+ type = list(string)
+ description = "List of AWS principal ARNS thet should have permissions to publish packages"
+ default = []
+}
+
+variable "admin_principals" {
+ type = list(string)
+ description = "List of AWS principal ARNs that have admin access to domain and repositories"
+ default = []
+}
+
variable "repositories" {
type = list(object({
- repository_name = string
- description = optional(string, "")
- region = optional(string, null)
- domain_owner = optional(string, null)
- upstream = optional(string, null)
- external_connection = optional(string, null)
- policy_document_path = optional(string, null)
- default_read_access_principals = optional(list(string), null)
- default_write_access_principals = optional(list(string), null)
+ repository_name = string
+ description = optional(string, "")
+ region = optional(string, null)
+ domain_owner = optional(string, null)
+ upstream = optional(string, null)
+ external_connection = optional(string, null)
+ policy_document_path = optional(string, null)
}))
description = "List of repositories within Codeartifact domain"
default = []
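Review bot: The new descriptions carry typos that `terraform-docs` copies into the README (`principals ARNs` in `reader_principals`, `ARNS thet` in `publisher_principals`); suggest `description = "List of AWS principal ARNs that should have read access to the domain and its repositories"` and `description = "List of AWS principal ARNs that should have permission to publish packages"`. Because each list is passed unchanged into a role trust policy, a `validation` block per variable, e.g. `condition = alltrue([for p in var.admin_principals : startswith(p, "arn:")])` (Terraform 1.3+, which the `optional(..., default)` syntax already requires), would turn a mistyped principal into a plan-time error instead of a MalformedPolicyDocument failure at apply. Dropping `default_read_access_principals` and `default_write_access_principals` from the `repositories` object is a breaking change for existing callers, who now get an unsupported-attribute error, and deserves a sentence in the variable description or a changelog entry.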