From 102722dfb59bef91d40b8b85781ce7a57795b64a Mon Sep 17 00:00:00 2001 From: Vladimir Djurovic Date: Wed, 3 Dec 2025 17:36:12 +0100 Subject: [PATCH] feat: domain level roles and permissions --- codeartifact-repo/README.md | 12 +- codeartifact-repo/main.tf | 215 +++++++++++++------- codeartifact-repo/outputs.tf | 5 - codeartifact-repo/tests/domain.tftest.hcl | 6 +- codeartifact-repo/tests/policies.tftest.hcl | 137 ------------- codeartifact-repo/tests/roles.tftest.hcl | 112 ++++++++++ codeartifact-repo/variables.tf | 34 +++- 7 files changed, 290 insertions(+), 231 deletions(-) delete mode 100644 codeartifact-repo/tests/policies.tftest.hcl create mode 100644 codeartifact-repo/tests/roles.tftest.hcl diff --git a/codeartifact-repo/README.md b/codeartifact-repo/README.md index a184d32..6b2062a 100644 --- a/codeartifact-repo/README.md +++ b/codeartifact-repo/README.md 
@@ -32,20 +32,29 @@ This module is intended to configure AWS CodeArtifact domains and repositories. | [aws_codeartifact_domain_permissions_policy.domain_permissions_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codeartifact_domain_permissions_policy) | resource | | [aws_codeartifact_repository.repository](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codeartifact_repository) | resource | | [aws_codeartifact_repository_permissions_policy.repo_permissions_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codeartifact_repository_permissions_policy) | resource | +| [aws_iam_role.admin_access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.publisher_access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.read_access_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.admin_access_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.publisher_access_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.read_only_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | | [aws_kms_key.domain_encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [admin\_principals](#input\_admin\_principals) | List of AWS principal ARNs that have admin access to domain and repositories | `list(string)` | `[]` | no | | 
[domain\_encryption\_key\_policy\_path](#input\_domain\_encryption\_key\_policy\_path) | Path to file containing IAM policy to be applied to created encryption key | `string` | `null` | no | | [domain\_name](#input\_domain\_name) | Domain name of the repository | `string` | n/a | yes | | [domain\_owner](#input\_domain\_owner) | Account number of the account that owns the repository. If not set, defaults to the account running Terraform | `string` | `null` | no | | [domain\_permissions\_policy\_revision](#input\_domain\_permissions\_policy\_revision) | Current revision of the domain permission policy to set | `string` | `null` | no | | [domain\_policy\_document\_path](#input\_domain\_policy\_document\_path) | Path to IAM policy document applied to Codeartifact domain | `string` | `null` | no | | [encryption\_key\_arn](#input\_encryption\_key\_arn) | ARN of KMS key used for repository encryption. If not specified, and use\_default\_ecnryption\_key is false, creates new KMS key | `string` | `null` | no | +| [publisher\_principals](#input\_publisher\_principals) | List of AWS principal ARNS thet should have permissions to publish packages | `list(string)` | `[]` | no | +| [reader\_principals](#input\_reader\_principals) | List of AWS principals ARNs that should have read access to domain and repositories | `list(string)` | `[]` | no | | [repo\_region](#input\_repo\_region) | Region in which repository will be managed. If not specified, defaults to region configured for provider | `string` | `null` | no | -| [repositories](#input\_repositories) | List of repositories within Codeartifact domain |
list(object({
repository_name = string
description = optional(string, "")
region = optional(string, null)
domain_owner = optional(string, null)
upstream = optional(string, null)
external_connection = optional(string, null)
policy_document_path = optional(string, null)
default_read_access_principals = optional(list(string), null)
default_write_access_principals = optional(list(string), null)
}))
| `[]` | no | +| [repositories](#input\_repositories) | List of repositories within Codeartifact domain |
list(object({
repository_name = string
description = optional(string, "")
region = optional(string, null)
domain_owner = optional(string, null)
upstream = optional(string, null)
external_connection = optional(string, null)
policy_document_path = optional(string, null)
}))
| `[]` | no | | [tags](#input\_tags) | Tags to be applied to resources | `map(string)` | `{}` | no | | [use\_default\_ecnryption\_key](#input\_use\_default\_ecnryption\_key) | Whether to use default Codeartifact KMS key (defaults to true) | `bool` | `true` | no | @@ -54,7 +63,6 @@ This module is intended to configure AWS CodeArtifact domains and repositories. | Name | Description | |------|-------------| | [created\_repositories](#output\_created\_repositories) | A list of names of the created repositories. | -| [default\_sts\_policies](#output\_default\_sts\_policies) | Created STS policies | | [domain](#output\_domain) | Name of the CodeArtifact domain | | [domain\_owner](#output\_domain\_owner) | Owner account of the CodeArtifact domain | | [policy\_documents](#output\_policy\_documents) | A map of repository names to their applied policy documents (if any). | diff --git a/codeartifact-repo/main.tf b/codeartifact-repo/main.tf index ec9081f..893f185 100644 --- a/codeartifact-repo/main.tf +++ b/codeartifact-repo/main.tf 
@@ -5,27 +5,10 @@ locals { should_create_kms_key = (!var.use_default_ecnryption_key && var.encryption_key_arn == null) ? true : false - - repo_read_access_principals = { - for repo in var.repositories : repo.repository_name => repo.default_read_access_principals if(repo.default_read_access_principals != null - && length(repo.default_read_access_principals) > 0) - } - repo_write_access_principals = { - for repo in var.repositories : repo.repository_name => repo.default_write_access_principals if(repo.default_write_access_principals != null - && length(repo.default_write_access_principals) > 0) - } - repo_final_policy_documents = data.aws_iam_policy_document.combined_default_policies - # repos_with_policy_files = [ - # for repo in var.repositories : repo.repository_name if repo.policy_document_path != null - # ] - all_sts_principals = { - for repo in var.repositories : repo.repository_name => distinct(concat( - repo.default_read_access_principals != null ? repo.default_read_access_principals : [], - repo.default_write_access_principals != null ? repo.default_write_access_principals : [] - )) - } } +data "aws_caller_identity" "current" {} + resource "aws_codeartifact_domain" "repo_domain" { domain = var.domain_name region = var.repo_region != null ? var.repo_region : null 
@@ -66,64 +49,124 @@ resource "aws_codeartifact_repository" "repository" { tags = var.tags } -data "aws_iam_policy_document" "default_readonly_repo_policy" { - for_each = { for k, v in local.repo_read_access_principals : k => v } + +resource "aws_codeartifact_repository_permissions_policy" "repo_permissions_policy" { + for_each = { for repo in var.repositories : repo.repository_name => repo if repo.policy_document_path != null } + repository = aws_codeartifact_repository.repository[each.key].repository + domain = aws_codeartifact_domain.repo_domain.domain + policy_document = file(each.value.policy_document_path) + region = var.repo_region != null ? var.repo_region : null + domain_owner = each.value.domain_owner != null ? each.value.domain_owner : null +} + +resource "aws_kms_key" "domain_encryption_key" { + count = local.should_create_kms_key ? 1 : 0 + description = "KMS key for CodeArtifact domain ${var.domain_name}" + enable_key_rotation = true + policy = var.domain_encryption_key_policy_path != null ? file(var.domain_encryption_key_policy_path) : null + tags = var.tags +} + +data "aws_iam_policy_document" "read_only_policy_document" { + count = var.reader_principals != null && length(var.reader_principals) > 0 ? 
1 : 0 statement { effect = "Allow" actions = [ - "codeartifact:DescribePackageVersion", - "codeartifact:DescribeRepository", - "codeartifact:GetPackageVersionReadme", - "codeartifact:GetRepositoryEndpoint", - "codeartifact:ListPackageVersionAssets", - "codeartifact:ListPackageVersionDependencies", - "codeartifact:ListPackageVersions", - "codeartifact:ListPackages", "codeartifact:ReadFromRepository", + "codeartifact:Get*", + "codeartifact:Describe*", + "codeartifact:List*" ] - resources = [aws_codeartifact_repository.repository[each.key].arn] + resources = [aws_codeartifact_domain.repo_domain.arn, "${aws_codeartifact_domain.repo_domain.arn}/*"] + } + statement { + effect = "Allow" + actions = ["sts:GetServiceBearerToken"] + resources = [ + aws_codeartifact_domain.repo_domain.arn, + "${aws_codeartifact_domain.repo_domain.arn}/*", + "arn:aws:sts::${data.aws_caller_identity.current.account_id}:assumed-role/${aws_iam_role.read_access_role[0].name}/*" + ] + condition { + variable = "sts:AWSServiceName" + values = ["codeartifact.amazonaws.com"] + test = "StringEquals" + } + } +} + +data "aws_iam_policy_document" "assume_read_only_role_document" { + statement { + effect = "Allow" principals { type = "AWS" - identifiers = each.value + identifiers = var.reader_principals } + actions = ["sts:AssumeRole"] } } -data "aws_iam_policy_document" "default_write_access_repo_policy" { - for_each = { for k, v in local.repo_write_access_principals : k => v } +data "aws_iam_policy_document" "publisher_policy_document" { + count = var.publisher_principals != null && length(var.publisher_principals) > 0 ? 
1 : 0 statement { effect = "Allow" actions = [ - "codeartifact:DescribePackageVersion", - "codeartifact:DescribeRepository", - "codeartifact:GetPackageVersionReadme", - "codeartifact:GetRepositoryEndpoint", - "codeartifact:ListPackageVersionAssets", - "codeartifact:ListPackageVersionDependencies", - "codeartifact:ListPackageVersions", - "codeartifact:ListPackages", + "codeartifact:ReadFromRepository", + "codeartifact:Get*", + "codeartifact:Describe*", + "codeartifact:List*", "codeartifact:PublishPackageVersion", "codeartifact:PutPackageMetadata", - "codeartifact:ReadFromRepository", + "codeartifact:CreatePackageGroup", + "coeedartifact:UpdatePackageGroup", + "codeartifact:CopyPackageVersions" + ] + resources = [ + aws_codeartifact_domain.repo_domain.arn, + "${aws_codeartifact_domain.repo_domain.arn}/*", + replace("${aws_codeartifact_domain.repo_domain.arn}/*", ":domain/", ":package/") ] - resources = [aws_codeartifact_repository.repository[each.key].arn] + } + statement { + effect = "Allow" + actions = ["sts:GetServiceBearerToken"] + resources = [ + aws_codeartifact_domain.repo_domain.arn, + "${aws_codeartifact_domain.repo_domain.arn}/*", + "arn:aws:sts::${data.aws_caller_identity.current.account_id}:assumed-role/${aws_iam_role.publisher_access_role[0].name}/*" + ] + condition { + variable = "sts:AWSServiceName" + values = ["codeartifact.amazonaws.com"] + test = "StringEquals" + } + } +} + +data "aws_iam_policy_document" "assume_publisher_role_document" { + statement { + effect = "Allow" principals { type = "AWS" - identifiers = each.value + identifiers = var.publisher_principals } + actions = ["sts:AssumeRole"] } } -data "aws_iam_policy_document" "default_sts_policy" { - for_each = local.all_sts_principals +data "aws_iam_policy_document" "admin_policy_document" { + count = var.admin_principals != null && length(var.admin_principals) > 0 ? 
1 : 0 + statement { + effect = "Allow" + actions = [ + "codeartifact:*", + ] + resources = ["*"] + } statement { effect = "Allow" actions = ["sts:GetServiceBearerToken"] - resources = [aws_codeartifact_repository.repository[each.key].arn] - principals { - type = "AWS" - identifiers = each.value - } + resources = ["*"] condition { variable = "sts:AWSServiceName" values = ["codeartifact.amazonaws.com"] 
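Review bot: The publisher policy statement lists `"coeedartifact:UpdatePackageGroup"`, a misspelled service prefix, so the intended permission is never granted (and IAM policy validation may flag the unknown action); it should read `"codeartifact:UpdatePackageGroup"`. The admin policy document further down grants `codeartifact:*` on `resources = ["*"]`, which covers every domain in the account even though the role it feeds is named after this one domain; the read-only and publisher documents scope to `aws_codeartifact_domain.repo_domain.arn` and its sub-resources, and the admin statement could follow the same pattern unless account-wide scope is intended, in which case the role description should say so. The `sts:GetServiceBearerToken` resources also hardcode the `arn:aws:` partition; `data.aws_partition` would keep the module usable in other partitions. The admin document's closing braces lie outside this hunk.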
@@ -132,31 +175,55 @@ data "aws_iam_policy_document" "default_sts_policy" { } } -data "aws_iam_policy_document" "combined_default_policies" { - for_each = { for repo in var.repositories : repo.repository_name => repo if contains(keys(local.repo_read_access_principals), repo.repository_name) || contains(keys(local.repo_write_access_principals), repo.repository_name) } +data "aws_iam_policy_document" "assume_admin_role_document" { + statement { + effect = "Allow" + principals { + type = "AWS" + identifiers = var.admin_principals + } + actions = ["sts:AssumeRole"] + } +} + +resource "aws_iam_role" "read_access_role" { + count = var.reader_principals != null && length(var.reader_principals) > 0 ? 1 : 0 + name = "CodeArtifactReadAccessRole-${aws_codeartifact_domain.repo_domain.domain}" + description = "Role providing read access to CodeArtifact domain ${aws_codeartifact_domain.repo_domain.domain}" + assume_role_policy = data.aws_iam_policy_document.assume_read_only_role_document.json + tags = var.tags +} - source_policy_documents = compact( - [ - try(data.aws_iam_policy_document.default_readonly_repo_policy[each.key].json, null), - try(data.aws_iam_policy_document.default_write_access_repo_policy[each.key].json, null), - try(data.aws_iam_policy_document.default_sts_policy[each.key].json, null) - ] - ) +resource "aws_iam_role_policy" "read_only_role_policy" { + count = var.reader_principals != null && length(var.reader_principals) > 0 ? 
1 : 0 + policy = data.aws_iam_policy_document.read_only_policy_document[0].json + role = aws_iam_role.read_access_role[0].name } -resource "aws_codeartifact_repository_permissions_policy" "repo_permissions_policy" { - for_each = { for repo in var.repositories : repo.repository_name => repo if repo.policy_document_path != null || contains(keys(local.repo_final_policy_documents), repo.repository_name) } - repository = aws_codeartifact_repository.repository[each.key].repository - domain = aws_codeartifact_domain.repo_domain.domain - policy_document = each.value.policy_document_path != null ? file(each.value.policy_document_path) : local.repo_final_policy_documents[each.key].json - region = var.repo_region != null ? var.repo_region : null - domain_owner = each.value.domain_owner != null ? each.value.domain_owner : null +resource "aws_iam_role" "publisher_access_role" { + count = var.publisher_principals != null && length(var.publisher_principals) > 0 ? 1 : 0 + name = "CodeArtifactPublisherAccessRole-${aws_codeartifact_domain.repo_domain.domain}" + description = "Role providing publisher access to CodeArtifact domain ${aws_codeartifact_domain.repo_domain.domain}" + assume_role_policy = data.aws_iam_policy_document.assume_publisher_role_document.json + tags = var.tags } -resource "aws_kms_key" "domain_encryption_key" { - count = local.should_create_kms_key ? 1 : 0 - description = "KMS key for CodeArtifact domain ${var.domain_name}" - enable_key_rotation = true - policy = var.domain_encryption_key_policy_path != null ? file(var.domain_encryption_key_policy_path) : null - tags = var.tags -} \ No newline at end of file +resource "aws_iam_role_policy" "publisher_access_role_policy" { + count = var.publisher_principals != null && length(var.publisher_principals) > 0 ? 
1 : 0 + policy = data.aws_iam_policy_document.publisher_policy_document[0].json + role = aws_iam_role.publisher_access_role[0].name +} + +resource "aws_iam_role" "admin_access_role" { + count = var.admin_principals != null && length(var.admin_principals) > 0 ? 1 : 0 + name = "CodeArtifactAdminAccessRole-${aws_codeartifact_domain.repo_domain.domain}" + description = "Role providing administrative access to CodeArtifact domain ${aws_codeartifact_domain.repo_domain.domain}" + assume_role_policy = data.aws_iam_policy_document.assume_admin_role_document.json + tags = var.tags +} + +resource "aws_iam_role_policy" "admin_access_role_policy" { + count = var.admin_principals != null && length(var.admin_principals) > 0 ? 1 : 0 + policy = data.aws_iam_policy_document.admin_policy_document[0].json + role = aws_iam_role.admin_access_role[0].name +} diff --git a/codeartifact-repo/outputs.tf b/codeartifact-repo/outputs.tf index 6c55eaf..9ea557c 100644 --- a/codeartifact-repo/outputs.tf +++ b/codeartifact-repo/outputs.tf @@ -20,8 +20,3 @@ output "policy_documents" { description = "A map of repository names to their applied policy documents (if any)." value = { for repo_name, repo_policy in aws_codeartifact_repository_permissions_policy.repo_permissions_policy : repo_name => repo_policy.policy_document } } - -output "default_sts_policies" { - description = "Created STS policies" - value = { for repo_name, sts_policy in data.aws_iam_policy_document.default_sts_policy : repo_name => sts_policy.json } -} \ No newline at end of file diff --git a/codeartifact-repo/tests/domain.tftest.hcl b/codeartifact-repo/tests/domain.tftest.hcl index 55217a4..fe18f35 100644 --- a/codeartifact-repo/tests/domain.tftest.hcl +++ b/codeartifact-repo/tests/domain.tftest.hcl @@ -2,9 +2,7 @@ // SPDX-License-Identifier: MPL-2.0 -mock_provider "aws" { - -} +mock_provider "aws" {} run "invalid_encryption_key_arn_should_produce_error" { command = plan 
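Review bot: `assume_admin_role_document` is evaluated unconditionally with `identifiers = var.admin_principals`, whose default is `[]`, while `aws_iam_role.admin_access_role` is count-gated on that list being non-empty; `assume_read_only_role_document` and `assume_publisher_role_document` in the previous hunk share the pattern. With an empty list the provider will, as far as I can tell, either reject the empty `identifiers` set or render a trust statement with no principal, so I'd gate the three trust documents with the same `count` and reference them as `[0].json` from the roles. The `var.x != null && length(var.x) > 0` expression is repeated for every role and policy; a local per role (e.g. `create_admin_role = var.admin_principals != null && length(var.admin_principals) > 0`) would keep the condition in one place. None of the new roles exposes `permissions_boundary`, which callers in accounts that mandate one cannot add from outside the module.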
@@ -153,4 +151,4 @@ run "domain_permissions_policy_is_not_created_when_path_is_not_provided" { condition = length(aws_codeartifact_domain_permissions_policy.domain_permissions_policy) == 0 error_message = "The domain permissions policy was created despite no policy document path being provided." } -} \ No newline at end of file +} diff --git a/codeartifact-repo/tests/policies.tftest.hcl b/codeartifact-repo/tests/policies.tftest.hcl deleted file mode 100644 index f12d8dc..0000000 --- a/codeartifact-repo/tests/policies.tftest.hcl +++ /dev/null 
@@ -1,137 +0,0 @@ -// Copyright 2025 Bitshift -// SPDX-License-Identifier: MPL-2.0 - -mock_provider "aws" { - override_data { - target = data.aws_iam_policy_document.default_readonly_repo_policy - values = { - json = "{}" - } - } - override_data { - target = data.aws_iam_policy_document.default_write_access_repo_policy - values = { - json = "{}" - } - } - override_data { - target = data.aws_iam_policy_document.combined_default_policies - values = { - json = "{}" - } - } -} - -run "default_policy_should_be_created_when_principals_specified" { - command = plan - - variables { - domain_name = "test-domain" - repositories = [ - { - repository_name = "repo-with-policies" - default_read_access_principals = ["arn:aws:iam::123456789012:role/ReadRole"] - default_write_access_principals = ["arn:aws:iam::123456789012:role/WriteRole"] - } - ] - } - - assert { - condition = length(data.aws_iam_policy_document.default_readonly_repo_policy) == 1 - error_message = "Default read-only policy document was not created." - } - - assert { - condition = length(data.aws_iam_policy_document.default_write_access_repo_policy) == 1 - error_message = "Default write-access policy document was not created." - } - - assert { - condition = length(data.aws_iam_policy_document.default_sts_policy) == 1 - error_message = "Default STS policy document was not created." - } -} - -run "no_default_policy_when_no_principals" { - command = plan - - variables { - domain_name = "test-domain" - repositories = [ - { - repository_name = "repo-without-policies" - } - ] - } - - assert { - condition = length(data.aws_iam_policy_document.default_readonly_repo_policy) == 0 - error_message = "Default read-only policy document was created despite no principals being specified." - } - - assert { - condition = length(data.aws_iam_policy_document.default_write_access_repo_policy) == 0 - error_message = "Default write-access policy document was created despite no principals being specified." 
- } -} - -run "combined_policy_created_when_either_principal_specified" { - command = plan - - variables { - domain_name = "test-domain" - repositories = [ - { - repository_name = "repo-with-read-policy" - default_read_access_principals = ["arn:aws:iam::123456789012:role/ReadRole"] - }, - { - repository_name = "repo-with-write-policy" - default_write_access_principals = ["arn:aws:iam::123456789012:role/WriteRole"] - } - ] - } - - assert { - condition = length(data.aws_iam_policy_document.combined_default_policies) == 2 - error_message = "Combined default policies were not created correctly when either read or write principals were specified." - } -} - -run "no_combined_policy_when_no_principals" { - command = plan - - variables { - domain_name = "test-domain" - repositories = [ - { - repository_name = "repo-without-policies" - } - ] - } - - assert { - condition = length(data.aws_iam_policy_document.combined_default_policies) == 0 - error_message = "Combined default policy was created despite no principals being specified." - } -} - -run "policy_file_should_override_default_policy" { - command = plan - - variables { - domain_name = "test-domain" - repositories = [ - { - repository_name = "repo-with-policy-file" - policy_document_path = "tests/test-repo-policy.json" - default_read_access_principals = ["arn:aws:iam::123456789012:role/ReadRole"] - } - ] - } - - assert { - condition = length(aws_codeartifact_repository_permissions_policy.repo_permissions_policy) == 1 - error_message = "Repository permissions policy was not created when a policy document path was provided." - } -} \ No newline at end of file diff --git a/codeartifact-repo/tests/roles.tftest.hcl b/codeartifact-repo/tests/roles.tftest.hcl new file mode 100644 index 0000000..75e91ea --- /dev/null +++ b/codeartifact-repo/tests/roles.tftest.hcl 
@@ -0,0 +1,112 @@ +// Copyright 2025 Bitshift +// SPDX-License-Identifier: MPL-2.0 + +mock_provider "aws" { + override_data { + target = data.aws_iam_policy_document.read_only_policy_document + values = { + json = "{}" + } + } + override_data { + target = data.aws_iam_policy_document.assume_read_only_role_document + values = { + json = "{}" + } + } + override_data { + target = data.aws_iam_policy_document.assume_publisher_role_document + values = { + json = "{}" + } + } +} + +run "read_access_role_should_be_created_when_specified" { + command = plan + + variables { + domain_name = "test-domain" + repositories = [ + { + repository_name = "repo-with-read-role" + } + ] + reader_principals = ["arn:aws:iam::123456789012:role/ReadRole"] + } + + assert { + condition = length(aws_iam_role.read_access_role) == 1 + error_message = "Default read-only policy document was not created when read access principals were specified." + } + assert { + condition = length(aws_iam_role_policy.read_only_role_policy) == 1 + error_message = "Read access role policy was not created when read access principals were specified." + } +} + +run "no_read_access_role_when_no_principals" { + command = plan + + variables { + domain_name = "test-domain" + repositories = [ + { + repository_name = "repo-without-read-role" + } + ] + } + + assert { + condition = length(aws_iam_role.read_access_role) == 0 + error_message = "Read access role was created despite no read access principals being specified." + } + assert { + condition = length(aws_iam_role_policy.read_only_role_policy) == 0 + error_message = "Read access role policy created when read access principals were not specified." 
+ } +} + +run "publisher_access_role_should_be_created_when_specified" { + command = plan + + variables { + domain_name = "test-domain" + repositories = [ + { + repository_name = "repo-with-publisher-role" + } + ] + publisher_principals = ["arn:aws:iam::123456789012:role/PublishRole"] + } + + assert { + condition = length(aws_iam_role.publisher_access_role) == 1 + error_message = "Publisher access role was not created when publisher principals were specified." + } + assert { + condition = length(aws_iam_role_policy.publisher_access_role_policy) == 1 + error_message = "Publisher access role policy was not created when publisher principals were specified." + } +} +run "no_publisher_access_role_when_no_principals" { + command = plan + + variables { + domain_name = "test-domain" + repositories = [ + { + repository_name = "repo-without-publisher-role" + } + ] + } + + assert { + condition = length(aws_iam_role.publisher_access_role) == 0 + error_message = "Publisher access role was created despite no publisher principals being specified." + } + assert { + condition = length(aws_iam_role_policy.publisher_access_role_policy) == 0 + error_message = "Publisher access role policy created when publisher principals were not specified." + } +} \ No newline at end of file diff --git a/codeartifact-repo/variables.tf b/codeartifact-repo/variables.tf index c5a8b1d..4992fc5 100644 --- a/codeartifact-repo/variables.tf +++ b/codeartifact-repo/variables.tf 
@@ -48,17 +48,33 @@ variable "domain_permissions_policy_revision" { default = null } +variable "reader_principals" { + type = list(string) + description = "List of AWS principals ARNs that should have read access to domain and repositories" + default = [] +} + +variable "publisher_principals" { + type = list(string) + description = "List of AWS principal ARNS thet should have permissions to publish packages" + default = [] +} + +variable "admin_principals" { + type = list(string) + description = "List of AWS principal ARNs that have admin access to domain and repositories" + default = [] +} + variable "repositories" { type = list(object({ - repository_name = string - description = optional(string, "") - region = optional(string, null) - domain_owner = optional(string, null) - upstream = optional(string, null) - external_connection = optional(string, null) - policy_document_path = optional(string, null) - default_read_access_principals = optional(list(string), null) - default_write_access_principals = optional(list(string), null) + repository_name = string + description = optional(string, "") + region = optional(string, null) + domain_owner = optional(string, null) + upstream = optional(string, null) + external_connection = optional(string, null) + policy_document_path = optional(string, null) })) description = "List of repositories within Codeartifact domain" default = []
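Review bot: Dropping `default_read_access_principals` and `default_write_access_principals` from the `repositories` object type is a breaking change for callers that still pass them (an object value with an attribute the declared type does not list is rejected), yet neither the descriptions nor the commit message call it out; a note pointing callers to `reader_principals`/`publisher_principals` would help. The new descriptions also carry typos: `principals ARNs` and `ARNS thet` should be `principal ARNs` and `ARNs that`. Since these lists feed straight into `principals { identifiers = ... }` of trust policies, a `validation` block such as `condition = alltrue([for p in var.reader_principals : can(regex("^arn:", p))])` would surface malformed input at plan time instead of at IAM apply.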