Wednesday, April 19, 2023

Using Terraform Remote Modules Sourced From CodeCommit using HTTPS (GRC) with AWS Account Factory (AFT) Workflow

AWS Account Factory (AFT) is a robust templating framework that lets you apply account configuration with Terraform uniformly across an organization that uses multiple accounts and consolidated billing. Currently, a limitation prevents including CodeCommit-hosted modules in the customization Terraform script, which makes it difficult to compartmentalize the account customization scripts. Amazon recommends using HTTPS (GRC) to access CodeCommit; this method uses AWS credentials to access the repository, negating the need for usernames, passwords, and keys. Fortunately, all of the nuts and bolts needed to source modules from CodeCommit are already there. We just need to make a few tweaks to the customizations folder and to the role used to execute the customizations CodeBuild project.

Terraform pre-api-helpers.sh

To support CodeCommit GRC access, you need to install the git-remote-codecommit credential helper. This can be done from the pre-api-helpers.sh script, negating the need to modify the boilerplate CodeBuild project provided by Amazon.

# AFT overwrites the Python venv when it runs pre-api-helpers.sh, so first
# re-create the venv that Terraform uses, then install the helper into it
python3 -m venv "$DEFAULT_PATH/aft-venv"
# Install the git-remote-codecommit helper with the pip from the Terraform venv
"$DEFAULT_PATH/aft-venv/bin/pip" install git-remote-codecommit

Terraform module reference

When setting up your repositories in CodeCommit for use as module references, it is recommended to adopt a naming convention so that you can specify that convention in the IAM policy, avoiding the need to add each repository to the policy individually or to grant access to all repositories. Note the use of aft-management in the URI. This tells the credential helper to use the credential profile used to connect to the AFT management account (or the AFT management role) when connecting to the repository.

module "aft-module-mymodule" {
  source = "git::codecommit::us-east-1://aft-management@aft-module-mymodule"
}

IAM Policy Changes

Next, we need to give AFT access to the module repositories so they can be referenced as shown above. Again, a naming convention is recommended so that any new modules you create are automatically covered by the IAM policy. First, locate the aft-customizations-role in IAM and add the following policy, or amend the existing policy that allows access to the aft-account-customizations repository:

...
        {
            "Effect": "Allow",
            "Action": [
                "codecommit:GetBranch",
                "codecommit:GetRepository",
                "codecommit:GetCommit",
                "codecommit:GitPull",
                "codecommit:UploadArchive",
                "codecommit:GetUploadArchiveStatus",
                "codecommit:CancelUploadArchive"
            ],
            "Resource": [
                "arn:aws:codecommit:us-east-1:YOURACCOUNTNUMBERHERE:aft-*-customizations*",
                "arn:aws:codecommit:us-east-1:YOURACCOUNTNUMBERHERE:aft-module-*"
            ]
        }
...
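A quick pre-push check that ties the module reference and the policy together, as an added example that is not part of this post or of AFT: it parses each git::codecommit:: module source, builds the repository ARN, and reports sources the aft-customizations-role policy would not cover (a module that breaks the aft-module-* naming convention, or one in a region the policy does not list). The account number 111122223333 is a placeholder, and IAM's * and ? wildcard matching is approximated with fnmatch, which is an assumption that holds for these ARNs.

```python
import fnmatch
import re

# Terraform git source form used in this post: git::codecommit::<region>://<profile>@<repository>
SOURCE_RE = re.compile(r"^git::codecommit::(?P<region>[a-z0-9-]+)://"
                       r"(?:(?P<profile>[^@/]+)@)?(?P<repo>[A-Za-z0-9._-]+)$")

def parse_grc_source(source):
    """Split a git::codecommit:: module source into region, profile and repo."""
    m = SOURCE_RE.match(source)
    if not m:
        raise ValueError(f"not a git::codecommit:: source: {source!r}")
    return {"region": m["region"], "profile": m["profile"] or "", "repo": m["repo"]}

def allowed_patterns(policy, action="codecommit:GitPull"):
    """Resource patterns from Allow statements whose Action covers `action`."""
    patterns = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and any(fnmatch.fnmatchcase(action, a) for a in actions):
            res = stmt.get("Resource", [])
            patterns.extend([res] if isinstance(res, str) else res)
    return patterns

def uncovered_sources(sources, policy, account):
    """Module sources whose repo ARN matches no Allow pattern (IAM * and ? wildcards via fnmatch)."""
    patterns = allowed_patterns(policy)
    missing = []
    for src in sources:
        p = parse_grc_source(src)
        arn = f"arn:aws:codecommit:{p['region']}:{account}:{p['repo']}"
        if not any(fnmatch.fnmatchcase(arn, pat) for pat in patterns):
            missing.append(src)
    return missing

# Constructed sample data: this post's policy statement with a placeholder account
# number, plus two module sources that the policy does not cover.
ACCOUNT = "111122223333"  # placeholder, not a real account
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["codecommit:GetBranch", "codecommit:GetRepository", "codecommit:GetCommit",
               "codecommit:GitPull", "codecommit:UploadArchive",
               "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive"],
    "Resource": [f"arn:aws:codecommit:us-east-1:{ACCOUNT}:aft-*-customizations*",
                 f"arn:aws:codecommit:us-east-1:{ACCOUNT}:aft-module-*"]}]}
SAMPLE_SOURCES = [
    "git::codecommit::us-east-1://aft-management@aft-module-mymodule",  # covered
    "git::codecommit::us-east-1://aft-management@shared-vpc-module",    # breaks the naming convention
    "git::codecommit::us-west-2://aft-management@aft-module-mymodule",  # region not in the policy
]
```

Running uncovered_sources(SAMPLE_SOURCES, SAMPLE_POLICY, ACCOUNT) returns the last two sources, which is what you want to catch before CodeBuild fails the terraform init.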
