Problem with cloud pipeline policy

Hi!!!:high5:
this is my code:

# Terraform settings for this module. Only the CLI version is constrained here.
# NOTE(review): no required_providers block is visible on this page. The
# aws_s3_bucket_acl resource used further down exists only in AWS provider v4
# and later, so pinning the provider version (and committing the dependency
# lock file) keeps runs reproducible. Confirm whether that is done elsewhere.
terraform {
  required_version = ">= 0.12"
}

# Local module that supplies the artifact bucket and its KMS key. The resources
# in this file read its outputs bucket_name, s3_bucket_id, s3_arn and kms_arn.
module "s3" {
  source = "../s3"
  # Passed through to the module; presumably selects SSE-KMS as the bucket's
  # default encryption. Confirm against ../s3.
  sse_algorithm = "aws:kms"
}

# Three-stage pipeline: fetch source through a CodeStar connection, build with
# CodeBuild, then deploy with CloudFormation.
resource "aws_codepipeline" "codepipeline" {
  name     = var.name
  # Service role that CodePipeline assumes while the pipeline runs. It is not
  # the identity Terraform uses to create the resources in this file.
  role_arn = aws_iam_role.codepipeline_role.arn

  # Artifacts live in the module's bucket and reference the module's KMS key,
  # so the pipeline role needs access to both the bucket and the key.
  artifact_store {
    location = module.s3.bucket_name
    type     = var.artifact_store_type

    encryption_key {
      id   = module.s3.kms_arn
      type = var.encryption_key_type
    }
  }

  stage {
    name = "Source"

    action {
      name             = "Source"
      category         = "Source"
      owner            = "AWS"
      provider         = "CodeStarSourceConnection"
      version          = "1"
      output_artifacts = ["source_output"]

      # The pipeline role needs codestar-connections:UseConnection on this
      # connection ARN to read the repository; it does not need to create or
      # delete connections.
      configuration = {
        ConnectionArn    = aws_codestarconnections_connection.example.arn
        FullRepositoryId = "my-organization/example"
        BranchName       = "main"
      }
    }
  }

  stage {
    name = "Build"

    action {
      name             = "Build"
      category         = "Build"
      owner            = "AWS"
      provider         = "CodeBuild"
      input_artifacts  = ["source_output"]
      output_artifacts = ["build_output"]
      version          = "1"

      # Refers to a CodeBuild project named "test"; that project is not defined
      # on this page.
      configuration = {
        ProjectName = "test"
      }
    }
  }

  stage {
    name = "Deploy"

    action {
      name            = "Deploy"
      category        = "Deploy"
      owner           = "AWS"
      provider        = "CloudFormation"
      input_artifacts = ["build_output"]
      version         = "1"

      # CAPABILITY_IAM lets the stack create or change IAM resources, and the
      # template is taken from the build output, so whatever is merged to the
      # source branch can change IAM in this account. Review access to that
      # branch accordingly.
      # NOTE(review): no RoleArn is set here; CloudFormation deploy actions
      # normally name the role CloudFormation assumes for the stack. Confirm.
      configuration = {
        ActionMode     = "REPLACE_ON_FAILURE"
        Capabilities   = "CAPABILITY_AUTO_EXPAND,CAPABILITY_IAM"
        OutputFileName = "CreateStackOutput.json"
        StackName      = "MyStack"
        TemplatePath   = "build_output::sam-templated.yaml"
      }
    }
  }
}

# Connection to the external source provider, used by the pipeline's Source
# action.
#
# Terraform creates this with the credentials of whoever runs `terraform apply`,
# so codestar-connections:CreateConnection is evaluated against that caller and
# not against the pipeline's service role. When an organization service control
# policy explicitly denies the action, no IAM allow on any user or role in the
# account overrides it. The remaining options are to have the organization's
# administrators change the SCP, or to reference a connection that already
# exists instead of creating one here.
#
# A connection created through the API starts in PENDING state and has to be
# authorized in the console before the pipeline can use it.
resource "aws_codestarconnections_connection" "example" {
  name          = var.aws_codestarconnections_name
  provider_type = var.codestarconnections_provider_type
}

# resource "aws_s3_bucket" "codepipeline_bucket" {
#   bucket = "test-bucket"
# }

# Canned ACL applied to the artifact bucket.
# NOTE(review): the value of var.codepipeline_acl is not shown on this page.
# Build artifacts should not be publicly readable, so "private" is the expected
# value. Confirm.
# The bucket is referenced as module.s3.s3_bucket_id here and as
# module.s3.bucket_name in the pipeline's artifact_store; presumably both name
# the same bucket.
resource "aws_s3_bucket_acl" "codepipeline_bucket_acl" {
  bucket = module.s3.s3_bucket_id
  acl    = var.codepipeline_acl
}

# Service role for the pipeline. The trust policy below lets only the
# CodePipeline service principal assume it. Permissions are attached separately
# by aws_iam_role_policy.codepipeline_policy.
resource "aws_iam_role" "codepipeline_role" {
  name = var.iam_role_codepipeline_name

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "codepipeline.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

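# Inline permissions for the pipeline's service role.
#
# These statements control what CodePipeline may do while a pipeline runs. They
# do not apply to the identity that runs `terraform apply`, so widening them
# cannot resolve an AccessDenied raised while Terraform creates a resource. An
# explicit deny in a service control policy also overrides any allow written
# here.
resource "aws_iam_role_policy" "codepipeline_policy" {
  name = var.iam_role_policy_codepipeline
  role = aws_iam_role.codepipeline_role.id

  # jsonencode() builds the document from HCL values, so a stray quote cannot
  # produce invalid JSON as it did in the heredoc form ('"Action": ["' followed
  # by a closing '"],').
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Read and write pipeline artifacts in the artifact bucket.
        Effect = "Allow"
        Action = [
          "s3:GetObject",
          "s3:GetObjectVersion",
          "s3:GetBucketVersioning",
          "s3:PutObjectAcl",
          "s3:PutObject",
        ]
        Resource = [
          module.s3.s3_arn,
          "${module.s3.s3_arn}/*",
        ]
      },
      {
        # The Source action only has to use the connection. Creating, deleting
        # and tagging connections are provisioning tasks and are left out of
        # the runtime role to keep it least-privilege.
        Effect   = "Allow"
        Action   = ["codestar-connections:UseConnection"]
        Resource = aws_codestarconnections_connection.example.arn
      },
      {
        Effect = "Allow"
        Action = [
          "codebuild:BatchGetBuilds",
          "codebuild:StartBuild",
        ]
        # NOTE(review): this could be narrowed to the ARN of the CodeBuild
        # project that the Build stage starts; that project is not defined on
        # this page.
        Resource = "*"
      },
    ]
  })

  # NOTE(review): nothing here covers the KMS key (module.s3.kms_arn) used by
  # the artifact store or the CloudFormation calls made by the Deploy stage.
  # Confirm those permissions are granted elsewhere.
}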
I tried also:
...
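# Second variant of the pipeline role's inline permissions.
#
# These statements apply only to the CodePipeline service role at run time.
# They are not evaluated when Terraform itself creates resources, and an
# explicit deny in a service control policy overrides any allow, so granting
# "*" on the connection adds exposure without changing the outcome of
# `terraform apply`.
resource "aws_iam_role_policy" "codepipeline_policy" {
  name = var.iam_role_policy_codepipeline
  role = aws_iam_role.codepipeline_role.id

  # jsonencode() builds the document from HCL values, which avoids hand-written
  # JSON quoting mistakes inside a heredoc.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Read and write pipeline artifacts in the artifact bucket.
        Effect = "Allow"
        Action = [
          "s3:GetObject",
          "s3:GetObjectVersion",
          "s3:GetBucketVersioning",
          "s3:PutObjectAcl",
          "s3:PutObject",
        ]
        Resource = [
          module.s3.s3_arn,
          "${module.s3.s3_arn}/*",
        ]
      },
      {
        # Replaces the wildcard action: the Source action only has to use the
        # connection, so that is the single permission granted on it.
        Effect   = "Allow"
        Action   = ["codestar-connections:UseConnection"]
        Resource = aws_codestarconnections_connection.example.arn
      },
      {
        Effect = "Allow"
        Action = [
          "codebuild:BatchGetBuilds",
          "codebuild:StartBuild",
        ]
        # NOTE(review): this could be narrowed to the ARN of the CodeBuild
        # project that the Build stage starts; that project is not defined on
        # this page.
        Resource = "*"
      },
    ]
  })
}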
...

and I got this error:
Error: creating CodeStar Connections Connection (example-connection): AccessDeniedException: User: arn:aws:iam::705076103456:user/cloud_user is not authorized to perform: codestar-connections:CreateConnection on resource: arn:aws:codestar-connections:us-east-1:705076103456:* with an explicit deny in a service control policy
│ status code: 400, request id: 901bbcb4-1e28-4c7a-8616-9ef2c712ff3f

│ with module.code_pipeline.aws_codestarconnections_connection.example,
│ on …/modules/Codepipeline/main.tf line 86, in resource “aws_codestarconnections_connection” “example”:
│ 86: resource “aws_codestarconnections_connection” “example” {
Please help me if you know what the problem is.
thanks!!