Hi!
This is my code:
# Minimum Terraform core version this configuration is written for.
# 0.12 is the first release with first-class expressions, which the
# module.* and resource attribute references below rely on.
terraform {
  required_version = ">= 0.12"
}
# Artifact bucket for the pipeline, built by the sibling ../s3 module.
# Server-side encryption is requested with a KMS key (SSE-KMS) rather than
# the S3-managed default. Consequence: every principal that reads or writes
# artifacts (the pipeline role, the CodeBuild project's role) must also be
# allowed to use that key (kms:GenerateDataKey*, kms:Decrypt), otherwise
# artifact upload/download fails with AccessDenied. The outputs consumed
# below (bucket_name, s3_bucket_id, s3_arn, kms_arn) are assumed to be
# exported by that module — verify their names match.
module "s3" {
  sse_algorithm = "aws:kms"
  source        = "../s3"
}
# The pipeline: Source (external repo via a CodeStar connection)
# -> Build (CodeBuild) -> Deploy (CloudFormation).
# Executes as aws_iam_role.codepipeline_role; artifacts are stored in the
# bucket from module.s3 and encrypted with that module's KMS key.
resource "aws_codepipeline" "codepipeline" {
  role_arn = aws_iam_role.codepipeline_role.arn
  name     = var.name

  artifact_store {
    type     = var.artifact_store_type
    location = module.s3.bucket_name

    # Customer-managed key for the artifact store. The pipeline role (and the
    # CodeBuild project's own service role) need kms:Decrypt and
    # kms:GenerateDataKey* on this key, or artifact transfer is denied.
    encryption_key {
      type = var.encryption_key_type
      id   = module.s3.kms_arn
    }
  }

  # Source: pulls branch "main" of the repository through the CodeStar
  # connection. Repository and branch are hard-coded; consider promoting
  # them to variables alongside var.name.
  stage {
    name = "Source"

    action {
      category         = "Source"
      name             = "Source"
      owner            = "AWS"
      provider         = "CodeStarSourceConnection"
      version          = "1"
      output_artifacts = ["source_output"]

      configuration = {
        BranchName       = "main"
        ConnectionArn    = aws_codestarconnections_connection.example.arn
        FullRepositoryId = "my-organization/example"
      }
    }
  }

  # Build: runs the CodeBuild project named "test". The project is not
  # managed in this file and must already exist in this account/region.
  stage {
    name = "Build"

    action {
      category         = "Build"
      name             = "Build"
      owner            = "AWS"
      provider         = "CodeBuild"
      version          = "1"
      input_artifacts  = ["source_output"]
      output_artifacts = ["build_output"]

      configuration = {
        ProjectName = "test"
      }
    }
  }

  # Deploy: CloudFormation creates/updates "MyStack" from the built template.
  # Security notes:
  #   - CAPABILITY_IAM allows the template to create IAM users, roles and
  #     policies. Anyone who can push to "main" can therefore change IAM in
  #     this account — protect the branch accordingly.
  #   - REPLACE_ON_FAILURE deletes a stack that fails and creates a new one;
  #     avoid it for stacks holding stateful resources.
  #   - NOTE(review): the CloudFormation action reference documents a RoleArn
  #     setting (the service role CloudFormation assumes); none is set here.
  #     Confirm the deploy works as intended without it.
  stage {
    name = "Deploy"

    action {
      category        = "Deploy"
      name            = "Deploy"
      owner           = "AWS"
      provider        = "CloudFormation"
      version         = "1"
      input_artifacts = ["build_output"]

      configuration = {
        ActionMode     = "REPLACE_ON_FAILURE"
        Capabilities   = "CAPABILITY_AUTO_EXPAND,CAPABILITY_IAM"
        OutputFileName = "CreateStackOutput.json"
        StackName      = "MyStack"
        TemplatePath   = "build_output::sam-templated.yaml"
      }
    }
  }
}
# Connection to the external source provider (GitHub, Bitbucket, ...).
# Creating it calls codestar-connections:CreateConnection with the
# credentials running terraform — not with the pipeline role — so the caller
# needs that permission and must not be blocked by an SCP. The connection is
# created in PENDING state and has to be authorized once in the console
# before the Source stage can use it.
resource "aws_codestarconnections_connection" "example" {
  provider_type = var.codestarconnections_provider_type
  name          = var.aws_codestarconnections_name
}
# resource "aws_s3_bucket" "codepipeline_bucket" {
# bucket = "test-bucket"
# }
# Legacy ACL on the artifact bucket. Keep var.codepipeline_acl at "private":
# anything broader exposes build artifacts and CloudFormation templates to
# other AWS accounts or the public.
# NOTE(review): if the module created the bucket with ObjectOwnership =
# BucketOwnerEnforced (the default for new buckets), ACLs are disabled and
# this resource will fail to apply; remove it in that case and use the
# bucket policy instead.
resource "aws_s3_bucket_acl" "codepipeline_bucket_acl" {
  acl    = var.codepipeline_acl
  bucket = module.s3.s3_bucket_id
}
# Execution role for the pipeline. Only the CodePipeline service principal
# may assume it.
# NOTE(review): to prevent confused-deputy use of this role by pipelines in
# other accounts, add "aws:SourceAccount" (and/or "aws:SourceArn") conditions
# to the trust statement once the account id is available in this module
# (e.g. through data.aws_caller_identity).
resource "aws_iam_role" "codepipeline_role" {
  name = var.iam_role_codepipeline_name

  # Trust policy kept as a raw heredoc so the stored document is unchanged.
  assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "codepipeline.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
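# Run-time permissions of the pipeline role.
#
# Written with jsonencode() instead of a hand-edited heredoc: the original
# heredoc wrapped the second Action list in stray quotes
# ("Action": [" ... "],), which is not valid JSON and is rejected when the
# policy is applied.
#
# Statements follow least privilege:
#   - ArtifactBucket: read/write the artifact bucket. PutObjectAcl is kept
#     because CodePipeline sets bucket-owner-full-control on uploads.
#   - ArtifactKey: use the SSE-KMS key of the artifact store; without it every
#     artifact upload/download fails with AccessDenied.
#   - UseSourceConnection: the pipeline only needs to *use* the connection.
#     CreateConnection/DeleteConnection/Tag* are operator actions performed
#     by the identity running terraform and do not belong on this role.
#   - RunBuilds: start and poll CodeBuild builds. Resource is "*" because the
#     project ARN is not known in this file; narrow it to the project ARN
#     (arn:aws:codebuild:REGION:ACCOUNT:project/NAME) when available.
#
# NOTE: an AccessDeniedException on codestar-connections:CreateConnection that
# names the IAM *user* running terraform and "an explicit deny in a service
# control policy" is unrelated to this role policy. SCPs constrain the caller
# and can only be lifted by the organization administrator.
resource "aws_iam_role_policy" "codepipeline_policy" {
  name = var.iam_role_policy_codepipeline
  role = aws_iam_role.codepipeline_role.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "ArtifactBucket"
        Effect = "Allow"
        Action = [
          "s3:GetObject",
          "s3:GetObjectVersion",
          "s3:GetBucketVersioning",
          "s3:PutObjectAcl",
          "s3:PutObject",
        ]
        Resource = [
          module.s3.s3_arn,
          "${module.s3.s3_arn}/*",
        ]
      },
      {
        Sid    = "ArtifactKey"
        Effect = "Allow"
        Action = [
          "kms:Decrypt",
          "kms:Encrypt",
          "kms:GenerateDataKey*",
          "kms:ReEncrypt*",
          "kms:DescribeKey",
        ]
        Resource = module.s3.kms_arn
      },
      {
        Sid      = "UseSourceConnection"
        Effect   = "Allow"
        Action   = ["codestar-connections:UseConnection"]
        Resource = aws_codestarconnections_connection.example.arn
      },
      {
        Sid    = "RunBuilds"
        Effect = "Allow"
        Action = [
          "codebuild:BatchGetBuilds",
          "codebuild:StartBuild",
        ]
        Resource = "*"
      },
    ]
  })
}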
I also tried the following variant of the policy:
...
# Second attempt at the pipeline role policy (kept as posted).
# Compared with the first version, the CodeStar statement was replaced by
# "Action": ["*"] on the connection ARN. Two problems with that:
#   - It grants every API action on the connection to the pipeline role,
#     where the pipeline only needs codestar-connections:UseConnection.
#     Wildcard actions should not be used to work around a deny.
#   - It cannot affect the error reported below: that error names the IAM
#     user running terraform and an explicit deny in a service control
#     policy. The pipeline role is not involved in CreateConnection, and an
#     SCP deny cannot be overridden from an IAM policy in the account.
# The "codebuild:*" statement on Resource "*" should also be narrowed to the
# CodeBuild project ARN once it is known.
resource "aws_iam_role_policy" "codepipeline_policy" {
  name = var.iam_role_policy_codepipeline
  role = aws_iam_role.codepipeline_role.id
  policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect":"Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetBucketVersioning",
"s3:PutObjectAcl",
"s3:PutObject"
],
"Resource": [
"${module.s3.s3_arn}",
"${module.s3.s3_arn}/*"
]
},
{
"Effect": "Allow",
"Action": ["*"],
"Resource": "${aws_codestarconnections_connection.example.arn}"
},
{
"Effect": "Allow",
"Action": [
"codebuild:BatchGetBuilds",
"codebuild:StartBuild"
],
"Resource": "*"
}
]
}
EOF
}
...
and I got this error:
Error: creating CodeStar Connections Connection (example-connection): AccessDeniedException: User: arn:aws:iam::705076103456:user/cloud_user is not authorized to perform: codestar-connections:CreateConnection on resource: arn:aws:codestar-connections:us-east-1:705076103456:* with an explicit deny in a service control policy
│ status code: 400, request id: 901bbcb4-1e28-4c7a-8616-9ef2c712ff3f
│
│ with module.code_pipeline.aws_codestarconnections_connection.example,
│ on …/modules/Codepipeline/main.tf line 86, in resource “aws_codestarconnections_connection” “example”:
│ 86: resource “aws_codestarconnections_connection” “example” {
Note that the error names the IAM user running terraform (cloud_user) and an explicit deny from a service control policy, not the pipeline role — does that mean the role policy is irrelevant here? I'd appreciate help if you know what the problem is.
Thanks!