{"id":16710344,"url":"https://github.com/nathanjadams/aws_bb_oidc_buckets","last_synced_at":"2025-03-15T03:15:03.005Z","repository":{"id":165205655,"uuid":"631073818","full_name":"NathanJAdams/aws_bb_oidc_buckets","owner":"NathanJAdams","description":"Terraform module that creates S3 buckets secured by Bitbucket OIDC roles","archived":false,"fork":false,"pushed_at":"2023-08-09T23:18:04.000Z","size":20,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-21T18:51:06.452Z","etag":null,"topics":["aws-s3","bitbucket","bitbucket-pipelines","oidc","terraform","terraform-module"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NathanJAdams.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-04-21T21:30:37.000Z","updated_at":"2023-04-22T13:49:54.000Z","dependencies_parsed_at":null,"dependency_job_id":"56668c76-6ec8-42d4-a6d8-4a006bb5d1bb","html_url":"https://github.com/NathanJAdams/aws_bb_oidc_buckets","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NathanJAdams%2Faws_bb_oidc_buckets","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NathanJAdams%2Faws_bb_oidc_buckets/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NathanJAdams%2Faws_bb_oidc_buckets/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposi
tories/NathanJAdams%2Faws_bb_oidc_buckets/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NathanJAdams","download_url":"https://codeload.github.com/NathanJAdams/aws_bb_oidc_buckets/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243676778,"owners_count":20329434,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws-s3","bitbucket","bitbucket-pipelines","oidc","terraform","terraform-module"],"created_at":"2024-10-12T20:08:07.656Z","updated_at":"2025-03-15T03:15:02.999Z","avatar_url":"https://github.com/NathanJAdams.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Terraform module that creates S3 buckets secured by Bitbucket OIDC roles\n\nGenerates S3 buckets, IAM roles and policies.\nThese policies control access to the buckets and restrict their use to Bitbucket repositories within a Bitbucket\nworkspace.\nAccess is granted via OIDC roles assumed from within a Bitbucket pipeline.\nPolicies are also added that prevent public or non-secure access to the bucket.\n\n## License\n\nThis module is licensed under the [MIT License](./LICENSE).\n\n## Usage\n\nThe module is hosted on GitHub and can be used by referencing a tag or branch.\n\nThe example below allows the `my-project` repository in the `my-bitbucket-account` workspace to use the `my-repository.example.com` bucket as a Maven repository.\nIt allows reading from the whole bucket and writing to the folders\n  - `snapshots/com/example/my-project`\n  - 
`releases/com/example/my-project`\n\n```hcl\nmodule \"oidc_buckets\" {\n  source = \"github.com/NathanJAdams/aws_bb_oidc_buckets.git?ref=1.0\"\n\n  bitbucket_workspace_name = \"MyBitbucketWorkspace\"\n  bitbucket_workspace_uuid = \"12345678-abcd-1234-abcd-123456789012\"\n  bitbucket_workspace_oidc = {\n    add_resource = true\n    thumbprint   = \"1234567890123456789012345678901234567890\"\n  }\n  bucket_versioning = \"Enabled\"\n  role_name_prefix  = \"MyRolePrefix\"\n  role_strategy     = \"PER_REPOSITORY\"\n  permissions       = [\n    {\n      repo_name   = \"my-project\"\n      repo_uuid   = \"12345678-abcd-1234-abcd-123456789012\"\n      bucket_name = \"my-repository.example.com\"\n      folders     = [\"\"]\n      actions     = [\n        \"s3:ListBucket\",\n        \"s3:GetObject\",\n      ]\n    },\n    {\n      repo_name   = \"my-project\"\n      repo_uuid   = \"12345678-abcd-1234-abcd-123456789012\"\n      bucket_name = \"my-repository.example.com\"\n      folders     = [\n        \"snapshots/com/example/my-project\",\n        \"releases/com/example/my-project\"\n      ]\n      actions = [\n        \"s3:PutObject\",\n        \"s3:DeleteObject\",\n      ]\n    }\n  ]\n}\n```\n\n## Variables\n\n| Variables                | Required | Type                                                                                                                                     | Default  | Description                                                                                                                            |\n|--------------------------|:--------:|:-----------------------------------------------------------------------------------------------------------------------------------------|----------|----------------------------------------------------------------------------------------------------------------------------------------|\n| bitbucket_workspace_name |    ✔     | string                                                                           
                                                        |          | The name of the Bitbucket workspace                                                                                                    |\n| bitbucket_workspace_uuid |    ✔     | string                                                                                                                                   |          | The UUID of the Bitbucket workspace                                                                                                    |\n| bitbucket_workspace_oidc |    ✔     | object({\u003cbr/\u003eadd_resource:bool\u003cbr/\u003ethumbprint:string\u003cbr/\u003e})                                                                              |          | The OIDC configuration for the Bitbucket workspace. If a resource is not added, the existing resource will be used                     |\n| role_name_prefix         |    ✔     | string                                                                                                                                   |          | The prefix to use for the IAM roles. If a `role_strategy` of `ONE` is used, it will be used as the role name                           |\n| permissions              |    ✔     | list(object({\u003cbr/\u003erole_name:string\u003cbr/\u003erepo_uuid:string\u003cbr/\u003ebucket_name:string\u003cbr/\u003efolders:list(string)\u003cbr/\u003eactions:list(string)\u003cbr/\u003e})) |          | List of permissions to apply. Entries in the `folders` list allow actions on the folder (or bucket if empty) and everything inside it. |\n| role_strategy            |          | string                                                                                                                                   | ONE      | Which roles to add, one of [ONE, PER_BUCKET, PER_REPOSITORY]. 
Policies will be added to the roles accordingly                          |\n| bucket_versioning        |          | string                                                                                                                                   | Disabled | S3 bucket versioning option, one of [Enabled, Suspended, Disabled]                                                                     |\n\n| Outputs    | Type         | Description                                  |\n|------------|:-------------|----------------------------------------------|\n| role_names | list(string) | List of IAM role names created by the module |\n\n\n## Use in Bitbucket Pipelines\n\nThe module outputs a list of IAM role names.\nThese can be used in a Bitbucket pipeline as follows:\n(this example uses the `PER_REPOSITORY` role strategy)\n\n```yaml\nimage: amazon/aws-cli:2.x.x # TODO use a valid up-to-date image version\n\ndefinitions:\n  scripts:\n    - script: \u0026install-jq yum install -y jq\n    - script: \u0026assume-role |\n        export AWS_ROLE=\"MyRolePrefix_${BITBUCKET_WORKSPACE}_${BITBUCKET_REPO_SLUG}\"\n        export AWS_ACCOUNT_ID=123456789012\n        export AWS_SESSION_CREDENTIALS=$(aws sts assume-role-with-web-identity \\\n          --role-arn           \"arn:aws:iam::${AWS_ACCOUNT_ID}:role/${AWS_ROLE}\" \\\n          --role-session-name  \"${BITBUCKET_WORKSPACE}-${BITBUCKET_REPO_SLUG}-session-${BITBUCKET_BUILD_NUMBER}\" \\\n          --web-identity-token \"${BITBUCKET_STEP_OIDC_TOKEN}\" \\\n          --duration-seconds   3600)\n        export AWS_ACCESS_KEY_ID=$(    echo \"$AWS_SESSION_CREDENTIALS\" | jq -r '.Credentials.AccessKeyId')\n        export AWS_SECRET_ACCESS_KEY=$(echo \"$AWS_SESSION_CREDENTIALS\" | jq -r '.Credentials.SecretAccessKey')\n        export AWS_SESSION_TOKEN=$(    echo \"$AWS_SESSION_CREDENTIALS\" | jq -r '.Credentials.SessionToken')\n\npipelines:\n  default:\n    - step:\n        oidc: true # Required for OIDC authentication\n        
name: Test\n        script:\n          - *install-jq\n          - *assume-role\n          - echo \"TODO: Test the project, read/write to bucket, etc.\"\n```\n\n## AWS limits and role strategy\n\nAWS enforces limits on the number of policies per role (20) and the size of a policy (6,144 characters).\nIf using many repositories or when creating many buckets, this can prevent a single role from being created with all the necessary permissions.\nTherefore, the `role_strategy` variable can be used to work around these limits by creating multiple roles.\n\nThe example above uses a `role_strategy` set to `PER_REPOSITORY` which means that a role will be created for each repository.\nIt can also be set to `PER_BUCKET` which will create a role for each bucket or `ONE` which will create a single role containing all policies.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnathanjadams%2Faws_bb_oidc_buckets","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnathanjadams%2Faws_bb_oidc_buckets","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnathanjadams%2Faws_bb_oidc_buckets/lists"}