From 524844ca6911549f97cd8577b7612113694c05e8 Mon Sep 17 00:00:00 2001 From: Joe Niland Date: Thu, 25 Jun 2020 16:19:55 +1000 Subject: [PATCH] Add bitbucket support (#34) * Add support for codestar source in CodePipeline * expose local codebuild cache variables * Expose github_anonymous variable to allow setting it on the webhooks module * bump version of cloudposse/terraform-aws-codebuild * Updated README.md Co-authored-by: actions-bot <58130806+actions-bot@users.noreply.github.com> --- README.md | 5 +- docs/terraform.md | 5 +- main.tf | 130 +++++++++++++++++++++++++++++++++++++++++++++- variables.tf | 22 +++++++- 4 files changed, 157 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index d4b422c..c74b9a2 100644
--- a/README.md
+++ b/README.md
@@ -220,15 +220,18 @@ Available targets:
 | build\_timeout | How long in minutes, from 5 to 480 (8 hours), for AWS CodeBuild to wait until timing out any related build that does not get marked as completed | `number` | `60` | no |
 | buildspec | Declaration to use for building the project. [For more info](http://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html) | `string` | `""` | no |
 | cache\_type | The type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO\_CACHE, LOCAL, and S3. Defaults to S3. If cache\_type is S3, it will create an S3 bucket for storing codebuild cache inside | `string` | `"S3"` | no |
+| codestar\_connection\_arn | CodeStar connection ARN required for Bitbucket integration with CodePipeline | `string` | `""` | no |
 | delimiter | Delimiter between `namespace`, `stage`, `name` and `attributes` | `string` | `"-"` | no |
 | ecs\_cluster\_name | ECS Cluster Name | `string` | n/a | yes |
 | enabled | Enable `CodePipeline` creation | `bool` | `true` | no |
 | environment\_variables | A list of maps, that contain both the key 'name' and the key 'value' to be used as additional environment variables for the build |
list(object(
{
name = string
value = string
}))
| `[]` | no |
-| github\_oauth\_token | GitHub OAuth Token with permissions to access private repositories | `string` | n/a | yes |
+| github\_anonymous | Github Anonymous API (if `true`, token must not be set as GITHUB\_TOKEN or `github_token`) | `bool` | `false` | no |
+| github\_oauth\_token | GitHub OAuth Token with permissions to access private repositories | `string` | `""` | no |
 | github\_webhook\_events | A list of events which should trigger the webhook. See a list of [available events](https://developer.github.com/v3/activity/events/types/) | `list(string)` |
[
"push"
]
| no |
 | github\_webhooks\_token | GitHub OAuth Token with permissions to create webhooks. If not provided, can be sourced from the `GITHUB_TOKEN` environment variable | `string` | `""` | no |
 | image\_repo\_name | ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. [For more info](http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html) | `string` | n/a | yes |
 | image\_tag | Docker image tag in the ECR repository, e.g. 'latest'. Used as CodeBuild ENV variable when building Docker images. [For more info](http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html) | `string` | `"latest"` | no |
+| local\_cache\_modes | Specifies settings that AWS CodeBuild uses to store and reuse build dependencies. Valid values: LOCAL\_SOURCE\_CACHE, LOCAL\_DOCKER\_LAYER\_CACHE, and LOCAL\_CUSTOM\_CACHE | `list(string)` | `[]` | no |
 | name | Name of the application | `string` | n/a | yes |
 | namespace | Namespace (e.g. `eg` or `cp`) | `string` | `""` | no |
 | poll\_source\_changes | Periodically check the location of your source content and run the pipeline if changes are detected | `bool` | `false` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 5dbbb92..be87325 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -29,15 +29,18 @@
 | build\_timeout | How long in minutes, from 5 to 480 (8 hours), for AWS CodeBuild to wait until timing out any related build that does not get marked as completed | `number` | `60` | no |
 | buildspec | Declaration to use for building the project. [For more info](http://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html) | `string` | `""` | no |
 | cache\_type | The type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO\_CACHE, LOCAL, and S3. Defaults to S3. If cache\_type is S3, it will create an S3 bucket for storing codebuild cache inside | `string` | `"S3"` | no |
+| codestar\_connection\_arn | CodeStar connection ARN required for Bitbucket integration with CodePipeline | `string` | `""` | no |
 | delimiter | Delimiter between `namespace`, `stage`, `name` and `attributes` | `string` | `"-"` | no |
 | ecs\_cluster\_name | ECS Cluster Name | `string` | n/a | yes |
 | enabled | Enable `CodePipeline` creation | `bool` | `true` | no |
 | environment\_variables | A list of maps, that contain both the key 'name' and the key 'value' to be used as additional environment variables for the build |
list(object(
{
name = string
value = string
}))
| `[]` | no |
-| github\_oauth\_token | GitHub OAuth Token with permissions to access private repositories | `string` | n/a | yes |
+| github\_anonymous | Github Anonymous API (if `true`, token must not be set as GITHUB\_TOKEN or `github_token`) | `bool` | `false` | no |
+| github\_oauth\_token | GitHub OAuth Token with permissions to access private repositories | `string` | `""` | no |
 | github\_webhook\_events | A list of events which should trigger the webhook. See a list of [available events](https://developer.github.com/v3/activity/events/types/) | `list(string)` |
[
"push"
]
| no |
 | github\_webhooks\_token | GitHub OAuth Token with permissions to create webhooks. If not provided, can be sourced from the `GITHUB_TOKEN` environment variable | `string` | `""` | no |
 | image\_repo\_name | ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. [For more info](http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html) | `string` | n/a | yes |
 | image\_tag | Docker image tag in the ECR repository, e.g. 'latest'. Used as CodeBuild ENV variable when building Docker images. [For more info](http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html) | `string` | `"latest"` | no |
+| local\_cache\_modes | Specifies settings that AWS CodeBuild uses to store and reuse build dependencies. Valid values: LOCAL\_SOURCE\_CACHE, LOCAL\_DOCKER\_LAYER\_CACHE, and LOCAL\_CUSTOM\_CACHE | `list(string)` | `[]` | no |
 | name | Name of the application | `string` | n/a | yes |
 | namespace | Namespace (e.g. `eg` or `cp`) | `string` | `""` | no |
 | poll\_source\_changes | Periodically check the location of your source content and run the pipeline if changes are detected | `bool` | `false` | no |
diff --git a/main.tf b/main.tf
index 0488283..0a60e34 100644
--- a/main.tf
+++ b/main.tf
@@ -167,6 +167,53 @@ data "aws_iam_policy_document" "codebuild" {
 }
 }
+# https://docs.aws.amazon.com/codepipeline/latest/userguide/connections-permissions.html
+resource "aws_iam_role_policy_attachment" "codestar" {
+ count = var.enabled && var.codestar_connection_arn != "" ? 1 : 0
+ role = join("", aws_iam_role.default.*.id)
+ policy_arn = join("", aws_iam_policy.codestar.*.arn)
+}
+
+module "codestar_label" {
+ source = "github.com/cloudposse/terraform-null-label.git?ref=0.16.0"
+ enabled = var.enabled && var.codestar_connection_arn != ""
+ attributes = compact(concat(var.attributes, ["codestar"]))
+ delimiter = var.delimiter
+ name = var.name
+ namespace = var.namespace
+ stage = var.stage
+ tags = var.tags
+}
+
+resource "aws_iam_policy" "codestar" {
+ count = var.enabled && var.codestar_connection_arn != "" ? 1 : 0
+ name = module.codestar_label.id
+ policy = join("", data.aws_iam_policy_document.codestar.*.json)
+}
+
+data "aws_iam_policy_document" "codestar" {
+ count = var.enabled && var.codestar_connection_arn != "" ? 1 : 0
+ statement {
+ sid = ""
+
+ actions = [
+ "codestar-connections:UseConnection"
+ ]
+
+ condition {
+ test = "StringLike"
+ variable = "codestar-connections:FullRepositoryId"
+ values = [
+ format("%s/%s", var.repo_owner, var.repo_name)
+ ]
+ }
+
+ resources = [var.codestar_connection_arn]
+ effect = "Allow"
+
+ }
+}
+
 data "aws_caller_identity" "default" {
 }
@@ -174,7 +221,7 @@ data "aws_region" "default" {
 }
 module "codebuild" {
- source = "git::https://github.com/cloudposse/terraform-aws-codebuild.git?ref=tags/0.20.0"
+ source = "git::https://github.com/cloudposse/terraform-aws-codebuild.git?ref=tags/0.21.0"
 enabled = var.enabled
 namespace = var.namespace
 name = var.name
@@ -195,6 +242,7 @@ module "codebuild" {
 environment_variables = var.environment_variables
 badge_enabled = var.badge_enabled
 cache_type = var.cache_type
+ local_cache_modes = var.local_cache_modes
 }
 resource "aws_iam_role_policy_attachment" "codebuild_s3" {
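Review bot: The enabling predicate `var.enabled && var.codestar_connection_arn != ""` is written out four times in this hunk (the `count` of the policy attachment, the policy and the policy document, plus the label's `enabled`) and once more in the later `aws_codepipeline.bitbucket` hunk, so a future edit can leave one copy out of step and end up with a pipeline whose role lacks the grant, or a grant with no pipeline. A single `locals` entry, `codestar_enabled = var.enabled && var.codestar_connection_arn != ""`, referenced as `local.codestar_enabled` in those five places, keeps the IAM policy and the resource that needs it in lockstep. The condition on `codestar-connections:FullRepositoryId` scoped to the one `repo_owner/repo_name` repository is the right least-privilege shape and worth keeping. The empty `sid = ""` on the statement adds nothing and can be dropped.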
@@ -204,7 +252,7 @@ resource "aws_iam_role_policy_attachment" "codebuild_s3" {
 }
 resource "aws_codepipeline" "default" {
- count = var.enabled ? 1 : 0
+ count = var.enabled && var.github_oauth_token != "" ? 1 : 0
 name = module.codepipeline_label.id
 role_arn = join("", aws_iam_role.default.*.arn)
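Review bot: With `github_oauth_token` now defaulting to `""` (variables.tf hunk) and this `count` keyed on it, a caller that sets `enabled = true` but supplies neither `github_oauth_token` nor `codestar_connection_arn` gets no pipeline at all, and the plan reports no error; the `codebuild` module, whose `enabled = var.enabled` is visible in the earlier hunk, is still created. Either state in the variable descriptions that exactly one of the two inputs is required, or encode it, e.g. a local `github_enabled = var.enabled && var.github_oauth_token != ""` used here and by every resource that assumes a GitHub pipeline exists. The webhook resources that presumably reference `aws_codepipeline.default` are outside this hunk, so I cannot confirm they are guarded the same way; `aws_codepipeline.default` itself continues past the end of the hunk.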
@@ -279,6 +327,83 @@ resource "aws_codepipeline" "default" {
 }
 }
+# https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-CodestarConnectionSource.html#action-reference-CodestarConnectionSource-example
+resource "aws_codepipeline" "bitbucket" {
+ count = var.enabled && var.codestar_connection_arn != "" ? 1 : 0
+ name = module.codepipeline_label.id
+ role_arn = join("", aws_iam_role.default.*.arn)
+
+ artifact_store {
+ location = join("", aws_s3_bucket.default.*.bucket)
+ type = "S3"
+ }
+
+ depends_on = [
+ aws_iam_role_policy_attachment.default,
+ aws_iam_role_policy_attachment.s3,
+ aws_iam_role_policy_attachment.codebuild,
+ aws_iam_role_policy_attachment.codebuild_s3,
+ aws_iam_role_policy_attachment.codestar
+ ]
+
+ stage {
+ name = "Source"
+
+ action {
+ name = "Source"
+ category = "Source"
+ owner = "AWS"
+ provider = "CodeStarSourceConnection"
+ version = "1"
+ output_artifacts = ["code"]
+
+ configuration = {
+ ConnectionArn = var.codestar_connection_arn
+ FullRepositoryId = format("%s/%s", var.repo_owner, var.repo_name)
+ BranchName = var.branch
+ OutputArtifactFormat = "CODE_ZIP"
+ }
+ }
+ }
+
+ stage {
+ name = "Build"
+
+ action {
+ name = "Build"
+ category = "Build"
+ owner = "AWS"
+ provider = "CodeBuild"
+ version = "1"
+
+ input_artifacts = ["code"]
+ output_artifacts = ["task"]
+
+ configuration = {
+ ProjectName = module.codebuild.project_name
+ }
+ }
+ }
+
+ stage {
+ name = "Deploy"
+
+ action {
+ name = "Deploy"
+ category = "Deploy"
+ owner = "AWS"
+ provider = "ECS"
+ input_artifacts = ["task"]
+ version = "1"
+
+ configuration = {
+ ClusterName = var.ecs_cluster_name
+ ServiceName = var.service_name
+ }
+ }
+ }
+}
+
 resource "random_string" "webhook_secret" {
 count = var.enabled && var.webhook_enabled ? 1 : 0
 length = 32
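Review bot: `aws_codepipeline.bitbucket` reuses `name = module.codepipeline_label.id`, the same name `aws_codepipeline.default` uses, and nothing makes the two `count` expressions mutually exclusive: a caller who sets both `github_oauth_token` and `codestar_connection_arn` gets two pipelines planned under one name, and the apply fails at the API only after the rest of the plan has gone through. Make one path take precedence so at most one pipeline is created, e.g. keep this resource's `count` and change the GitHub one to `count = var.enabled && var.codestar_connection_arn == "" && var.github_oauth_token != "" ? 1 : 0`, or give this resource a distinct label attribute for its name. The `FullRepositoryId` built here is the same `repo_owner/repo_name` value the new IAM condition in the earlier hunk permits, so the two stay consistent as long as both keep using `format("%s/%s", var.repo_owner, var.repo_name)`; a shared local would make that explicit.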
@@ -312,6 +437,7 @@ resource "aws_codepipeline_webhook" "webhook" {
 module "github_webhooks" {
 source = "git::https://github.com/cloudposse/terraform-github-repository-webhooks.git?ref=tags/0.7.0"
 enabled = var.enabled && var.webhook_enabled ? true : false
+ github_anonymous = var.github_anonymous
 github_organization = var.repo_owner
 github_repositories = [var.repo_name]
 github_token = var.github_webhooks_token
diff --git a/variables.tf b/variables.tf
index e90ae12..571817d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -49,9 +49,16 @@ variable "service_name" {
 description = "ECS Service Name"
 }
+variable "github_anonymous" {
+ type = bool
+ description = "Github Anonymous API (if `true`, token must not be set as GITHUB_TOKEN or `github_token`)"
+ default = false
+}
+
 variable "github_oauth_token" {
 type = string
 description = "GitHub OAuth Token with permissions to access private repositories"
+ default = ""
 }
 variable "github_webhooks_token" {
@@ -194,8 +201,21 @@ variable "s3_bucket_force_destroy" {
 default = false
 }
+variable "codestar_connection_arn" {
+ type = string
+ description = "CodeStar connection ARN required for Bitbucket integration with CodePipeline"
+ default = ""
+}
+
 variable "cache_type" {
 type = string
 default = "S3"
 description = "The type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO_CACHE, LOCAL, and S3. Defaults to S3. If cache_type is S3, it will create an S3 bucket for storing codebuild cache inside"
-}
\ No newline at end of file
+}
+
+variable "local_cache_modes" {
+ type = list(string)
+ default = []
+ description = "Specifies settings that AWS CodeBuild uses to store and reuse build dependencies. Valid values: LOCAL_SOURCE_CACHE, LOCAL_DOCKER_LAYER_CACHE, and LOCAL_CUSTOM_CACHE"
+}
+
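Review bot: The `github_anonymous` description in the variables.tf hunk at line 49 was carried over from the webhooks module and tells the user that `github_token` must not be set, but this module has no such input; the value is passed on from `github_webhooks_token` (visible in the `module "github_webhooks"` hunk just above), so replace `github_token` with `github_webhooks_token` in that description. In the same hunk `github_oauth_token` has just become optional with `default = ""`, yet its description still reads as if it were mandatory; add a sentence stating that it is only needed for the GitHub source and that `codestar_connection_arn` is the alternative, since the module now creates no pipeline when both are empty. The README.md and docs/terraform.md tables are generated from these descriptions and would pick up both corrections.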