Perms for deploy, more info in output.json (#53)

.github/workflows/environment-main-deploy.yaml

@@ -63,17 +63,18 @@ jobs:
 
     - name: write UI config file
       run: |
+        echo "${{ toJSON(steps.terraform.outputs) }}"
         cat > ui/config/output-${{ vars.ENVIRONMENT }}.json <<EOF
         {
           "ui_bucket": {"value": "${{ steps.terraform.outputs.ui_bucket }}"},
           "cdn_id": {"value": "${{ steps.terraform.outputs.cdn_id }}"},
-          "cognito_identity_pool_id": {"value": ""},
-          "cognito_user_pool_id": {"value": ""},
-          "cognito_web_client_id": {"value": ""},
-          "graphql_uri": {"value": ""},
-          "region": {"value": ""},
-          "cognito_login_domain": {"value": ""},
-          "cdn_domain_name": {"value": ""}
+          "cognito_identity_pool_id": {"value": "${{ steps.terraform.outputs.cognito_identity_pool_id }}"},
+          "cognito_user_pool_id": {"value": "${{ steps.terraform.outputs.cognito_user_pool_id }}"},
+          "cognito_web_client_id": {"value": "${{ steps.terraform.outputs.cognito_web_client_id }}"},
+          "graphql_uri": {"value": "${{ steps.terraform.outputs.graphql_uri }}"},
+          "region": {"value": "${{ steps.terraform.outputs.region }}"},
+          "cognito_login_domain": {"value": "${{ steps.terraform.outputs.cognito_login_domain }}"},
+          "cdn_domain_name": {"value": "${{ steps.terraform.outputs.cdn_domain_name }}"}
         }
         EOF
 

terraform/module/iac-roles/policy.tf

@@ -141,7 +141,21 @@ data "aws_iam_policy_document" "rw" {
       "s3:PutObject"
     ]
     resources = [
-      "${var.state_bucket_arn}/${var.environment}/terraform.tfstate"
+      "${var.state_bucket_arn}/${var.environment}/terraform.tfstate",
+    ]
+  }
+
+  statement {
+    sid = "s3ui"
+    actions = [
+      "s3:GetObject",
+      "s3:PutObject",
+      "s3:DeleteObject",
+      "cloudfront:CreateInvalidation",
+    ]
+    resources = [
+      "arn:${data.aws_partition.current.id}:s3:::${lower(var.app_name)}-${var.environment}-ui/*",
+      "arn:${data.aws_partition.current.id}:cloudfront::${data.aws_caller_identity.current.account_id}:distribution/*",
     ]
   }
 
@@ -356,7 +370,20 @@ data "aws_iam_policy_document" "rw_boundary" {
     ]
     resources = [
       "${var.state_bucket_arn}/${var.environment}/terraform.tfstate",
-      "arn:${data.aws_partition.current.id}:s3:::${lower(var.app_name)}-${var.environment}-*/*",
+    ]
+  }
+
+  statement {
+    sid = "s3ui"
+    actions = [
+      "s3:GetObject",
+      "s3:PutObject",
+      "s3:DeleteObject",
+      "cloudfront:CreateInvalidation",
+    ]
+    resources = [
+      "arn:${data.aws_partition.current.id}:s3:::${lower(var.app_name)}-${var.environment}-ui/*",
+      "arn:${data.aws_partition.current.id}:cloudfront::${data.aws_caller_identity.current.account_id}:distribution/*",
     ]
   }
 

ui/ui.mk

@@ -35,6 +35,7 @@ ui/.build-%: appsync/schema.ts appsync/graphql.ts ui/src/*.ts ui/src/amplifyconf
 ui/.push: ui-test ui/.push-dev
 	touch $@
 
+# We really should run this as RW_ROLE on a make dev...
 ui/.push-%: ui/config/output-%.json ui/config/config-%.json ui/.build-%
 	aws --no-cli-pager s3 sync ui/dist "s3://$$(jq -r .ui_bucket.value $< )"
 	aws --no-cli-pager s3 sync --delete ui/dist "s3://$$(jq -r .ui_bucket.value $< )"