Merge pull request #30 from aws-samples/vpc_perms

update codebuild vpc perms

Author: jakebark

codebuild.tf

@@ -148,20 +148,54 @@ data "aws_iam_policy_document" "codebuild" {
     ]
   }
 
+  // https://docs.aws.amazon.com/codebuild/latest/userguide/auth-and-access-control-iam-identity-based-access-control.html#customer-managed-policies-example-create-vpc-network-interface
   dynamic "statement" {
     for_each = var.vpc == null ? [] : [var.vpc]
     content {
       effect = "Allow"
       actions = [
-        "ec2:DescribeSecurityGroups",
+        "ec2:CreateNetworkInterface",
+        "ec2:DescribeDhcpOptions",
+        "ec2:DescribeNetworkInterfaces",
+        "ec2:DeleteNetworkInterface",
         "ec2:DescribeSubnets",
+        "ec2:DescribeSecurityGroups",
         "ec2:DescribeVpcs"
       ]
       resources = [
         "*"
       ]
     }
   }
+
+  dynamic "statement" {
+    for_each = var.vpc == null ? [] : [var.vpc]
+    content {
+      effect = "Allow"
+      actions = [
+        "ec2:CreateNetworkInterfacePermission"
+
+      ]
+      resources = [
+        "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:network-interface/*"
+      ]
+      condition {
+        test     = "StringEquals"
+        variable = "ec2:AuthorizedService"
+        values = [
+          "codebuild.amazonaws.com"
+        ]
+      }
+      condition {
+        test     = "ArnEquals"
+        variable = "ec2:Subnet"
+        values = [
+          for id in var.vpc["subnets"] :
+          "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:subnet/${id}"
+        ]
+      }
+    }
+  }
 }
 
 resource "aws_codebuild_report_group" "sast" {