feat: Add an IAM policy for deploying to each documentation prefix. (#20)

Author: jamesiarmes

.github/workflows/docs.yaml

@@ -14,6 +14,7 @@ on:
       - 'docs/**'
       - 'mkdocs.yaml'
       - '.github/workflows/docs.yaml'
+      - '*.md'
     branches:
       - main
 
@@ -22,8 +23,8 @@ permissions:
 
 jobs:
   deploy:
-    name: Deploy Documentation to ${{ inputs.environment }}
-    environment: ${{ inputs.environment }}
+    name: Deploy Documentation to ${{ inputs.environment || 'development'}}
+    environment: ${{ inputs.environment || 'development'}}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -43,6 +44,13 @@ jobs:
           path: .cache
           restore-keys: |
             mkdocs-material-
-      - run: pip install mkdocs-material markdown-callouts mdx_truly_sane_lists mkdocs-nav-weight pymdown-extensions
+      - name: Install python dependencies
+        run: |
+          pip install \
+            mkdocs-material \
+            markdown-callouts \
+            mdx_truly_sane_lists \
+            mkdocs-nav-weight \
+            pymdown-extensions
       - run: mkdocs build
       - run: aws s3 sync ./site "s3://${{ env.DOCS_BUCKET || 'docs.dev.services.cfa.codes' }}/${{ env.PREFIX || 'shared-services' }}"

tofu/config/development/docs/main.tf

@@ -16,6 +16,15 @@ module "docs" {
   domain       = "dev.services.cfa.codes"
   subdomain    = "docs"
 
+  # TODO: Get these from app specs.
+  prefixes = [
+    "cmr-entity-resolution",
+    "document-transfer-service",
+    "shared-services",
+    "tax-benefits-backend",
+    "tofu-modules"
+  ]
+
   # Use the same VPC we use for shared hosting.
   # TODO: Use data resources to look this up.
   logging_bucket = "shared-services-development-logs"

tofu/modules/docs/files/rewrite-function.js

@@ -1,6 +1,6 @@
 function handler(event) {
-  var request = event.request;
-  var uri = request.uri;
+  const request = event.request;
+  const uri = request.uri;
 
   // If the request is being made to a directory (e.g. / or /docs), we want to
   // append "index.html" so that S3 serves the proper object. If the path

tofu/modules/docs/iam.tf

@@ -0,0 +1,12 @@
+resource "aws_iam_policy" "prefix" {
+  for_each = var.prefixes
+
+  name        = "${local.prefix}-deploy-${each.value}"
+  path        = "/"
+  description = "Allow deploy access to ${each.value} in the documentation bucket"
+
+  policy = jsonencode(yamldecode(templatefile("${path.module}/templates/prefix-policy.yaml.tftpl", {
+    bucket_arn : module.bucket.arn,
+    prefix : each.value
+  })))
+}

tofu/modules/docs/templates/prefix-policy.yaml.tftpl

@@ -0,0 +1,13 @@
+Version: "2012-10-17"
+Statement:
+- Sid: DocumentationPrefixPolicy
+  Effect: Allow
+  Action:
+  - s3:PutObject
+  - s3:GetObject
+  - s3:ListBucket
+  - s3:DeleteObject
+  - s3:GetBucketLocation
+  Resource:
+  - ${bucket_arn}
+  - ${bucket_arn}/${prefix}/*

tofu/modules/docs/variables.tf

@@ -26,6 +26,12 @@ variable "logging_bucket" {
   type        = string
 }
 
+variable "prefixes" {
+  description = "A list of prefixes to create access policies for."
+  type        = set(string)
+  default     = []
+}
+
 variable "subdomain" {
   description = "The subdomain for the documentation hosting."
   type        = string