IAM policy /ci/builder for building applications that depend on software packages stored in AWS CodeArtifact.
Originally designed for CI pipelines that use the GitHub Action agilecustoms/setup-maven-codeartifact.
The policy allows codeartifact:ReadFromRepository on all CodeArtifact repositories in the specified domain (account, region and domain name are module inputs); it grants no publish or delete permissions.
To publish artifacts to S3, ECR and CodeArtifact, see the companion module terraform-aws-ci-publisher.
- Grants minimal, read-only access to CodeArtifact
- Supports GitHub Actions and other CI systems
```hcl
module "builder_policy" {
  source                   = "agilecustoms/ci-builder/aws"
  account_id               = local.account_id
  codeartifact_domain_name = local.artifact_domain_name
  region                   = var.region
}
```

This module creates only the IAM policy, not a role; the role that attaches it is left to you. For roles used in CI pipelines it is strongly recommended to trust an OIDC provider (for example GitHub's) rather than to distribute long-lived IAM user credentials. See terraform-aws-ci-publisher for an example.
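The role recommended above, written out as an added example (this is not part of the ci-builder module): a GitHub Actions role assumed through OIDC, with a trust policy scoped to a single repository, and the policy produced by this module attached to it. The account ID, the CodeArtifact domain name, the region and the GitHub org/repo "example-org/example-app" are assumed placeholders; the hashicorp/tls provider is used to fetch the OIDC provider's certificate thumbprint instead of hard-coding it.

```hcl
# Added example, not code from the ci-builder module: a GitHub Actions role
# assumed via OIDC that attaches the policy created by the module.
# Assumed values: account_id, artifact_domain_name, region and github_repo.

locals {
  account_id           = "123456789012"              # assumed account
  artifact_domain_name = "example"                   # assumed CodeArtifact domain
  github_repo          = "example-org/example-app"   # assumed GitHub repository
}

module "builder_policy" {
  source                   = "agilecustoms/ci-builder/aws"
  account_id               = local.account_id
  codeartifact_domain_name = local.artifact_domain_name
  region                   = "us-east-1"
}

# Read the certificate chain of GitHub's OIDC issuer (hashicorp/tls provider)
# so the thumbprint is not hard-coded and does not silently go stale.
data "tls_certificate" "github" {
  url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
}

# One OIDC provider per account; reuse an existing one instead of creating a duplicate.
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.github.certificates[0].sha1_fingerprint]
}

# Trust policy: only workflows of the named repository may assume the role.
# Without the "sub" condition, any repository on github.com could.
data "aws_iam_policy_document" "builder_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      # Tighten to "repo:<org>/<repo>:ref:refs/heads/main" if builds run only from main
      values   = ["repo:${local.github_repo}:*"]
    }
  }
}

resource "aws_iam_role" "builder" {
  name                 = "builder"
  path                 = "/ci/"   # same path convention as the policy
  assume_role_policy   = data.aws_iam_policy_document.builder_trust.json
  max_session_duration = 3600     # one hour is enough for a build; keep sessions short
}

# Attach the read-only CodeArtifact policy produced by the module.
resource "aws_iam_role_policy_attachment" "builder" {
  role       = aws_iam_role.builder.name
  policy_arn = module.builder_policy.policy_arn
}

output "builder_role_arn" {
  value = aws_iam_role.builder.arn   # pass as role-to-assume in the workflow
}
```

On the workflow side the job needs `permissions: id-token: write` and then assumes the role (for example with aws-actions/configure-aws-credentials and `role-to-assume` set to the output above); no access keys are stored in the repository. For a CI system other than GitHub Actions, swap the issuer URL, audience and the `aud`/`sub` claim names for those of that system's OIDC provider and keep the same pattern: a federated principal plus conditions that pin the token to one project.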
Requirements:

| Name | Version |
|---|---|
| terraform | >= 1.5.7 |
| aws | >= 3.38.0 |

Providers:

| Name | Version |
|---|---|
| aws | >= 3.38.0 |

Modules: none.

Resources:

| Name | Type |
|---|---|
| aws_iam_policy.builder | resource |

Inputs:

| Name | Default | Description |
|---|---|---|
| account_id | (required) | AWS account ID where the CodeArtifact domain is located |
| codeartifact_domain_name | (required) | CodeArtifact domain name, typically just the company name |
| iam_policy_path | /ci/ | IAM path of the policy; use paths to distinguish application, user and CI roles |
| iam_policy_name | builder | Name of the IAM policy |
| partition | aws | AWS partition, e.g. aws, aws-cn, aws-us-gov |
| region | (required) | AWS region where the CodeArtifact domain is located |

Outputs:

| Name | Description |
|---|---|
| policy_arn | ARN of the IAM policy created by this module |
This module is maintained by Alexey Chekulaev.
Apache 2 licensed. See LICENSE for full details.
Copyright 2025 Alexey Chekulaev