CodeBuild IAM terraform

iamポリシーのjsonをHCLで書き直すパズル集 #AWS - Qiita

https://docs.aws.amazon.com/ja_jp/codebuild/latest/userguide/auth-and-access-control-iam-identity-based-access-control.html#customer-managed-policies-example-create-vpc-network-interface

https://docs.aws.amazon.com/codebuild/latest/userguide/auth-and-access-control-iam-identity-based-access-control.html#customer-managed-policies-example-create-vpc-network-interface

# Identity of the credentials Terraform runs with; only account_id is used below
# to build the network-interface ARN in the CodeBuild policy.
data "aws_caller_identity" "current" {}

# Shared values for ARN construction. The region is pinned to a literal
# rather than looked up, so it must match where the subnets actually live.
locals {
  account_id = data.aws_caller_identity.current.account_id
  region     = "ap-northeast-1"
}

# Private subnet (AZ "a") that CodeBuild is allowed to place network interfaces in.
# The body is elided on this page ("..."); only its arn is referenced by the policy below.
resource "aws_subnet" "private_1a" {
...
}

# Private subnet (AZ "c") that CodeBuild is allowed to place network interfaces in.
# The body is elided on this page ("..."); only its arn is referenced by the policy below.
resource "aws_subnet" "private_1c" {
...
}

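# Policy document for a CodeBuild project that runs inside a VPC. It is the HCL
# form of the AWS-documented "create VPC network interface" customer-managed
# policy example (see the linked docs above).
data "aws_iam_policy_document" "codebuild_vpc" {
  # Interface lifecycle and Describe* calls. They are granted on "*" exactly as in
  # the upstream example; note that this leaves ec2:CreateNetworkInterface and
  # ec2:DeleteNetworkInterface unscoped. The subnet restriction is applied only by
  # the second statement, so review whether that is acceptable for this account.
  statement {
    sid    = ""
    effect = "Allow"
    actions = [
      "ec2:CreateNetworkInterface",
      "ec2:DescribeDhcpOptions",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DeleteNetworkInterface",
      "ec2:DescribeSubnets",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeVpcs",
    ]
    resources = ["*"]
  }

  # Granting interface permissions is limited to interfaces in this account and
  # region, and further to the two listed subnets and to requests made for the
  # CodeBuild service. Both conditions must hold for the statement to match.
  statement {
    sid    = ""
    effect = "Allow"
    actions = ["ec2:CreateNetworkInterfacePermission"]
    resources = [
      "arn:aws:ec2:${local.region}:${local.account_id}:network-interface/*",
    ]

    # Only the private subnets the build project is configured with.
    # Bare references are used instead of the "${...}"-wrapped form, which
    # Terraform 0.12+ reports as a deprecated interpolation-only expression.
    condition {
      test     = "StringEquals"
      variable = "ec2:Subnet"
      values = [
        aws_subnet.private_1a.arn,
        aws_subnet.private_1c.arn,
      ]
    }

    # Only when the permission is requested on behalf of CodeBuild itself.
    condition {
      test     = "StringEquals"
      variable = "ec2:AuthorizedService"
      values   = ["codebuild.amazonaws.com"]
    }
  }
}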

参考

CodeBuildでCloudformationを使ってIAMロールを作成する #CloudFormation - Qiita 2020

CloudFormationでCodeBuildを作成しようとしたら「Not authorized to perform DescribeSecurityGroups」になった #AWS - Qiita 2022