[QT-400] Fix doormat hc-service-uri for ci bootstrap ci doormat role (#2944)

enos/ci/service-user-iam/github-actions-doormat.tf

@@ -6,11 +6,20 @@ locals {
   // "Github Actions Doormat repositories and qualifiers"
   // see: https://docs.prod.secops.hashicorp.services/doormat/gha/
   github_actions_doormat_rwqs = {
-    boundary-enterprise = "github.com/hashicorp/boundary-enterprise@event_name=schedule///event_name=workflow_dispatch+push:ref=refs/heads/main+refs/heads/release/0.8.x+refs/heads/release/0.10.x+refs/heads/release/0.11.x///event_name=pull_request:base_ref=main+release/0.8.x+release/0.10.x+release/0.11.x",
-    boundary-hcp        = "github.com/hashicorp/boundary-hcp@event_name=schedule///event_name=workflow_dispatch+push:ref=refs/heads/main+refs/heads/release/0.8.x+refs/heads/release/0.10.x+refs/heads/release/0.11.x///event_name=pull_request:base_ref=main+release/0.8.x+release/0.10.x+release/0.11.x",
+    boundary-enterprise = {
+      ci           = "github.com/hashicorp/boundary-enterprise@event_name=workflow_dispatch+push:ref=refs/heads/main+refs/heads/release/0.8.x+refs/heads/release/0.10.x+refs/heads/release/0.11.x///event_name=pull_request:base_ref=main+release/0.8.x+release/0.10.x+release/0.11.x",
+      ci-bootstrap = "github.com/hashicorp/boundary-enterprise@event_name=schedule"
+    }
+    boundary-hcp = {
+      ci           = "github.com/hashicorp/boundary-hcp@event_name=workflow_dispatch+push:ref=refs/heads/main+refs/heads/release/0.8.x+refs/heads/release/0.10.x+refs/heads/release/0.11.x///event_name=pull_request:base_ref=main+release/0.8.x+release/0.10.x+release/0.11.x",
+      ci-bootstrap = "github.com/hashicorp/boundary-hcp@event_name=schedule"
+    }
   }
-  github_actions_doormat_assume_policy_name = "AssumeServiceUserPolicy"
-  boundary_gha_iam_role_name                = "${var.repository}-GHA-ci"
+  ent_policies_json = {
+    ci           = data.aws_iam_policy_document.enos_policy_document.json
+    ci-bootstrap = data.aws_iam_policy_document.combined_policy_document.json
+  }
+  repo_github_actions_doormat_rwqs = local.is_ent ? local.github_actions_doormat_rwqs[var.repository] : {}
 }
 
 // Doormat Github Actions assume policy
@@ -34,20 +43,19 @@ data "aws_iam_policy_document" "github_actions_doormat_assume" {
 
 # Doormat Github Actions roles
 resource "aws_iam_role" "github_actions_doormat_role" {
-  count = local.is_ent ? 1 : 0
+  for_each = local.repo_github_actions_doormat_rwqs
 
   provider = aws.us_east_1
 
-  name = local.boundary_gha_iam_role_name
+  name = "${var.repository}-GHA-${each.key}"
   tags = {
-    hc-service-uri = local.github_actions_doormat_rwqs[var.repository]
+    hc-service-uri = each.value
   }
   max_session_duration = 43200
   assume_role_policy   = data.aws_iam_policy_document.github_actions_doormat_assume[0].json
 
   inline_policy {
-    name = "AssumeServiceUserPolicy"
-    // Use the service user policy for now
-    policy = data.aws_iam_policy_document.combined_policy_document.json
+    name   = "AssumeServiceUserPolicy"
+    policy = local.ent_policies_json[each.key]
   }
 }

enos/ci/service-user-iam/outputs.tf

@@ -1,22 +1,17 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
-output "ci_role" {
-  value = local.is_ent ? {
-    name = aws_iam_role.github_actions_doormat_role[0].name
-    arn  = aws_iam_role.github_actions_doormat_role[0].arn
-    } : {
-    name = aws_iam_role.role[0].name
-    arn  = aws_iam_role.role[0].arn
-  }
-}
-
-output "ci_role_policy" {
-  value = local.is_ent ? {
-    name   = local.github_actions_doormat_assume_policy_name
-    policy = data.aws_iam_policy_document.github_actions_doormat_assume[0].json
-    } : {
-    name   = aws_iam_role_policy.role_policy[0].name
+output "ci_roles" {
+  value = local.is_ent ? [for role in aws_iam_role.github_actions_doormat_role : {
+    name = role.name
+    arn  = role.arn
+    policy = [for policy in role.inline_policy : {
+      name   = policy.name
+      policy = jsondecode(policy.policy)
+    }][0]
+    }] : [{
+    name   = aws_iam_role.role[0].name
+    arn    = aws_iam_role.role[0].arn
     policy = aws_iam_role_policy.role_policy[0].policy
-  }
+  }]
 }