From 6b701b2f9d54644c8b4a6c4e2f1e5aad667ab935 Mon Sep 17 00:00:00 2001
From: alexeh
Date: Mon, 9 Dec 2024 06:04:52 +0100
Subject: [PATCH] create data bucket per instance
---
.../base/modules/aws/s3_bucket/main.tf | 3 +
.../kubernetes/modules/aws/env/main.tf | 13 ++++
.../kubernetes/modules/aws/s3/main.tf | 59 +++++++++++++++++++
.../kubernetes/modules/aws/s3/outputs.tf | 7 +++
.../kubernetes/modules/aws/s3/variables.tf | 6 ++
5 files changed, 88 insertions(+)
create mode 100644 infrastructure/kubernetes/modules/aws/s3/main.tf
create mode 100644 infrastructure/kubernetes/modules/aws/s3/outputs.tf
create mode 100644 infrastructure/kubernetes/modules/aws/s3/variables.tf
diff --git a/infrastructure/base/modules/aws/s3_bucket/main.tf b/infrastructure/base/modules/aws/s3_bucket/main.tf
index bd3eea2b5..59f24c9d2 100644
--- a/infrastructure/base/modules/aws/s3_bucket/main.tf
+++ b/infrastructure/base/modules/aws/s3_bucket/main.tf
@@ -6,3 +6,6 @@ resource "aws_s3_bucket_acl" "landgriffon-raw-data_acl" {
 bucket = aws_s3_bucket.landgriffon-raw-data.id
 acl = "private"
 }
+
+
+
diff --git a/infrastructure/kubernetes/modules/aws/env/main.tf b/infrastructure/kubernetes/modules/aws/env/main.tf
index 6cc521195..2064e206b 100644
--- a/infrastructure/kubernetes/modules/aws/env/main.tf
+++ b/infrastructure/kubernetes/modules/aws/env/main.tf
@@ -237,6 +237,10 @@ module "k8s_data_import" {
 name = "S3_COG_PATH" value = "processed/cogs" }, + { + name : "DATA_BUCKET_NAME" + value : module.environment_bucket.instance-bucket-name + } ]) secrets = [
@@ -318,6 +322,15 @@ module "github_actions_frontend_secrets" {
 domain = var.domain } + +module environment_bucket { + source = "../s3" + bucket_name = var.environment + depends_on = [ + module.k8s_namespace + ] +} + #module "data_import" { # source = "../../modules/fargate" # namespace = var.environment
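Review bot: The new env entry in the `@@ -237` hunk uses object-key colon syntax (`name : "DATA_BUCKET_NAME"`, `value : module.environment_bucket.instance-bucket-name`) while the neighbouring entries in the same list, such as the `S3_COG_PATH` one, use `name = ...` / `value = ...`. HCL accepts both forms, but `terraform fmt` will not normalise the mix, and the inconsistency makes the list harder to scan. I'd write the entry in the same shape as its siblings: `{ name = "DATA_BUCKET_NAME", value = module.environment_bucket.instance-bucket-name }`. The enclosing `module "k8s_data_import"` block starts and ends outside the hunk.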
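Review bot: Handing the bucket name to the data-import workload in the `@@ -318` hunk does not give it access to the bucket; the new s3 module's policy only allows the account's `:root` principal, which simply defers to IAM, so whatever role the pods run as (not visible in this hunk) still needs an identity policy with the required `s3:` actions on the module's `instance-bucket-arn` output, or the first read or write will fail with AccessDenied. Two smaller points: `module environment_bucket {` uses an unquoted label, which HCL tolerates but every other module block in this file quotes, so write `module "environment_bucket" {`; and `depends_on = [module.k8s_namespace]` looks unrelated to a bucket, and a module-level `depends_on` defers planning of every resource in the s3 module until the namespace module is fully applied. If the dependency is deliberate, a one-line comment saying why (`# ordered after the namespace so ...`) would save the next reader the guess. The commented-out `#module "data_import"` block continues past the end of the hunk.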
diff --git a/infrastructure/kubernetes/modules/aws/s3/main.tf b/infrastructure/kubernetes/modules/aws/s3/main.tf
new file mode 100644
index 000000000..88d8f1f40
--- /dev/null
+++ b/infrastructure/kubernetes/modules/aws/s3/main.tf
@@ -0,0 +1,59 @@
+data "aws_caller_identity" "current" {}
+
+resource "aws_s3_bucket" "instance_bucket" {
+ bucket = "landgriffon-${var.bucket_name}-bucket"
+
+ tags = {
+ Environment = var.bucket_name
+ }
+}
+
+resource "aws_s3_bucket_versioning" "versioning" {
+ bucket = aws_s3_bucket.instance_bucket.id
+
+ versioning_configuration {
+ status = "Enabled"
+ }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
+ bucket = aws_s3_bucket.instance_bucket.id
+
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
+}
+
+resource "aws_s3_bucket_public_access_block" "block_public_access" {
+ bucket = aws_s3_bucket.instance_bucket.id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_policy" "bucket_policy" {
+ bucket = aws_s3_bucket.instance_bucket.id
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "AllowAllAuthenticatedUsersInAccount"
+ Effect = "Allow"
+ Principal = {
+ AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+ }
+ Action = "s3:*"
+ Resource = [
+ "arn:aws:s3:::${aws_s3_bucket.instance_bucket.id}",
+ "arn:aws:s3:::${aws_s3_bucket.instance_bucket.id}/*"
+ ]
+ }
+ ]
+ })
+}
+
diff --git a/infrastructure/kubernetes/modules/aws/s3/outputs.tf b/infrastructure/kubernetes/modules/aws/s3/outputs.tf
new file mode 100644
index 000000000..ebbae60d6
--- /dev/null
+++ b/infrastructure/kubernetes/modules/aws/s3/outputs.tf
@@ -0,0 +1,7 @@
+output "instance-bucket-arn" {
+ value = aws_s3_bucket.instance_bucket.arn
+}
+
+output "instance-bucket-name" {
+ value = aws_s3_bucket.instance_bucket.bucket
+}
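Review bot: The `AllowAllAuthenticatedUsersInAccount` statement in `aws_s3_bucket_policy.bucket_policy` does not do what its Sid says: granting `s3:*` to the account's `:root` principal only delegates authorization to IAM identity policies, which is already how same-account principals are evaluated, so the statement is effectively a no-op and the name will mislead the next reader into thinking every principal in the account can reach the bucket. If a bucket policy is wanted here, make it earn its keep — rename the Sid (e.g. `DelegateAccessToAccountIam`) and add a `Deny` on `aws:SecureTransport = false` so plaintext HTTP access is rejected, as sketched below, using `aws_s3_bucket.instance_bucket.arn` instead of hand-built `arn:aws:s3:::` strings. The policy resource also has no dependency on `aws_s3_bucket_public_access_block.block_public_access`; applying the two concurrently has been known to fail with `OperationAborted` on a fresh apply, which a `depends_on` avoids. Lastly, versioning is enabled with no `aws_s3_bucket_lifecycle_configuration`, so every overwritten or deleted object is kept forever — a cost rather than a security issue, but it should be a conscious choice recorded in a comment such as `# versioning: noncurrent versions are never expired — add a lifecycle rule once retention is agreed`.
```hcl
resource "aws_s3_bucket_policy" "bucket_policy" {
  bucket = aws_s3_bucket.instance_bucket.id

  # Same-account access is governed by IAM identity policies; the policy is
  # only applied after the public access block so the two never race.
  depends_on = [aws_s3_bucket_public_access_block.block_public_access]

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "DelegateAccessToAccountIam"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "s3:*"
        Resource  = [aws_s3_bucket.instance_bucket.arn, "${aws_s3_bucket.instance_bucket.arn}/*"]
      },
      {
        # Reject any request that is not made over TLS.
        Sid       = "DenyInsecureTransport"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource  = [aws_s3_bucket.instance_bucket.arn, "${aws_s3_bucket.instance_bucket.arn}/*"]
        Condition = { Bool = { "aws:SecureTransport" = "false" } }
      }
    ]
  })
}
```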
diff --git a/infrastructure/kubernetes/modules/aws/s3/variables.tf b/infrastructure/kubernetes/modules/aws/s3/variables.tf
new file mode 100644
index 000000000..e1774b889
--- /dev/null
+++ b/infrastructure/kubernetes/modules/aws/s3/variables.tf
@@ -0,0 +1,6 @@
+variable "bucket_name" {
+ description = "Name of the bucket"
+ type = string
+}
+
+
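Review bot: `bucket_name` is interpolated into a globally unique S3 name (`landgriffon-${var.bucket_name}-bucket` in the sibling main.tf of this patch) and reused as the `Environment` tag, but it has no validation, so an environment name with uppercase letters, underscores or more than 44 characters only fails at apply time with an S3 naming error after the rest of the plan has been computed. Add a `validation` block that enforces S3's lowercase character set and the remaining length budget (the fixed prefix and suffix already use 19 of the 63 allowed characters), as below. The description `"Name of the bucket"` is also inaccurate — the value is the instance/environment name, not the full bucket name — so I'd reword it to `"Instance/environment name; used as the middle segment of the bucket name and as the Environment tag"`.
```hcl
variable "bucket_name" {
  description = "Instance/environment name; used as the middle segment of the bucket name and as the Environment tag"
  type        = string

  validation {
    # S3 bucket names are global, lowercase, and at most 63 characters;
    # "landgriffon-" + "-bucket" consume 19 of them.
    condition     = can(regex("^[a-z0-9-]{1,44}$", var.bucket_name))
    error_message = "bucket_name must be 1-44 characters of lowercase letters, digits or hyphens."
  }
}
```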