

Merge pull request #70 from ministryofjustice/irsa
Create policy and output ARN for IRSA
jakemulley authored May 3, 2023
2 parents e8067ac + 66f2581 commit 28756d6
Showing 3 changed files with 78 additions and 7 deletions.
3 changes: 3 additions & 0 deletions README.md
Expand Up @@ -92,11 +92,13 @@ No modules.
| Name | Type |
|------|------|
| [aws_iam_access_key.user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_policy.irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_user.user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
| [aws_s3_bucket.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket_public_access_block.block_public_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
| [random_id.id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
| [aws_iam_policy_document.irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [template_file.bucket_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
| [template_file.user_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
Expand Down Expand Up @@ -131,6 +133,7 @@ No modules.
| <a name="output_access_key_id"></a> [access\_key\_id](#output\_access\_key\_id) | Access key id for s3 account |
| <a name="output_bucket_arn"></a> [bucket\_arn](#output\_bucket\_arn) | Arn for s3 bucket created |
| <a name="output_bucket_name"></a> [bucket\_name](#output\_bucket\_name) | bucket name |
| <a name="output_irsa_policy_arn"></a> [irsa\_policy\_arn](#output\_irsa\_policy\_arn) | n/a |
| <a name="output_secret_access_key"></a> [secret\_access\_key](#output\_secret\_access\_key) | Secret key for s3 account |
<!-- END_TF_DOCS -->

79 changes: 72 additions & 7 deletions main.tf
Expand Up @@ -21,6 +21,16 @@ data "template_file" "user_policy" {
locals {
bucket_name = var.bucket_name == "" ? "cloud-platform-${random_id.id.hex}" : var.bucket_name
s3_bucket_arn = "arn:aws:s3:::${aws_s3_bucket.bucket.id}"

default_tags = {
namespace = var.namespace
business-unit = var.business-unit
application = var.application
is-production = var.is-production
environment-name = var.environment-name
owner = var.team_name
infrastructure-support = var.infrastructure-support
}
}

resource "aws_s3_bucket" "bucket" {
Expand Down Expand Up @@ -125,6 +135,17 @@ resource "aws_s3_bucket" "bucket" {
}
}

resource "aws_s3_bucket_public_access_block" "block_public_access" {
count = var.enable_allow_block_pub_access ? 1 : 0
bucket = aws_s3_bucket.bucket.id

block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}

# Legacy long-lived credentials
resource "aws_iam_user" "user" {
name = "s3-bucket-user-${random_id.id.hex}"
path = "/system/s3-bucket-user/"
Expand Down Expand Up @@ -185,12 +206,56 @@ resource "aws_iam_user_policy" "policy" {
user = aws_iam_user.user.name
}

resource "aws_s3_bucket_public_access_block" "block_public_access" {
count = var.enable_allow_block_pub_access ? 1 : 0
bucket = aws_s3_bucket.bucket.id
# Short-lived credentials (IRSA)
data "aws_iam_policy_document" "irsa" {
version = "2012-10-17"
statement {
sid = "AllowBucketActions"
effect = "Allow"
actions = [
"s3:GetBucketLocation",
"s3:GetBucketPolicy",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions",
]
resources = [local.s3_bucket_arn] # todo: fix
}

block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
statement {
sid = "AllowObjectActions"
effect = "Allow"
actions = [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:DeleteObjectTagging",
"s3:DeleteObjectVersion",
"s3:DeleteObjectVersionTagging",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectTagging",
"s3:GetObjectTorrent",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionTagging",
"s3:GetObjectVersionTorrent",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectTagging",
"s3:PutObjectVersionAcl",
"s3:PutObjectVersionTagging",
"s3:RestoreObject",
]
resources = [
"${local.s3_bucket_arn}/*"
]
}
}

resource "aws_iam_policy" "irsa" {
name = "cloud-platform-s3-${random_id.id.hex}"
path = "/cloud-platform/s3/"
policy = data.aws_iam_policy_document.irsa.json
tags = local.default_tags
}
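Review bot: The bucket-level statement in `data "aws_iam_policy_document" "irsa"` is merged with an unresolved `# todo: fix` on `resources = [local.s3_bucket_arn]`, so a reader cannot tell whether the ARN is wrong or the comment is stale; either resolve it with `resources = [aws_s3_bucket.bucket.arn]` (which also avoids the hard-coded `aws` partition in the local) or drop the comment. The object statement grants `s3:PutObjectAcl` and `s3:PutObjectVersionAcl`, which let any workload assuming a role with this policy widen object ACLs, and the `aws_s3_bucket_public_access_block` in the earlier hunk is only created when `var.enable_allow_block_pub_access` is true, so with it disabled those actions can make objects publicly readable. If IRSA consumers do not need to write ACLs, consider dropping those two actions along with the legacy `s3:GetObjectTorrent` / `s3:GetObjectVersionTorrent`, and give `aws_iam_policy.irsa` a `description` such as `description = "Bucket access for IRSA roles (cloud-platform s3 module)"` so its purpose is visible in the console.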
3 changes: 3 additions & 0 deletions outputs.tf
Expand Up @@ -20,3 +20,6 @@ output "bucket_name" {
value = aws_s3_bucket.bucket.id
}

output "irsa_policy_arn" {
value = aws_iam_policy.irsa.arn
}
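Review bot: `output "irsa_policy_arn"` has no `description`, which is why the generated README row for it reads `n/a` while the neighbouring outputs carry one; add `description = "ARN of the IAM policy to attach to an IRSA role for this bucket"` so the docs table and `terraform output` consumers see its purpose. This keeps the module's outputs consistent with `bucket_arn` and `bucket_name`, which are documented.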

