From 88b7e8cd19d73d52ed53cc4acb7e26a44ab753f7 Mon Sep 17 00:00:00 2001
From: jakemulley
Date: Tue, 2 May 2023 22:01:12 +0100
Subject: [PATCH 1/2] Create policy and output ARN for IRSA
---
 main.tf | 79 +++++++++++++++++++++++++++++++++++++++++++++++++-----
 outputs.tf | 3 +++
 2 files changed, 75 insertions(+), 7 deletions(-)
diff --git a/main.tf b/main.tf
index 79a80e4..fa629a5 100644
--- a/main.tf
+++ b/main.tf
@@ -21,6 +21,16 @@ data "template_file" "user_policy" {
 locals {
 bucket_name = var.bucket_name == "" ? "cloud-platform-${random_id.id.hex}" : var.bucket_name
 s3_bucket_arn = "arn:aws:s3:::${aws_s3_bucket.bucket.id}"
+
+ default_tags = {
+ namespace = var.namespace
+ business-unit = var.business-unit
+ application = var.application
+ is-production = var.is-production
+ environment-name = var.environment-name
+ owner = var.team_name
+ infrastructure-support = var.infrastructure-support
+ }
 }
 resource "aws_s3_bucket" "bucket" {
@@ -125,6 +135,17 @@ resource "aws_s3_bucket" "bucket" {
 }
 }
+resource "aws_s3_bucket_public_access_block" "block_public_access" {
+ count = var.enable_allow_block_pub_access ? 1 : 0
+ bucket = aws_s3_bucket.bucket.id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
+# Legacy long-lived credentials
 resource "aws_iam_user" "user" {
 name = "s3-bucket-user-${random_id.id.hex}"
 path = "/system/s3-bucket-user/"
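Review bot: The `# Legacy long-lived credentials` comment added above `resource "aws_iam_user" "user"` labels the access-key path as legacy but says nothing about what a consumer should use instead or whether the user keeps being created next to the new IRSA policy; no `count` or `for_each` is visible on the resource in this hunk, and its body continues past the end of the hunk. Suggest expanding it to `# Legacy long-lived credentials: still created by this module; new consumers should attach the IRSA policy (output irsa_policy_arn) to their service-account role instead.` The relocated `aws_s3_bucket_public_access_block` is still gated on `var.enable_allow_block_pub_access` (its default is outside the hunk), and the IRSA policy added later in this patch grants object-ACL actions, so a one-line comment on the `count` line such as `# When disabled, nothing stops object ACLs granted elsewhere in this module from exposing objects` would make that coupling visible to reviewers.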
@@ -185,12 +206,56 @@ resource "aws_iam_user_policy" "policy" {
 user = aws_iam_user.user.name
 }
-resource "aws_s3_bucket_public_access_block" "block_public_access" {
- count = var.enable_allow_block_pub_access ? 1 : 0
- bucket = aws_s3_bucket.bucket.id
+# Short-lived credentials (IRSA)
+data "aws_iam_policy_document" "irsa" {
+ version = "2012-10-17"
+ statement {
+ sid = "AllowBucketActions"
+ effect = "Allow"
+ actions = [
+ "s3:GetBucketLocation",
+ "s3:GetBucketPolicy",
+ "s3:ListBucket",
+ "s3:ListBucketMultipartUploads",
+ "s3:ListBucketVersions",
+ ]
+ resources = [local.s3_bucket_arn] # todo: fix
+ }
- block_public_acls = true
- block_public_policy = true
- ignore_public_acls = true
- restrict_public_buckets = true
+ statement {
+ sid = "AllowObjectActions"
+ effect = "Allow"
+ actions = [
+ "s3:AbortMultipartUpload",
+ "s3:DeleteObject",
+ "s3:DeleteObjectTagging",
+ "s3:DeleteObjectVersion",
+ "s3:DeleteObjectVersionTagging",
+ "s3:GetObject",
+ "s3:GetObjectAcl",
+ "s3:GetObjectTagging",
+ "s3:GetObjectTorrent",
+ "s3:GetObjectVersion",
+ "s3:GetObjectVersionAcl",
+ "s3:GetObjectVersionTagging",
+ "s3:GetObjectVersionTorrent",
+ "s3:ListMultipartUploadParts",
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:PutObjectTagging",
+ "s3:PutObjectVersionAcl",
+ "s3:PutObjectVersionTagging",
+ "s3:RestoreObject",
+ ]
+ resources = [
+ "${local.s3_bucket_arn}/*"
+ ]
+ }
+}
+
+resource "aws_iam_policy" "irsa" {
+ name = "cloud-platform-s3-${random_id.id.hex}"
+ path = "/cloud-platform/s3/"
+ policy = data.aws_iam_policy_document.irsa.json
+ tags = local.default_tags
 }
diff --git a/outputs.tf b/outputs.tf
index 73bf2db..46e7f6f 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -20,3 +20,6 @@ output "bucket_name" {
 value = aws_s3_bucket.bucket.id
 }
+output "irsa_policy_arn" {
+ value = aws_iam_policy.irsa.arn
+}
From 66f2581dcda385b3637f3b7125b6fa9223dd18b5 Mon Sep 17 00:00:00 2001
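Review bot: The `AllowObjectActions` statement grants `s3:PutObjectAcl` and `s3:PutObjectVersionAcl` on `${local.s3_bucket_arn}/*`, which lets whatever assumes the IRSA role rewrite per-object ACLs; because `aws_s3_bucket_public_access_block` in this module is only created when `var.enable_allow_block_pub_access` is true, a consumer that leaves it off (on a bucket where ACLs are still enabled, which this patch does not show) could make individual objects publicly readable with those two actions alone. Unless object ACLs are a known requirement, remove those two lines, or at least document the dependency with `# ACL actions are only safe while block_public_access is enabled`. `resources = [local.s3_bucket_arn] # todo: fix` in `AllowBucketActions` ships an unexplained TODO — either say what is wrong (presumably the intent is to reference `aws_s3_bucket.bucket.arn` directly rather than the string-built local; confirm) or resolve it before merge. `s3:DeleteObjectVersion` additionally allows permanent removal of object versions, which undoes versioning as a recovery safeguard; consider making that action opt-in via a variable rather than granting it by default.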
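Review bot: `output "irsa_policy_arn"` has no `description`, which is why the generated README in the follow-up patch lists it as `n/a` while the neighbouring outputs are described. Add one, e.g. `description = "ARN of the IAM policy carrying this bucket's S3 permissions; attach it to the IRSA role of the consuming service account"`. Nothing in the patch attaches the policy to a role, so the description should also make clear that attachment is the consumer's responsibility.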
From: "github-actions[bot]"
Date: Wed, 3 May 2023 15:36:47 +0000
Subject: [PATCH 2/2] terraform-docs: automated action
---
 README.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/README.md b/README.md
index 5d866f5..d9478db 100644
--- a/README.md
+++ b/README.md
@@ -92,11 +92,13 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_iam_access_key.user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
+| [aws_iam_policy.irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_user.user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
 | [aws_iam_user_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
 | [aws_s3_bucket.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_public_access_block.block_public_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [random_id.id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [aws_iam_policy_document.irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [template_file.bucket_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 | [template_file.user_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
@@ -131,6 +133,7 @@ No modules.
 | [access\_key\_id](#output\_access\_key\_id) | Access key id for s3 account |
 | [bucket\_arn](#output\_bucket\_arn) | Arn for s3 bucket created |
 | [bucket\_name](#output\_bucket\_name) | bucket name |
+| [irsa\_policy\_arn](#output\_irsa\_policy\_arn) | n/a |
 | [secret\_access\_key](#output\_secret\_access\_key) | Secret key for s3 account |