From 86c5a94d82ca79505b547616acc8892ce24849d6 Mon Sep 17 00:00:00 2001
From: jakemulley
Date: Wed, 30 Aug 2023 17:59:03 +0100
Subject: [PATCH] Remove access keys
---
 README.md | 10 ++------
 examples/s3.tf | 6 ++---
 main.tf | 70 --------------------------------------------------
 outputs.tf | 12 ---------
 variables.tf | 6 -----
 5 files changed, 4 insertions(+), 100 deletions(-)
diff --git a/README.md b/README.md
index 02fe0e0..8b36b25 100644
--- a/README.md
+++ b/README.md
@@ -26,6 +26,8 @@ module "s3" {
 ### Migrate from existing buckets
+
+
 The `user_policy` input is useful when migrating data from existing bucket(s). For commands like `s3 ls` or `s3 sync` to work across accounts, a policy granting access must be set in 2 places: the *source bucket* and the *destination user*
@@ -233,17 +235,12 @@ No modules.
 | Name | Type |
 |------|------|
-| [aws_iam_access_key.user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
 | [aws_iam_policy.irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_user.user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
-| [aws_iam_user_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
 | [aws_s3_bucket.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_public_access_block.block_public_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [random_id.id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
 | [aws_iam_policy_document.irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [template_file.bucket_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
-| [template_file.user_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 ## Inputs
@@ -265,19 +262,16 @@ No modules.
 | [logging\_enabled](#input\_logging\_enabled) | Set the logging for bucket | `bool` | `false` | no |
 | [namespace](#input\_namespace) | Namespace name | `string` | n/a | yes |
 | [team\_name](#input\_team\_name) | Team name | `string` | n/a | yes |
-| [user\_policy](#input\_user\_policy) | The IAM policy to assign to the generated user. If empty, the default policy is used | `string` | `""` | no |
 | [versioning](#input\_versioning) | Enable object versioning for the bucket | `bool` | `false` | no |
 ## Outputs
 | Name | Description |
 |------|-------------|
-| [access\_key\_id](#output\_access\_key\_id) | Access key id for s3 account |
 | [bucket\_arn](#output\_bucket\_arn) | S3 bucket ARN |
 | [bucket\_domain\_name](#output\_bucket\_domain\_name) | Regional bucket domain name |
 | [bucket\_name](#output\_bucket\_name) | S3 bucket name |
 | [irsa\_policy\_arn](#output\_irsa\_policy\_arn) | IAM policy ARN for access to the S3 bucket |
-| [secret\_access\_key](#output\_secret\_access\_key) | Secret key for s3 account |
 ## Tags
diff --git a/examples/s3.tf b/examples/s3.tf
index 5ad0576..17fc2d0 100644
--- a/examples/s3.tf
+++ b/examples/s3.tf
@@ -184,9 +184,7 @@ resource "kubernetes_secret" "s3_bucket" {
 }
 data = {
- access_key_id = module.s3_bucket.access_key_id
- secret_access_key = module.s3_bucket.secret_access_key
- bucket_arn = module.s3_bucket.bucket_arn
- bucket_name = module.s3_bucket.bucket_name
+ bucket_arn = module.s3_bucket.bucket_arn
+ bucket_name = module.s3_bucket.bucket_name
 }
 }
diff --git a/main.tf b/main.tf
index dde5a5f..7019dec 100644
--- a/main.tf
+++ b/main.tf
@@ -37,15 +37,6 @@ data "template_file" "bucket_policy" {
 }
 }
-# TODO: the `template` provider has been deprecated, these need to be removed in a future release.
-data "template_file" "user_policy" {
- template = var.user_policy
- vars = {
- bucket_arn = "arn:aws:s3:::${local.bucket_name}"
- }
- }
-
 #################
 # Create bucket #
 #################
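Review bot: After this hunk the `kubernetes_secret` carries only `bucket_arn` and `bucket_name`, neither of which is secret, and nothing left in the example on this page references `module.s3_bucket.irsa_policy_arn`, so a reader upgrading from the key-based flow is shown no replacement way for a workload to reach the bucket. The enclosing `kubernetes_secret` resource starts outside the hunk. I would add a comment above `data = {` such as `# The module no longer emits access keys; grant S3 access by attaching module.s3_bucket.irsa_policy_arn to the workload's IAM role (IRSA) instead.`, and reconsider whether these two non-sensitive values still belong in a Secret rather than a ConfigMap. As far as I can tell, dropping `aws_iam_user` and `aws_iam_access_key` from the module (the main.tf hunk) deletes the key on the next apply, while the README's "Migrate from existing buckets" section still describes the removed `user_policy` input, so the README should also state that consumers must move to IRSA before taking this version.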
@@ -166,67 +157,6 @@ resource "aws_s3_bucket_public_access_block" "block_public_access" {
 restrict_public_buckets = true
 }
-# Legacy long-lived credentials
-resource "aws_iam_user" "user" {
- name = "s3-bucket-user-${random_id.id.hex}"
- path = "/system/s3-bucket-user/"
-}
-
-resource "aws_iam_access_key" "user" {
- user = aws_iam_user.user.name
-}
-
-data "aws_iam_policy_document" "policy" {
- statement {
- actions = [
- "s3:GetBucketLocation",
- "s3:GetBucketPolicy",
- "s3:ListBucket",
- "s3:ListBucketMultipartUploads",
- "s3:ListBucketVersions",
- ]
- resources = [
- local.s3_bucket_arn,
- ]
- }
- statement {
- actions = [
- "s3:AbortMultipartUpload",
- "s3:DeleteObject",
- "s3:DeleteObjectTagging",
- "s3:DeleteObjectVersion",
- "s3:DeleteObjectVersionTagging",
- "s3:GetObject",
- "s3:GetObjectAcl",
- "s3:GetObjectTagging",
- "s3:GetObjectTorrent",
- "s3:GetObjectVersion",
- "s3:GetObjectVersionAcl",
- "s3:GetObjectVersionTagging",
- "s3:GetObjectVersionTorrent",
- "s3:ListMultipartUploadParts",
- "s3:PutObject",
- "s3:PutObjectAcl",
- "s3:PutObjectTagging",
- "s3:PutObjectVersionAcl",
- "s3:PutObjectVersionTagging",
- "s3:RestoreObject",
- ]
- resources = [
- "${local.s3_bucket_arn}/*",
- ]
- }
-}
-
-resource "aws_iam_user_policy" "policy" {
- name = "s3-bucket-read-write"
- policy = data.template_file.user_policy.rendered == "" ? data.aws_iam_policy_document.policy.json : data.template_file.user_policy.rendered
- user = aws_iam_user.user.name
-}
-
 ##############################
 # Create IAM role for access #
 ##############################
diff --git a/outputs.tf b/outputs.tf
index e423368..200c562 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,15 +1,3 @@
-output "access_key_id" {
- description = "Access key id for s3 account"
- value = aws_iam_access_key.user.id
- sensitive = true
-}
-
-output "secret_access_key" {
- description = "Secret key for s3 account"
- value = aws_iam_access_key.user.secret
- sensitive = true
-}
-
 output "bucket_arn" {
 description = "S3 bucket ARN"
 value = aws_s3_bucket.bucket.arn
diff --git a/variables.tf b/variables.tf
index 87fe759..ea5f4c9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -13,12 +13,6 @@ variable "bucket_policy" {
 type = string
 }
-variable "user_policy" {
- description = "The IAM policy to assign to the generated user. If empty, the default policy is used"
- default = ""
- type = string
-}
-
 variable "versioning" {
 description = "Enable object versioning for the bucket"
 default = false