diff --git a/main.tf b/main.tf
index 79a80e4..fa629a5 100644
--- a/main.tf
+++ b/main.tf
@@ -21,6 +21,16 @@ data "template_file" "user_policy" {
 locals {
 bucket_name = var.bucket_name == "" ? "cloud-platform-${random_id.id.hex}" : var.bucket_name
 s3_bucket_arn = "arn:aws:s3:::${aws_s3_bucket.bucket.id}"
+
+ default_tags = {
+ namespace = var.namespace
+ business-unit = var.business-unit
+ application = var.application
+ is-production = var.is-production
+ environment-name = var.environment-name
+ owner = var.team_name
+ infrastructure-support = var.infrastructure-support
+ }
 }
 
 resource "aws_s3_bucket" "bucket" {
@@ -125,6 +135,17 @@ resource "aws_s3_bucket" "bucket" {
 }
 }
 
+resource "aws_s3_bucket_public_access_block" "block_public_access" {
+ count = var.enable_allow_block_pub_access ? 1 : 0
+ bucket = aws_s3_bucket.bucket.id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
+# Legacy long-lived credentials
 resource "aws_iam_user" "user" {
 name = "s3-bucket-user-${random_id.id.hex}"
 path = "/system/s3-bucket-user/"
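Review bot: `local.default_tags` is consumed only by `aws_iam_policy.irsa` in this diff; `aws_s3_bucket.bucket`, `aws_iam_user.user` and the public access block are not tagged from it, so the ownership and support metadata it carries is missing from the resources it is meant to describe (the rest of main.tf is not visible, so some may already be tagged another way). Consider adding `tags = local.default_tags` to the bucket and IAM user, or moving the map to a provider-level `default_tags` block; naming a local `default_tags` also invites confusion with that provider block. The `locals` block is fully inside the hunk, but the variables it references (`var.business-unit`, `var.infrastructure-support`, etc.) are declared elsewhere and are not part of this change, so confirm they exist in variables.tf.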
@@ -185,12 +206,56 @@ resource "aws_iam_user_policy" "policy" {
 user = aws_iam_user.user.name
 }
 
-resource "aws_s3_bucket_public_access_block" "block_public_access" {
- count = var.enable_allow_block_pub_access ? 1 : 0
- bucket = aws_s3_bucket.bucket.id
+# Short-lived credentials (IRSA)
+data "aws_iam_policy_document" "irsa" {
+ version = "2012-10-17"
+ statement {
+ sid = "AllowBucketActions"
+ effect = "Allow"
+ actions = [
+ "s3:GetBucketLocation",
+ "s3:GetBucketPolicy",
+ "s3:ListBucket",
+ "s3:ListBucketMultipartUploads",
+ "s3:ListBucketVersions",
+ ]
+ resources = [local.s3_bucket_arn] # todo: fix
+ }
 
- block_public_acls = true
- block_public_policy = true
- ignore_public_acls = true
- restrict_public_buckets = true
+ statement {
+ sid = "AllowObjectActions"
+ effect = "Allow"
+ actions = [
+ "s3:AbortMultipartUpload",
+ "s3:DeleteObject",
+ "s3:DeleteObjectTagging",
+ "s3:DeleteObjectVersion",
+ "s3:DeleteObjectVersionTagging",
+ "s3:GetObject",
+ "s3:GetObjectAcl",
+ "s3:GetObjectTagging",
+ "s3:GetObjectTorrent",
+ "s3:GetObjectVersion",
+ "s3:GetObjectVersionAcl",
+ "s3:GetObjectVersionTagging",
+ "s3:GetObjectVersionTorrent",
+ "s3:ListMultipartUploadParts",
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:PutObjectTagging",
+ "s3:PutObjectVersionAcl",
+ "s3:PutObjectVersionTagging",
+ "s3:RestoreObject",
+ ]
+ resources = [
+ "${local.s3_bucket_arn}/*"
+ ]
+ }
+}
+
+resource "aws_iam_policy" "irsa" {
+ name = "cloud-platform-s3-${random_id.id.hex}"
+ path = "/cloud-platform/s3/"
+ policy = data.aws_iam_policy_document.irsa.json
+ tags = local.default_tags
 }
diff --git a/outputs.tf b/outputs.tf
index 73bf2db..46e7f6f 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -20,3 +20,6 @@ output "bucket_name" {
 value = aws_s3_bucket.bucket.id
 }
 
+output "irsa_policy_arn" {
+ value = aws_iam_policy.irsa.arn
+}
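Review bot: `resources = [local.s3_bucket_arn] # todo: fix` ships an unresolved todo on the AllowBucketActions statement; the bucket ARN is the right resource for those bucket-level actions, so either drop the marker or say what is actually pending, e.g. `resources = [local.s3_bucket_arn] # bucket-level actions target the bucket ARN, not the object wildcard`. The AllowObjectActions statement also grants `s3:PutObjectAcl` and `s3:PutObjectVersionAcl`, which let the workload rewrite object ACLs; because `aws_s3_bucket_public_access_block` is only created when `var.enable_allow_block_pub_access` is set, a workload holding this policy can make objects public on a bucket where the block is off. Unless a consumer is known to need ACL writes, remove those two actions (and the deprecated `s3:GetObjectTorrent` / `s3:GetObjectVersionTorrent`), which keeps the IRSA policy narrower than the legacy user policy it mirrors. A one-line comment above `data "aws_iam_policy_document" "irsa"` stating that the policy is meant to be attached to the workload's IRSA role, and that it deliberately omits bucket-policy and ACL mutation, would document the intended scope.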
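Review bot: `output "irsa_policy_arn"` has no `description`, so a module consumer has to read main.tf to learn what the ARN is for; add `description = "ARN of the IAM policy granting access to this bucket; attach it to the workload's IRSA role"` inside the output block. The neighbouring `bucket_name` output is only partly visible, so match whichever description style the rest of outputs.tf uses.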