Created
November 17, 2017 10:46
Poor man's append-only bucket with terraform - versioned S3 bucket without delete access
##
# Name of the bucket to create; the IAM user name is derived from it as well.
##
variable "aws_bucket_name" {
  description = "Name of the versioned upload bucket (also prefixes the IAM user name)"
}
##
# Aliased provider pinned to eu-west-1. The bucket resource selects it via
# provider = "aws.west"; the IAM resources below use the default provider.
##
provider "aws" {
  region = "eu-west-1"
  alias  = "west"
}
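##
# Creates the versioned bucket
##
# Versioning keeps every overwritten object as a noncurrent version, and the
# lifecycle rule only transitions those versions to GLACIER (there is no
# noncurrent_version_expiration), so data written through the append-only
# user is never removed by this configuration. MFA delete is not enabled and
# no bucket policy is attached, so any other principal with delete-version
# rights on the bucket can still remove data.
resource "aws_s3_bucket" "uploads" {
  provider = "aws.west"
  bucket   = "${var.aws_bucket_name}"
  acl      = "private"

  # No `region` argument here: the aliased provider already pins eu-west-1,
  # and the argument was dropped from this resource in later (3.x+) releases
  # of the AWS provider, where it would fail validation.

  versioning {
    enabled = true
  }

  lifecycle_rule {
    prefix  = ""
    enabled = true

    # Move the overwritten copies into glacier after 1 year
    noncurrent_version_transition {
      days          = 365
      storage_class = "GLACIER"
    }
  }
}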
##
# Creates the User, Access Key and User Policy
##
# Dedicated IAM user that only ever receives the append-only policy below;
# its name is derived from the bucket name.
resource "aws_iam_user" "uploads_user" {
  name = "${var.aws_bucket_name}-user"
}
# Long-lived access key for the upload user. Terraform records the secret in
# its state and this file exposes it through an output, so the state backend
# has to be protected like any other credential store.
resource "aws_iam_access_key" "uploads_user" {
  user = "${aws_iam_user.uploads_user.name}"
}
##
# Append-only policy for the upload user
##
# Only read, list and put actions are granted: no s3:DeleteObject*,
# no lifecycle or versioning changes. Combined with bucket versioning this is
# what makes the bucket append-only for this key - overwrites create a new
# version instead of replacing data.
#
# NOTE(review): s3:PutObjectAcl lets the key holder change the ACL of objects
# it uploads (e.g. to a public-read canned ACL); drop it unless uploaders need
# to set ACLs.
# NOTE(review): the bucket-level actions in the first statement (GetBucketAcl,
# GetBucketLocation, GetBucketPolicy, ListBucket, ListBucketMultipartUploads)
# are granted on the "/*" object ARN, where they appear to have no effect; only
# the second statement's ListBucket on the bucket ARN itself is effective.
# Verify against the S3 action/resource table before relying on them.
resource "aws_iam_user_policy" "without_delete_s3_policy" {
  user = "${aws_iam_user.uploads_user.name}"
  name = "Append-Only-S3"

  # The heredoc is a JSON string: HCL comments cannot go inside it.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1392016154000",
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::${aws_s3_bucket.uploads.bucket}/*"
      ]
    },
    {
      "Sid": "AllowRootAndHomeListingOfBucket",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::${aws_s3_bucket.uploads.bucket}"],
      "Condition": {"StringLike": {"s3:prefix": ["*"]}}
    }
  ]
}
EOF
}
# Outputs: the bucket name and the credentials of the upload user.
# Name of the bucket that was created (echoes the input variable).
output "s3-bucket-name-main" {
  value = "${var.aws_bucket_name}"
}
# Access key id of the upload user; pairs with the s3-user-secret-key output.
output "s3-user-access-key" {
  value = "${aws_iam_access_key.uploads_user.id}"
}
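# Secret half of the upload user's key. Marked sensitive so Terraform does not
# echo it in apply output; it is still stored in plaintext in the state file,
# so treat the state as a credential store.
output "s3-user-secret-key" {
  value     = "${aws_iam_access_key.uploads_user.secret}"
  sensitive = true
}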