Create S3 frontend IAM user

* Creates an IAM user with the required permissions for Publii

Author: Stretch96

outputs.tf

@@ -12,3 +12,8 @@ output "s3_bucket_frontend" {
   description = "S3 bucket frontend attributes"
   value       = aws_s3_bucket.frontend
 }
+
+output "iam_user_publii_s3_frontend" {
+  description = "IAM User attributes for Publii S3 bucket"
+  value       = aws_iam_user.publii_s3_frontend
+}

policies/s3-rw.json.tpl

@@ -0,0 +1,28 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "s3:GetObject",
+        "s3:PutObject",
+        "s3:List*",
+        "s3:GetObjectVersion",
+        "s3:GetBucketVersioning"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "${bucket_arn}",
+        "${bucket_arn}/*"
+      ]
+    },
+    {
+      "Action": [
+        "kms:GenerateDataKey"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "${kms_key_arn}"
+      ]
+    }
+  ]
+}

s3-frontend.tf

@@ -3,6 +3,29 @@ resource "aws_s3_bucket" "frontend" {
   force_destroy = false
 }
 
+resource "aws_iam_user" "publii_s3_frontend" {
+  name = "publii-s3-${local.project_name}"
+}
+
+data "template_file" "publii_s3_frontend_policy" {
+  template = file("${path.module}/policies/s3-rw.json.tpl")
+
+  vars = {
+    bucket_arn  = aws_s3_bucket.frontend.arn
+    kms_key_arn = aws_kms_key.s3_bucket_frontend.arn
+  }
+}
+
+resource "aws_iam_policy" "publii_s3_frontend" {
+  name   = "publii-s3-frontend-${local.project_name}"
+  policy = data.template_file.publii_s3_frontend_policy.rendered
+}
+
+resource "aws_iam_user_policy_attachment" "publii_s3_frontend" {
+  user       = aws_iam_user.publii_s3_frontend.name
+  policy_arn = aws_iam_policy.publii_s3_frontend.arn
+}
+
 resource "aws_s3_bucket_versioning" "frontend" {
   bucket = aws_s3_bucket.frontend.id
   versioning_configuration {