Merge pull request #8 from chris-qa-org/add-s3-frontend-iam-user

Stretch96 · web-flow · commit fdef1c073d37 · 2022-03-13T20:31:47.000Z
Create S3 frontend IAM user
diff --git a/README.md b/README.md
@@ -23,6 +23,9 @@ Terraform module to host a static site generated by Publii
 
 | Name | Type |
 |------|------|
+| [aws_iam_policy.publii_s3_frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_user.publii_s3_frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
+| [aws_iam_user_policy_attachment.publii_s3_frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
 | [aws_kms_key.s3_bucket_frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_kms_key.s3_bucket_frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_s3_bucket.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
@@ -44,6 +47,7 @@ Terraform module to host a static site generated by Publii
 | [template_file.frontend_bucket_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 | [template_file.frontend_logging_bucket_enforce_tls_statement](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 | [template_file.frontend_logging_bucket_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
+| [template_file.publii_s3_frontend_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 
 ## Inputs
 
@@ -56,6 +60,7 @@ Terraform module to host a static site generated by Publii
 
 | Name | Description |
 |------|-------------|
+| <a name="output_iam_user_publii_s3_frontend"></a> [iam\_user\_publii\_s3\_frontend](#output\_iam\_user\_publii\_s3\_frontend) | IAM User attributes for Publii S3 bucket |
 | <a name="output_project_name"></a> [project\_name](#output\_project\_name) | Project name. Generated from the site\_url and project\_random\_id |
 | <a name="output_project_random_id"></a> [project\_random\_id](#output\_project\_random\_id) | The random ID generated to ensure unique resource names |
 | <a name="output_s3_bucket_frontend"></a> [s3\_bucket\_frontend](#output\_s3\_bucket\_frontend) | S3 bucket frontend attributes |
diff --git a/outputs.tf b/outputs.tf
@@ -12,3 +12,8 @@ output "s3_bucket_frontend" {
   description = "S3 bucket frontend attributes"
   value       = aws_s3_bucket.frontend
 }
+
+output "iam_user_publii_s3_frontend" {
+  description = "IAM User attributes for Publii S3 bucket"
+  value       = aws_iam_user.publii_s3_frontend
+}
diff --git a/policies/s3-rw.json.tpl b/policies/s3-rw.json.tpl
@@ -0,0 +1,28 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "s3:GetObject",
+        "s3:PutObject",
+        "s3:List*",
+        "s3:GetObjectVersion",
+        "s3:GetBucketVersioning"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "${bucket_arn}",
+        "${bucket_arn}/*"
+      ]
+    },
+    {
+      "Action": [
+        "kms:GenerateDataKey"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "${kms_key_arn}"
+      ]
+    }
+  ]
+}
diff --git a/s3-frontend.tf b/s3-frontend.tf
@@ -3,6 +3,29 @@ resource "aws_s3_bucket" "frontend" {
   force_destroy = false
 }
 
+resource "aws_iam_user" "publii_s3_frontend" {
+  name = "publii-s3-${local.project_name}"
+}
+
+data "template_file" "publii_s3_frontend_policy" {
+  template = file("${path.module}/policies/s3-rw.json.tpl")
+
+  vars = {
+    bucket_arn  = aws_s3_bucket.frontend.arn
+    kms_key_arn = aws_kms_key.s3_bucket_frontend.arn
+  }
+}
+
+resource "aws_iam_policy" "publii_s3_frontend" {
+  name   = "publii-s3-frontend-${local.project_name}"
+  policy = data.template_file.publii_s3_frontend_policy.rendered
+}
+
+resource "aws_iam_user_policy_attachment" "publii_s3_frontend" {
+  user       = aws_iam_user.publii_s3_frontend.name
+  policy_arn = aws_iam_policy.publii_s3_frontend.arn
+}
+
 resource "aws_s3_bucket_versioning" "frontend" {
   bucket = aws_s3_bucket.frontend.id
   versioning_configuration {

Original file line number	Diff line number	Diff line change
`@@ -12,3 +12,8 @@ output "s3_bucket_frontend" {`
`12`	`12`	`description = "S3 bucket frontend attributes"`
`13`	`13`	`value = aws_s3_bucket.frontend`
`14`	`14`	`}`
	`15`	`+`
	`16`	`+output "iam_user_publii_s3_frontend" {`
	`17`	`+ description = "IAM User attributes for Publii S3 bucket"`
	`18`	`+ value = aws_iam_user.publii_s3_frontend`
	`19`	`+}`