-
-
Notifications
You must be signed in to change notification settings - Fork 199
Expand file tree
/
Copy pathmain.tf
More file actions
118 lines (102 loc) · 2.86 KB
/
main.tf
File metadata and controls
118 lines (102 loc) · 2.86 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
provider "aws" {
region = "eu-north-1"
}
# Create the IAM user who will assume the basic role
resource "aws_iam_user" "basic_user" {
name = "basic-user"
}
# Basic Role - trust the specific IAM user to assume this role
resource "aws_iam_role" "basic_role" {
name = "terraform-basic-role"
assume_role_policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Effect = "Allow",
Principal = {
AWS = aws_iam_user.basic_user.arn # <--- Trust this IAM user
},
Action = "sts:AssumeRole"
}
]
})
}
# Policy allowing the basic role to assume the admin role
resource "aws_iam_policy" "assume_admin_policy" {
name = "AssumeTerraformAdminRole"
policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Effect = "Allow",
Action = "sts:AssumeRole",
Resource = aws_iam_role.admin_role.arn
}
]
})
}
# Attach the assume admin role policy to the basic role
resource "aws_iam_role_policy_attachment" "basic_assume_admin_attach" {
role = aws_iam_role.basic_role.name
policy_arn = aws_iam_policy.assume_admin_policy.arn
}
# Admin role (trusts the basic role)
resource "aws_iam_role" "admin_role" {
name = "terraform-admin-role"
assume_role_policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Effect = "Allow",
Principal = {
AWS = aws_iam_role.basic_role.arn
},
Action = "sts:AssumeRole"
}
]
})
}
resource "aws_iam_role_policy_attachment" "admin_attach" {
role = aws_iam_role.admin_role.name
policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
# 1. S3 Bucket (private by default)
resource "aws_s3_bucket" "auth_bucket" {
bucket = "codebar-planner-auth-bucket"
}
# 2. IAM User for Heroku app
resource "aws_iam_user" "heroku_role" {
name = "heroku-s3-access"
}
# 3. IAM Policy: Read-only access to just this bucket
resource "aws_iam_policy" "read_write_policy" {
name = "HerokuS3ReadWrite"
policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Effect = "Allow",
Action = [
"s3:ListBucket", # List files in bucket
"s3:GetObject", # Read/download files
"s3:PutObject", # Upload files
"s3:DeleteObject", # Optional: allow deleting files
"s3:ListAllMyBuckets" # enable user to list all buckets
],
Resource = [
aws_s3_bucket.auth_bucket.arn,
"${aws_s3_bucket.auth_bucket.arn}/*"
]
}
]
})
}
# 4. Attach the policy to the user
resource "aws_iam_user_policy_attachment" "attach_policy" {
user = aws_iam_user.heroku_role.name
policy_arn = aws_iam_policy.read_write_policy.arn
}
# 5. Create access keys for the user
resource "aws_iam_access_key" "heroku_user_keys" {
user = aws_iam_user.heroku_role.name
}