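# Input variables for this Terraform run.
# Credentials come from variables (a -var flag or an uncommitted .tfvars file)
# so that no key material lives in this file.
variable "aws_access_key" {
  description = "AWS access key ID used by every provider block below"
}

variable "aws_access_secret_key" {
  description = "AWS secret access key paired with aws_access_key"
}

variable "aws_bucket_name" {
  description = "Name of the main uploads bucket; the replica is named <name>-replica-1"
}

variable "aws_region_main" {
  description = "Region of the main uploads bucket"
  default     = "eu-west-1"
}

variable "aws_region_replica" {
  description = "Region of the replication (backup) bucket"
  default     = "eu-central-1"
}
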
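# Default provider, used by the IAM resources below (they set no provider).
# The original block had no region, which the AWS provider needs even for
# global IAM calls, so it now follows the main region.
provider "aws" {
  access_key = "${var.aws_access_key}"
  secret_key = "${var.aws_access_secret_key}"
  region     = "${var.aws_region_main}"
}

# Per-region aliases for the two buckets. Aliased providers do not inherit
# credentials from the default block, so the keys are passed explicitly, and
# the regions come from the same variables the buckets use so that overriding
# a region variable cannot leave the bucket and its provider out of sync.
provider "aws" {
  alias      = "west"
  access_key = "${var.aws_access_key}"
  secret_key = "${var.aws_access_secret_key}"
  region     = "${var.aws_region_main}"
}

provider "aws" {
  alias      = "central"
  access_key = "${var.aws_access_key}"
  secret_key = "${var.aws_access_secret_key}"
  region     = "${var.aws_region_replica}"
}
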
# IAM role that the S3 service assumes to copy objects from the uploads bucket
# into the replica. The trust policy admits only the S3 service principal.
# NOTE(review): there is no aws:SourceAccount / aws:SourceArn condition on the
# trust; consider adding one so only buckets in this account can use the role.
resource "aws_iam_role" "replication" {
  name = "tf-iam-role-replication-12345"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

# Permissions for the replication role, split by target:
#   - read the replication configuration and list the source bucket,
#   - read object versions and their ACLs from the source bucket,
#   - write replicated objects and delete markers into the replica.
resource "aws_iam_policy" "replication" {
  name = "tf-iam-role-policy-replication-12345"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.uploads.arn}"
      ]
    },
    {
      "Action": [
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.uploads.arn}/*"
      ]
    },
    {
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete"
      ],
      "Effect": "Allow",
      "Resource": "${aws_s3_bucket.replica.arn}/*"
    }
  ]
}
EOF
}

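# Attach the replication policy to the replication role.
# aws_iam_policy_attachment is exclusive: it detaches the policy from every
# other user, group or role on each apply, so a role-scoped attachment is
# used instead (the resource address changes; nothing else here refers to it).
resource "aws_iam_role_policy_attachment" "replication" {
  role       = "${aws_iam_role.replication.name}"
  policy_arn = "${aws_iam_policy.replication.arn}"
}
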
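# Replica (backup) of the uploads bucket, kept in the second region.
resource "aws_s3_bucket" "replica" {
  provider = "aws.central"
  bucket   = "${var.aws_bucket_name}-replica-1"
  region   = "${var.aws_region_replica}"

  # The bucket ACL governs who may list the bucket; it was "public-read",
  # which let anyone enumerate the backup's contents. Access to individual
  # objects is governed by each object's own ACL, not by this setting.
  acl = "private"

  # Versioning is needed on both buckets so that files can be replicated
  versioning {
    enabled = true
  }

  # Remove superseded versions of images after 15 days
  lifecycle_rule {
    prefix  = ""
    enabled = true

    noncurrent_version_expiration {
      days = 15
    }
  }
}
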
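# Main S3 bucket that WordPress uploads are written to
resource "aws_s3_bucket" "uploads" {
  provider = "aws.west"
  bucket   = "${var.aws_bucket_name}"
  region   = "${var.aws_region_main}"

  # A "public-read" bucket ACL only grants anonymous listing of the bucket.
  # Whether a file is publicly readable depends on that object's own ACL (the
  # uploads user holds s3:PutObjectAcl to set it), so anonymous listing can be
  # switched off without changing how objects are served.
  acl = "private"

  # Versioning is needed on both buckets so that files can be replicated
  versioning {
    enabled = true
  }

  # Remove old versions after 15 days; these shouldn't happen that often because
  # humanmade/s3-uploads renames files which have the same name
  lifecycle_rule {
    prefix  = ""
    enabled = true

    noncurrent_version_expiration {
      days = 15
    }
  }

  # Copy every object (empty prefix) into the replica bucket using the role above
  replication_configuration {
    role = "${aws_iam_role.replication.arn}"

    rules {
      id     = "replica"
      prefix = ""
      status = "Enabled"

      destination {
        bucket        = "${aws_s3_bucket.replica.arn}"
        storage_class = "STANDARD"
      }
    }
  }
}
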
# Dedicated IAM user that WordPress uses to talk to the uploads bucket, plus
# its access key. The key pair is exposed through the outputs at the bottom.
resource "aws_iam_user" "uploads_user" {
  name = "${var.aws_bucket_name}-user"
}

resource "aws_iam_access_key" "uploads_user" {
  user = "${aws_iam_user.uploads_user.name}"
}

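# Policy for the WordPress uploads user, based on the one shipped with
# humanmade/s3-uploads. S3 bucket-level actions (GetBucket*, ListBucket*)
# only match the bucket ARN and object-level actions only match "<bucket>/*";
# the original statement listed the bucket-level actions against the object
# ARN, where they never applied, so they are split into their own statement.
# Resources use the bucket's .arn attribute, as the replication policy does.
resource "aws_iam_user_policy" "wp_uploads_policy" {
  name = "WordPress-S3-Uploads"
  user = "${aws_iam_user.uploads_user.name}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1392016154000",
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:ListMultipartUploadParts",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "${aws_s3_bucket.uploads.arn}/*"
      ]
    },
    {
      "Sid": "AllowBucketLevelReads",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "${aws_s3_bucket.uploads.arn}"
      ]
    },
    {
      "Sid": "AllowRootAndHomeListingOfBucket",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["${aws_s3_bucket.uploads.arn}"],
      "Condition":{"StringLike":{"s3:prefix":["*"]}}
    }
  ]
}
EOF
}
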
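# Outputs: the bucket name and the uploads user's key pair.
# The key id and secret are marked sensitive so `terraform output` and plan
# summaries redact them; `terraform output <name>` still returns the value.
output "s3-bucket-name" {
  value = "${var.aws_bucket_name}"
}

output "s3-user-access-key" {
  value     = "${aws_iam_access_key.uploads_user.id}"
  sensitive = true
}

output "s3-user-secret-key" {
  value     = "${aws_iam_access_key.uploads_user.secret}"
  sensitive = true
}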