From 88eb5ee91f1a85f0afedd121d7f3f9856eca3ba9 Mon Sep 17 00:00:00 2001
From: Khalim Conn-Kowlessar
Date: Thu, 13 Jul 2023 16:57:43 +0100
Subject: [PATCH] Added presigned bucket and iam role to terraform
---
 infrastructure/terraform/main.tf | 6 ++
 .../modules/s3_presignable_bucket/main.tf | 59 +++++++++++++++++++
 .../modules/s3_presignable_bucket/outputs.tf | 9 +++
 .../s3_presignable_bucket/variables.tf | 4 ++
 4 files changed, 78 insertions(+)
 create mode 100644 infrastructure/terraform/modules/s3_presignable_bucket/main.tf
 create mode 100644 infrastructure/terraform/modules/s3_presignable_bucket/outputs.tf
 create mode 100644 infrastructure/terraform/modules/s3_presignable_bucket/variables.tf
diff --git a/infrastructure/terraform/main.tf b/infrastructure/terraform/main.tf
index 9422fdfb..44b4691e 100644
--- a/infrastructure/terraform/main.tf
+++ b/infrastructure/terraform/main.tf
@@ -76,3 +76,9 @@ resource "aws_db_instance" "default" {
 # have major security demand and don't want to set this up now
 publicly_accessible = true
 }
+
+# Set up the bucket that recieve the csv uploads of properties to be retrofit
+module "s3_presignable_bucket" {
+ source = "./modules/s3_presignable_bucket"
+ environment = var.stage
+}
\ No newline at end of file
diff --git a/infrastructure/terraform/modules/s3_presignable_bucket/main.tf b/infrastructure/terraform/modules/s3_presignable_bucket/main.tf
new file mode 100644
index 00000000..d07abd59
--- /dev/null
+++ b/infrastructure/terraform/modules/s3_presignable_bucket/main.tf
@@ -0,0 +1,59 @@
+resource "aws_s3_bucket" "bucket" {
+ bucket = "retrofit-plan-inputs-${var.environment}"
+ acl = "private"
+
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
+ }
+
+ lifecycle {
+ prevent_destroy = true
+ }
+}
+
+resource "aws_iam_role" "role" {
+ name = "s3_presign_role"
+ assume_role_policy = <
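Review bot: The comment above `module "s3_presignable_bucket"` in infrastructure/terraform/main.tf describes only the bucket, but the module added in this patch also declares `aws_iam_role.role`, so a reader of the root main.tf cannot tell that this block introduces a new IAM role. I would reword it to something like `# Bucket that receives the CSV uploads of properties to be retrofitted; the module also creates the IAM role used for presigning` (the role's purpose is inferred from its name, so adjust the wording to what it actually does). The role is named `s3_presign_role` with no `${var.environment}` suffix while the bucket name carries one, so applying a second stage in the same AWS account would presumably hit a name conflict; that is worth confirming before another environment is added.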