From a62c9afa459e70ddacfdcde0f7f9e8fabe366c86 Mon Sep 17 00:00:00 2001
From: Khalim Conn-Kowlessar <kconnkowlessar@gmail.com>
Date: Thu, 13 Jul 2023 19:36:56 +0100
Subject: [PATCH] Updated buckets to generate iam users and separate between
 lambda and frontend

---
 .../modules/s3_presignable_bucket/main.tf     | 39 ++++++++++++++++---
 .../modules/s3_presignable_bucket/outputs.tf  | 16 ++++++--
 2 files changed, 46 insertions(+), 9 deletions(-)

diff --git a/infrastructure/terraform/modules/s3_presignable_bucket/main.tf b/infrastructure/terraform/modules/s3_presignable_bucket/main.tf
index d07abd59..6c8bf541 100644
--- a/infrastructure/terraform/modules/s3_presignable_bucket/main.tf
+++ b/infrastructure/terraform/modules/s3_presignable_bucket/main.tf
@@ -15,8 +15,35 @@ resource "aws_s3_bucket" "bucket" {
   }
 }
 
-resource "aws_iam_role" "role" {
-  name = "s3_presign_role"
+resource "aws_iam_user" "presign_frontend_user" {
+  name = "presign_frontend_user-${var.environment}"
+  path = "/system/"
+}
+
+resource "aws_iam_access_key" "presign_frontend_user_access_key" {
+  user = aws_iam_user.presign_frontend_user.name
+}
+
+resource "aws_secretsmanager_secret" "presign_frontend_user_access_key" {
+  name = "${var.environment}/presign_frontend/access_key"
+}
+
+resource "aws_secretsmanager_secret_version" "presign_frontend_user_access_key" {
+  secret_id     = aws_secretsmanager_secret.presign_frontend_user_access_key.id
+  secret_string = aws_iam_access_key.presign_frontend_user_access_key.id
+}
+
+resource "aws_secretsmanager_secret" "presign_frontend_user_secret_key" {
+  name = "${var.environment}/presign_frontend/secret_key"
+}
+
+resource "aws_secretsmanager_secret_version" "presign_frontend_user_secret_key" {
+  secret_id     = aws_secretsmanager_secret.presign_frontend_user_secret_key.id
+  secret_string = aws_iam_access_key.presign_frontend_user_access_key.secret
+}
+
+resource "aws_iam_role" "presign_frontend_role" {
+  name = "presign_frontend_role-${var.environment}"
   assume_role_policy = <<EOF
 {
   "Version": "2012-10-17",
@@ -24,7 +51,7 @@ resource "aws_iam_role" "role" {
     {
       "Action": "sts:AssumeRole",
       "Principal": {
-        "Service": "lambda.amazonaws.com"
+        "Service": "ec2.amazonaws.com"
       },
       "Effect": "Allow",
       "Sid": ""
@@ -34,9 +61,9 @@ resource "aws_iam_role" "role" {
 EOF
 }
 
-resource "aws_iam_role_policy" "policy" {
-  name = "s3_presign_policy"
-  role = aws_iam_role.role.id
+resource "aws_iam_role_policy" "presign_frontend_policy" {
+  name = "presign_frontend_policy-${var.environment}"
+  role = aws_iam_role.presign_frontend_role.id
 
   policy = <<EOF
 {
diff --git a/infrastructure/terraform/modules/s3_presignable_bucket/outputs.tf b/infrastructure/terraform/modules/s3_presignable_bucket/outputs.tf
index c9847577..37243cd0 100644
--- a/infrastructure/terraform/modules/s3_presignable_bucket/outputs.tf
+++ b/infrastructure/terraform/modules/s3_presignable_bucket/outputs.tf
@@ -3,7 +3,17 @@ output "bucket_name" {
   value       = aws_s3_bucket.bucket.bucket
 }
 
-output "role_arn" {
-  description = "The ARN of the IAM role"
-  value       = aws_iam_role.role.arn
+output "presign_frontend_role_arn" {
+  description = "The ARN of the frontend IAM role"
+  value       = aws_iam_role.presign_frontend_role.arn
+}
+
+output "presign_frontend_access_key_secret_name" {
+  description = "The name of the access key secret in AWS Secrets Manager for the frontend user"
+  value       = aws_secretsmanager_secret.presign_frontend_user_access_key.name
+}
+
+output "presign_frontend_secret_key_secret_name" {
+  description = "The name of the secret key secret in AWS Secrets Manager for the frontend user"
+  value       = aws_secretsmanager_secret.presign_frontend_user_secret_key.name
 }