Merge pull request #25 from Hestia-Homes/main

Added presigned bucket and iam role to terraform
2026-06-08 11:17:27 +00:00 · 2023-07-13 16:58:53 +01:00 · 2023-07-13 16:58:53 +01:00 · e67f537113
commit e67f537113
parent e2b96d8ace 88eb5ee91f
4 changed files with 78 additions and 0 deletions
--- a/infrastructure/terraform/main.tf
+++ b/infrastructure/terraform/main.tf
@ -76,3 +76,9 @@ resource "aws_db_instance" "default" {
  # have major security demand and don't want to set this up now
  publicly_accessible = true
 }
+
+# Set up the bucket that recieve the csv uploads of properties to be retrofit
+module "s3_presignable_bucket" {
+  source = "./modules/s3_presignable_bucket"
+  environment = var.stage
+}
--- a/infrastructure/terraform/modules/s3_presignable_bucket/main.tf
+++ b/infrastructure/terraform/modules/s3_presignable_bucket/main.tf
@ -0,0 +1,59 @@
+resource "aws_s3_bucket" "bucket" {
+  bucket = "retrofit-plan-inputs-${var.environment}"
+  acl    = "private"
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm = "AES256"
+      }
+    }
+  }
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "aws_iam_role" "role" {
+  name = "s3_presign_role"
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "policy" {
+  name = "s3_presign_policy"
+  role = aws_iam_role.role.id
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:PutObject",
+        "s3:PutObjectAcl",
+        "s3:GetObject",
+        "s3:GetObjectAcl",
+        "s3:DeleteObject"
+      ],
+      "Resource": "arn:aws:s3:::${aws_s3_bucket.bucket.bucket}/*"
+    }
+  ]
+}
+EOF
+}
--- a/infrastructure/terraform/modules/s3_presignable_bucket/outputs.tf
+++ b/infrastructure/terraform/modules/s3_presignable_bucket/outputs.tf
@ -0,0 +1,9 @@
+output "bucket_name" {
+  description = "The name of the S3 bucket"
+  value       = aws_s3_bucket.bucket.bucket
+}
+
+output "role_arn" {
+  description = "The ARN of the IAM role"
+  value       = aws_iam_role.role.arn
+}
--- a/infrastructure/terraform/modules/s3_presignable_bucket/variables.tf
+++ b/infrastructure/terraform/modules/s3_presignable_bucket/variables.tf
@ -0,0 +1,4 @@
+variable "environment" {
+  description = "The environment for the bucket (dev or prod)"
+  type        = string
+}