masto-aio/terraform/s3.tf


resource "aws_s3_bucket" "s3_bucket" {
  bucket = "mastodon-${local.domain_name}"
}

resource "aws_s3_bucket_ownership_controls" "s3_bucket" {
  bucket = aws_s3_bucket.s3_bucket.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_public_access_block" "s3_bucket" {
  bucket = aws_s3_bucket.s3_bucket.id

  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}

resource "aws_s3_bucket_acl" "s3_bucket" {
  depends_on = [
    aws_s3_bucket_public_access_block.s3_bucket,
    aws_s3_bucket_ownership_controls.s3_bucket,
  ]

  bucket = aws_s3_bucket.s3_bucket.id
  acl    = "public-read"
}

resource "aws_iam_access_key" "s3" {
  user    = aws_iam_user.s3.name
}

resource "aws_iam_user" "s3" {
  name = "mastodon-s3-${local.domain_name}"
  path = "/system/"
}

resource "aws_iam_user_policy" "s3" {
  name = "${aws_s3_bucket.s3_bucket.id}-access"
  user = aws_iam_user.s3.name

  policy      = data.aws_iam_policy_document.s3.json
}

data "aws_iam_policy_document" "s3" {
  statement {
    actions = [
      "s3:*"
    ]
    resources = [
      "${aws_s3_bucket.s3_bucket.arn}",
      "${aws_s3_bucket.s3_bucket.arn}/*"
    ]
  }
}

resource "local_file" "s3_secret" {
  filename = ".s3_secret"
  content  = "${aws_iam_access_key.s3.secret}\n"
}

resource "local_file" "s3_id" {
  filename = ".s3_id"
  content  = "${aws_iam_access_key.s3.id}\n"
}
First version that works, or at least gets all the way through ansible config 2024-01-18 18:14:17 -08:00
Fix S3 bucket ACL so masto can actually post media to it 2024-02-10 11:20:43 -08:00			`resource "aws_s3_bucket" "s3_bucket" {`
Changing the main S3 bucket name since it appears in URLs 2024-02-12 19:50:15 -08:00			`bucket = "mastodon-${local.domain_name}"`
Fix S3 bucket ACL so masto can actually post media to it 2024-02-10 11:20:43 -08:00			`}`
First version that works, or at least gets all the way through ansible config 2024-01-18 18:14:17 -08:00
Fix S3 bucket ACL so masto can actually post media to it 2024-02-10 11:20:43 -08:00			`resource "aws_s3_bucket_ownership_controls" "s3_bucket" {`
			`bucket = aws_s3_bucket.s3_bucket.id`
			`rule {`
			`object_ownership = "BucketOwnerPreferred"`
First version that works, or at least gets all the way through ansible config 2024-01-18 18:14:17 -08:00			`}`
Fix S3 bucket ACL so masto can actually post media to it 2024-02-10 11:20:43 -08:00			`}`

			`resource "aws_s3_bucket_public_access_block" "s3_bucket" {`
			`bucket = aws_s3_bucket.s3_bucket.id`

			`block_public_acls = false`
			`block_public_policy = false`
			`ignore_public_acls = false`
			`restrict_public_buckets = false`
			`}`

			`resource "aws_s3_bucket_acl" "s3_bucket" {`
			`depends_on = [`
			`aws_s3_bucket_public_access_block.s3_bucket,`
			`aws_s3_bucket_ownership_controls.s3_bucket,`
			`]`
First version that works, or at least gets all the way through ansible config 2024-01-18 18:14:17 -08:00
Fix S3 bucket ACL so masto can actually post media to it 2024-02-10 11:20:43 -08:00			`bucket = aws_s3_bucket.s3_bucket.id`
			`acl = "public-read"`
First version that works, or at least gets all the way through ansible config 2024-01-18 18:14:17 -08:00			`}`

			`resource "aws_iam_access_key" "s3" {`
			`user = aws_iam_user.s3.name`
			`}`

			`resource "aws_iam_user" "s3" {`
Changing the main S3 bucket name since it appears in URLs 2024-02-12 19:50:15 -08:00			`name = "mastodon-s3-${local.domain_name}"`
First version that works, or at least gets all the way through ansible config 2024-01-18 18:14:17 -08:00			`path = "/system/"`
			`}`

How did we not add permissions to the s3 bucket before? 2024-02-09 05:30:30 -08:00			`resource "aws_iam_user_policy" "s3" {`
Fix S3 bucket ACL so masto can actually post media to it 2024-02-10 11:20:43 -08:00			`name = "${aws_s3_bucket.s3_bucket.id}-access"`
How did we not add permissions to the s3 bucket before? 2024-02-09 05:30:30 -08:00			`user = aws_iam_user.s3.name`

			`policy = data.aws_iam_policy_document.s3.json`
			`}`

			`data "aws_iam_policy_document" "s3" {`
			`statement {`
			`actions = [`
			`"s3:*"`
			`]`
			`resources = [`
Fix S3 bucket ACL so masto can actually post media to it 2024-02-10 11:20:43 -08:00			`"${aws_s3_bucket.s3_bucket.arn}",`
			`"${aws_s3_bucket.s3_bucket.arn}/*"`
How did we not add permissions to the s3 bucket before? 2024-02-09 05:30:30 -08:00			`]`
			`}`
			`}`

First version that works, or at least gets all the way through ansible config 2024-01-18 18:14:17 -08:00			`resource "local_file" "s3_secret" {`
			`filename = ".s3_secret"`
			`content = "${aws_iam_access_key.s3.secret}\n"`
			`}`

			`resource "local_file" "s3_id" {`
			`filename = ".s3_id"`
			`content = "${aws_iam_access_key.s3.id}\n"`
			`}`