Create private s3 bucket for backups and such

This commit is contained in:
Erik Stambaugh 2024-02-09 05:48:45 -08:00
parent 259636b909
commit 8fc3d96a22
4 changed files with 53 additions and 17 deletions


@ -24,12 +24,25 @@ module "vpc" {
enable_vpn_gateway = false enable_vpn_gateway = false
} }
resource "aws_iam_role" "social" {
name = "social_role"
assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
path = "/"
description = "instance role for social server"
}
resource "aws_iam_instance_profile" "social" {
name = "social_profile"
role = aws_iam_role.social.name
path = "/"
}
resource "aws_instance" "social" { resource "aws_instance" "social" {
ami = data.aws_ami.ubuntu.id ami = data.aws_ami.ubuntu.id
instance_type = local.instance_type instance_type = local.instance_type
subnet_id = module.vpc.public_subnets.0 subnet_id = module.vpc.public_subnets.0
key_name = aws_key_pair.key.key_name key_name = aws_key_pair.key.key_name
iam_instance_profile = aws_iam_instance_profile.ssm.name iam_instance_profile = aws_iam_instance_profile.social.name
vpc_security_group_ids = [ module.sg.security_group_id ] vpc_security_group_ids = [ module.sg.security_group_id ]
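Review bot: The instance now runs under `aws_iam_instance_profile.social`, and this commit attaches S3 permissions to that role, so any SSRF or code-execution bug on the social server can obtain those credentials from the instance metadata service unless IMDSv2 is enforced; the `aws_instance "social"` block continues past the end of the hunk and no `metadata_options` is visible in the part shown. If it is not set elsewhere in the resource, add `metadata_options { http_tokens = "required" http_put_response_hop_limit = 1 }` so role credentials cannot be fetched with a plain GET to 169.254.169.254. The new `aws_iam_role "social"` also deserves a comment stating its intent, since it replaces the SSM-only role and every per-service policy now lands on it, e.g. `# Single instance role for the social server; SSM and private-bucket policies attach via aws_iam_role_policy_attachment.`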

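--- /dev/null
+++ b/terraform/s3-private.tf
@@ -0,0 +1,37 @@
+module "private_s3_bucket" {
+source = "terraform-aws-modules/s3-bucket/aws"
+bucket = "mastodon-private-${random_pet.name.id}"
+versioning = {
+enabled = false
+}
+}
+data "aws_iam_policy_document" "private_s3" {
+statement {
+actions = [
+"s3:*"
+]
+resources = [
+"${module.private_s3_bucket.s3_bucket_arn}",
+"${module.private_s3_bucket.s3_bucket_arn}/*"
+]
+}
+}
+resource "aws_iam_policy" "private_s3" {
+name = "${module.private_s3_bucket.s3_bucket_id}-access"
+policy = data.aws_iam_policy_document.private_s3.json
+path = "/"
+description = "permissions for mastodon private s3 bucket"
+}
+resource "aws_iam_role_policy_attachment" "private_s3" {
+role = aws_iam_role.social.name
+policy_arn = aws_iam_policy.private_s3.arn
+}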
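Review bot: The `private_s3` policy document grants `s3:*` on the backup bucket and every object in it to the instance role, so a compromised server can delete the bucket, rewrite its policy or ACL, or wipe all backups, far more than a backup writer needs. Restrict the statement to what the backup job actually uses, e.g. `actions = ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:AbortMultipartUpload"]` (ideally split into one statement with `s3:ListBucket` on the bucket ARN and one with the object actions on the `/*` ARN), and leave out `s3:DeleteObject` unless retention pruning really runs from the instance. `versioning = { enabled = false }` undercuts the stated purpose: with versioning off, an overwritten or deleted backup is gone, so set `enabled = true` and add a lifecycle rule to expire old versions instead. The module call pins no `version` and sets no explicit public-access block or `server_side_encryption_configuration`; the module's defaults may cover the latter two depending on the version resolved, but adding a `version` constraint plus explicit `block_public_acls`/`block_public_policy`/`ignore_public_acls`/`restrict_public_buckets = true` makes the "private" in the name enforced rather than assumed.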


@ -32,13 +32,12 @@ data "aws_iam_policy_document" "s3" {
"s3:*" "s3:*"
] ]
resources = [ resources = [
module.s3_bucket.s3_bucket_arn, "${module.s3_bucket.s3_bucket_arn}",
"${module.s3_bucket.s3_bucket_arn}/*" "${module.s3_bucket.s3_bucket_arn}/*"
] ]
} }
} }
resource "local_file" "s3_secret" { resource "local_file" "s3_secret" {
filename = ".s3_secret" filename = ".s3_secret"
content = "${aws_iam_access_key.s3.secret}\n" content = "${aws_iam_access_key.s3.secret}\n"
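Review bot: The new side of `resources` wraps `module.s3_bucket.s3_bucket_arn` in `"${...}"`, a redundant interpolation-only expression that `terraform validate` reports as deprecated; the original bare reference `module.s3_bucket.s3_bucket_arn,` was the idiomatic form and only the `/*` entry needs a template string. The `data "aws_iam_policy_document" "s3"` block starts before the hunk, so the statement's `effect`/`principals` are not visible here. Separately, the unchanged context shows `local_file.s3_secret` persisting `aws_iam_access_key.s3.secret` to `.s3_secret` on the operator's machine and, necessarily, in Terraform state; now that the server has an instance role, a comment such as `# TODO: long-lived IAM user key written to disk and state; consider granting this bucket to aws_iam_role.social instead` would record that this remains an open item.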


@ -1,13 +1,6 @@
# SSM permissions # SSM permissions
resource "aws_iam_role" "ssm" {
name = "social_ssm"
assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
path = "/"
description = "SSM permissions for social server"
}
data "aws_iam_policy_document" "assume_role_policy" { data "aws_iam_policy_document" "assume_role_policy" {
statement { statement {
actions = ["sts:AssumeRole"] actions = ["sts:AssumeRole"]
@ -31,14 +24,8 @@ data "aws_iam_policy" "ssm" {
} }
resource "aws_iam_role_policy_attachment" "ssm" { resource "aws_iam_role_policy_attachment" "ssm" {
role = aws_iam_role.ssm.name role = aws_iam_role.social.name
policy_arn = aws_iam_policy.ssm.arn policy_arn = aws_iam_policy.ssm.arn
} }
resource "aws_iam_instance_profile" "ssm" {
name = "social_ssm"
role = aws_iam_role.ssm.name
path = "/"
}