Minimal AWS IAM permissions for a Vault server (Terraform): KMS auto-unseal, EC2 raft auto-join, and S3 storage for raft auto-snapshots.
# Customer-managed KMS key used by the Vault awskms seal (auto-unseal).
# Resolved from its alias so the policy below can reference the key ARN
# instead of a hard-coded key id.
data "aws_kms_key" "auto_unseal" {
  key_id = "alias/my-key"
}
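# Identity-policy document for the awskms seal: only the operations the seal
# performs against the unseal key, scoped to that single key ARN (never "*").
# kms:EnableKeyRotation has been dropped: it is a key-administration action the
# seal never calls, so granting it to the server role only widens the blast
# radius of a compromised Vault node.
data "aws_iam_policy_document" "auto_unseal" {
  version = "2012-10-17"

  statement {
    sid    = "VaultAutoUnsealKey"
    effect = "Allow"
    actions = [
      "kms:DescribeKey",
      "kms:Encrypt",
      "kms:Decrypt",
    ]
    resources = [
      data.aws_kms_key.auto_unseal.arn,
    ]
  }
}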
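# Identity-policy document for raft retry_join auto-discovery of peers.
# ec2:DescribeInstances is a Describe-style API: it supports neither
# resource-level permissions nor the ec2:ResourceTag condition key, so the
# original StringEquals on ec2:ResourceTag/app could never match and the call
# was denied outright. The only valid scope is "*"; the app=vault tag filter
# (presumably the retry_join tag_key/tag_value) is applied by Vault on the
# client side, not by IAM. Limit exposure by attaching this document only to
# the Vault server role.
data "aws_iam_policy_document" "raft_auto_join" {
  version = "2012-10-17"

  statement {
    sid    = "ListInstancesWithTags"
    effect = "Allow"
    actions = [
      "ec2:DescribeInstances",
    ]
    resources = [
      "*",
    ]
  }
}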
# Aggregate document that becomes the server's identity policy. Note that only
# the auto-join statement is merged here; the auto_unseal document above is not
# referenced, so if the same role performs auto-unseal that document has to be
# attached to it separately.
data "aws_iam_policy_document" "default" {
  source_policy_documents = [
    data.aws_iam_policy_document.raft_auto_join.json,
  ]
}
# Customer-managed policy holding the merged server permissions. Attaching it
# to the Vault server instance role is not part of this file.
resource "aws_iam_policy" "default" {
  name   = "vault_server_policy"
  path   = "/"
  policy = data.aws_iam_policy_document.default.json
}
# Pre-existing snapshot bucket, looked up by name; the snapshot policy below
# references its ARN and the bucket-policy resource references its id.
data "aws_s3_bucket" "default" {
  bucket = var.bucket_name
}
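# Permissions for Vault's automated raft snapshots written to S3.
# Two fixes relative to the original:
#   - Object-level actions authorise against object ARNs ("<bucket-arn>/*"),
#     not the bucket ARN; with only the bucket ARN every Put/Get/Delete on the
#     snapshots was denied. s3:ListBucket correctly stays on the bucket ARN.
#   - "s3:*Object" is replaced by explicit actions. The wildcard also matched
#     unrelated actions such as s3:RestoreObject and s3:ReplicateObject.
#     NOTE(review): s3:DeleteObject is only needed when snapshot retention
#     prunes old snapshots, and s3:GetObject only if this same role restores
#     them; drop whichever your deployment does not use so a compromised
#     server cannot read or destroy backups.
# NOTE(review): this document is attached as a bucket policy below. S3 rejects
# a bucket-policy statement that has no Principal, so either add a principals
# block naming the Vault server role to each statement or attach this document
# to that role as an identity policy instead.
data "aws_iam_policy_document" "raft_snapshot" {
  version = "2012-10-17"

  statement {
    sid       = "ListObjectsInBucket"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = [data.aws_s3_bucket.default.arn]
  }

  statement {
    sid    = "SnapshotObjectActions"
    effect = "Allow"
    actions = [
      "s3:PutObject",
      "s3:GetObject",
      "s3:DeleteObject",
    ]
    resources = ["${data.aws_s3_bucket.default.arn}/*"]
  }
}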
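# Bucket-policy document for the snapshot bucket. Renamed from "default": that
# label is already used by the identity-policy document above, and two data
# sources of the same type and name in one module is a Terraform error (if
# these blocks live in separate modules the rename is merely harmless).
data "aws_iam_policy_document" "snapshot_bucket" {
  source_policy_documents = [data.aws_iam_policy_document.raft_snapshot.json]
}

# Resource policy on the snapshot bucket.
# NOTE(review): as written the raft_snapshot statements carry no principals
# block, and S3 rejects a bucket policy whose statements have no Principal.
# Expect this apply to fail until the Vault server role is named there, or
# attach the snapshot document to that role as an identity policy instead.
resource "aws_s3_bucket_policy" "default" {
  bucket = data.aws_s3_bucket.default.id
  policy = data.aws_iam_policy_document.snapshot_bucket.json
}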