Poor man's append-only bucket with Terraform: a versioned S3 bucket plus an IAM user that has no delete permissions. The guarantee is only as strong as the IAM policy — anyone else with broader S3 rights in the account can still delete versions.
##
# Input: the bucket name. It is also used to derive the IAM user name
# ("<bucket>-user") below, so it must be valid for both.
##
variable "aws_bucket_name" {
  description = "Name of the S3 bucket to create (S3 bucket names are global; the IAM user is named <bucket>-user)."
}

##
# Aliased provider pinned to eu-west-1. Only the bucket resource selects it
# via `provider = "aws.west"`; the IAM resources below do not reference the
# alias and therefore go through the default (un-aliased) aws provider.
##
provider "aws" {
  alias  = "west"
  region = "eu-west-1"
}
##
# Versioned bucket that keeps every overwritten object version.
#
# Nothing here ever expires a version, current or noncurrent, so the bucket
# grows without bound by design: old versions only get cheaper (Glacier),
# they are never removed.
#
# NOTE(review): the "append-only" property comes solely from the IAM user
# policy further down. Any principal with wider S3 permissions in this
# account can still delete versions, suspend versioning or change the
# lifecycle rule. No server-side encryption is configured on the bucket
# either; add it if the provider version in use supports it.
##
resource "aws_s3_bucket" "uploads" {
  provider = "aws.west"
  region   = "eu-west-1"
  bucket   = "${var.aws_bucket_name}"
  acl      = "private"

  # Versioning is what turns an overwrite into an append: the replaced
  # object is retained as a noncurrent version instead of being lost.
  versioning {
    enabled = true
  }

  # Applies to the whole bucket (empty prefix).
  lifecycle_rule {
    prefix  = ""
    enabled = true

    # Overwritten (noncurrent) versions move to Glacier after one year to
    # keep storage cheap. There is deliberately no expiration.
    noncurrent_version_transition {
      days          = 365
      storage_class = "GLACIER"
    }
  }
}
##
# Dedicated upload user and its long-lived access key.
#
# The generated secret is written to Terraform state in plaintext (and is
# exposed again by the output at the bottom of this file). NOTE(review): the
# provider's `pgp_key` argument on aws_iam_access_key stores only an
# encrypted secret; consider it if the state file is shared — verify
# availability against the provider version in use.
##
resource "aws_iam_user" "uploads_user" {
  name = "${var.aws_bucket_name}-user"
}

resource "aws_iam_access_key" "uploads_user" {
  user = "${aws_iam_user.uploads_user.name}"
}
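##
# Inline policy for the upload user: read, list and write, but no delete.
#
# Statement 1 grants the object-level actions on objects in the bucket.
# Statement 2 grants the bucket-level actions. These only match the bucket
#   ARN itself (no "/*"); the original gist listed GetBucketAcl,
#   GetBucketLocation, GetBucketPolicy, ListBucket and
#   ListBucketMultipartUploads under the object ARN, where they could never
#   match and were silently ineffective (ListBucket only worked because of
#   the separate bucket-ARN statement). The original
#   `StringLike s3:prefix = "*"` condition on ListBucket matched every
#   prefix and so restricted nothing; it is dropped.
# Statement 3 is an explicit Deny for deletion and for actions that would
#   weaken retention. It changes nothing today (none of those actions are
#   granted), but keeps the append-only property even if a broader policy
#   is later attached to this user. It binds only this user; account
#   administrators are not covered by it.
#
# NOTE(review): s3:PutObjectAcl lets this user make individual objects
# public-read. It is kept because the gist grants it; drop it unless the
# uploader really needs to set object ACLs.
##
resource "aws_iam_user_policy" "without_delete_s3_policy" {
  name = "Append-Only-S3"
  user = "${aws_iam_user.uploads_user.name}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ObjectReadWriteNoDelete",
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:ListMultipartUploadParts",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::${aws_s3_bucket.uploads.bucket}/*"
      ]
    },
    {
      "Sid": "BucketReadAndList",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "arn:aws:s3:::${aws_s3_bucket.uploads.bucket}"
      ]
    },
    {
      "Sid": "DenyDeleteAndRetentionChanges",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteBucket",
        "s3:PutBucketVersioning",
        "s3:PutLifecycleConfiguration",
        "s3:PutBucketPolicy",
        "s3:DeleteBucketPolicy"
      ],
      "Resource": [
        "arn:aws:s3:::${aws_s3_bucket.uploads.bucket}",
        "arn:aws:s3:::${aws_s3_bucket.uploads.bucket}/*"
      ]
    }
  ]
}
EOF
}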
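##
# Outputs for the caller: bucket name and the user's credentials.
#
# The secret key is marked sensitive so `terraform apply` / `terraform
# output` do not print it to the terminal or CI logs. It is still stored in
# plaintext in the state file, so the state itself must be protected
# (encrypted, access-controlled backend).
##
output "s3-bucket-name-main" {
  value = "${var.aws_bucket_name}"
}

output "s3-user-access-key" {
  value = "${aws_iam_access_key.uploads_user.id}"
}

output "s3-user-secret-key" {
  sensitive = true
  value     = "${aws_iam_access_key.uploads_user.secret}"
}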