#####################################################################################
# Terraform module examples are meant to show an _example_ of how to use a module
# for a given use case. The code below should not be copied directly; use it as a reference
# to build your own root module that invokes this module.
#####################################################################################
# S3 DataSync location, one instance per entry in var.s3_locations (keyed by name).
resource "aws_datasync_location_s3" "s3_location" {
  for_each = { for loc in var.s3_locations : loc.name => loc }

  s3_bucket_arn    = each.value.s3_bucket_arn
  s3_storage_class = try(each.value.s3_storage_class, null)
  agent_arns       = try(each.value.agent_arns, null)

  # Unset optional attributes fall back to the bucket root and an empty tag map.
  subdirectory = each.value.subdirectory == null ? "/" : each.value.subdirectory
  tags         = each.value.tags == null ? {} : each.value.tags

  s3_config {
    # A caller-supplied role ARN wins; otherwise the role this module creates under
    # the same key is used. NOTE(review): aws_iam_role.datasync_role_s3 only has an
    # instance when the location sets create_role, so a location with neither a role
    # ARN nor create_role may fail here with a missing-instance reference — confirm
    # that the variable validation rules out that combination.
    bucket_access_role_arn = (
      each.value.s3_config_bucket_access_role_arn == null
      ? aws_iam_role.datasync_role_s3[each.key].arn
      : each.value.s3_config_bucket_access_role_arn
    )
  }
}
# TFSEC High warning suppressed: the object statement below uses the sensitive action
# 's3:AbortMultipartUpload' on a wildcarded ("<bucket>/*") resource, which is the scope
# AWS documents for a DataSync S3 location role.
# Ref Doc : https://docs.aws.amazon.com/datasync/latest/userguide/create-s3-location.html#create-role-manually
#tfsec:ignore:aws-iam-no-policy-wildcards
resource "aws_iam_role" "datasync_role_s3" {
  # Only locations that opt in via create_role get a module-managed role.
  for_each = { for loc in var.s3_locations : loc.name => loc if try(loc.create_role, false) }

  # Trust policy: only the DataSync service principal may assume this role.
  # NOTE(review): there is no Condition on aws:SourceAccount / aws:SourceArn, so the
  # trust is not pinned to this account's DataSync resources (cross-service confused
  # deputy exposure). Adding those conditions needs the account id, which this file
  # does not currently read — consider wiring in aws_caller_identity.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "datasyncAssumeRole"
        Effect    = "Allow"
        Action    = "sts:AssumeRole"
        Principal = { Service = "datasync.amazonaws.com" }
      },
    ]
  })

  # NOTE(review): inline_policy is marked deprecated in recent AWS provider releases in
  # favour of a separate aws_iam_role_policy resource — check the pinned provider version.
  inline_policy {
    name = "datasync_inline_policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          # Bucket-level read/list permissions, scoped to this location's bucket.
          Sid    = "allowListGetBucket"
          Effect = "Allow"
          Action = [
            "s3:GetBucketLocation",
            "s3:ListBucket",
            "s3:ListBucketMultipartUploads",
          ]
          Resource = each.value.s3_bucket_arn
        },
        {
          # Object-level read/write permissions, scoped to objects in that bucket.
          Sid    = "allowBucketObjects"
          Effect = "Allow"
          Action = [
            "s3:AbortMultipartUpload",
            "s3:DeleteObject",
            "s3:GetObject",
            "s3:ListMultipartUploadParts",
            "s3:PutObjectTagging",
            "s3:GetObjectTagging",
            "s3:PutObject",
          ]
          Resource = "${each.value.s3_bucket_arn}/*"
        },
      ]
    })
  }
}
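# KMS policy for module-created roles whose S3 data is encrypted with a customer-managed
# key. Created only for locations that set create_role and a non-empty
# s3_source_bucket_kms.
resource "aws_iam_policy" "datasync_role_kms" {
  # NOTE(review): the filter tests s3_source_bucket_kms, but the Resource list below
  # reads s3_source_bucket_kms_arn / s3_dest_bucket_kms_arn. If the variable type only
  # declares the *_arn attributes, try() makes this filter false for every location and
  # the policy is never created — confirm against variables.tf.
  for_each = {
    for loc in var.s3_locations :
    loc.name => loc if try(loc.create_role, false) && try(loc.s3_source_bucket_kms != "", false)
  }

  # IAM policy names are unique per account, so a fixed name fails as soon as the
  # for_each yields a second instance; the location key is appended to keep it unique.
  name = "datasync_inline_kms_policy-${each.key}"

  # The document must be a complete policy (Version + Statement); the previous bare
  # statement object (Sid/Effect/Action/Resource at top level) is rejected by IAM.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "allowKMSAccess"
        Effect = "Allow"
        # "kms:PutRolePolicy" was removed: it is not a KMS action (the action of that
        # name belongs to IAM). kms:Get*/kms:List* are broader than DataSync needs for
        # encrypt/decrypt; tighten to the specific actions once confirmed.
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:DescribeKey",
          "kms:GenerateDataKey",
          "kms:Get*",
          "kms:List*",
        ]
        # compact() drops empty (and, on current Terraform, null) entries so an unset
        # destination key ARN does not produce an invalid Resource element; the previous
        # "${...}" interpolation errored on null.
        Resource = compact([
          each.value.s3_source_bucket_kms_arn,
          each.value.s3_dest_bucket_kms_arn,
        ])
      },
    ]
  })
}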
# Attach the KMS policy to the matching module-created role. The for_each filter must
# stay identical to aws_iam_policy.datasync_role_kms so both instance key sets line up.
# (The resource label keeps its historical spelling; renaming it would move state.)
resource "aws_iam_role_policy_attachment" "datasync_role_kms_policy_attachement" {
  for_each = {
    for loc in var.s3_locations :
    loc.name => loc
    if try(loc.create_role, false) && try(loc.s3_source_bucket_kms != "", false)
  }

  policy_arn = aws_iam_policy.datasync_role_kms[each.key].arn
  role       = aws_iam_role.datasync_role_s3[each.key].name
}
# EFS DataSync location, one instance per entry in var.efs_locations (keyed by name).
resource "aws_datasync_location_efs" "efs_location" {
  for_each = { for loc in var.efs_locations : loc.name => loc }

  efs_file_system_arn = each.value.efs_file_system_arn

  # Unset optional attributes fall back to the file-system root and an empty tag map.
  subdirectory = each.value.subdirectory == null ? "/" : each.value.subdirectory
  tags         = each.value.tags == null ? {} : each.value.tags

  # Subnet and security groups are passed through unchanged from the location entry.
  ec2_config {
    subnet_arn          = each.value.ec2_config_subnet_arn
    security_group_arns = each.value.ec2_config_security_group_arns
  }
}