terraform/modules/s3/main.tf (87 lines of code) (raw):

# This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. # This data source retrieves information about the # aws provider for this module instance data "aws_region" "provider-region" { } resource "aws_s3_bucket" "moz-hg-logging" { bucket = "moz-hg-logging-${data.aws_region.provider-region.name}" acl = "log-delivery-write" tags = { App = "hgmo" Env = "prod" Owner = "gps@mozilla.com" Bugid = "1510795" Name = "hg logging bucket in ${data.aws_region.provider-region.name}" } } # Per-region S3 buckets hold bundle objects. Each region should be # identically configured except for the per-region differences. resource "aws_s3_bucket" "hg_bundles" { # Buckets are pinned to a specific region and therefore have to use # an explicit provider for that region. bucket = "moz-hg-${data.aws_region.provider-region.name}" acl = "private" tags = { App = "hgmo" Env = "prod" Owner = "gps@mozilla.com" Bugid = "1510795" Name = "hg bundles bucket in ${data.aws_region.provider-region.name}" } # Serve the auto-generated index when / is requested. website { index_document = "index.html" } # Send access logs to S3 so we can audit and monitor. logging { target_bucket = "moz-hg-logging-${data.aws_region.provider-region.name}" target_prefix = "s3/hg/" } # Objects automatically expire after 1 week. lifecycle_rule { enabled = true prefix = "" expiration { days = 7 } noncurrent_version_expiration { days = 1 } } } # Define the policy for bundle access data "aws_iam_policy_document" "hg_bundles" { # Grant bundler user access to upload and modify objects. statement { effect = "Allow" actions = [ "s3:DeleteObject", "s3:GetObject", "s3:PutObject", ] resources = [ "${aws_s3_bucket.hg_bundles.arn}/*", ] principals { type = "AWS" identifiers = [var.bundler_arn] } } # Grant all access to read S3 objects. statement { effect = "Allow" actions = [ "s3:ListBucket", ] resources = [aws_s3_bucket.hg_bundles.arn] principals { type = "AWS" identifiers = ["*"] } } statement { effect = "Allow" actions = [ "s3:GetObjectTorrent", "s3:GetObject", ] resources = [ "${aws_s3_bucket.hg_bundles.arn}/*", ] principals { type = "AWS" identifiers = ["*"] } } } resource "aws_s3_bucket_policy" "hg_bundles_policy" { bucket = aws_s3_bucket.hg_bundles.bucket policy = data.aws_iam_policy_document.hg_bundles.json }