-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathmain.tf
109 lines (99 loc) · 3.42 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
#####################################################################################
# Terraform module examples are meant to show an _example_ on how to use a module
# per use-case. The code below should not be copied directly but referenced in order
# to build your own root module that invokes this module
#####################################################################################
# S3 Datasync location
resource "aws_datasync_location_s3" "s3_location" {
for_each = {
for location in var.s3_locations :
location.name => location # Assign key => value
}
s3_bucket_arn = each.value.s3_bucket_arn
s3_storage_class = try(each.value.s3_storage_class, null)
subdirectory = each.value.subdirectory != null ? each.value.subdirectory : "/"
tags = each.value.tags != null ? each.value.tags : {}
agent_arns = try(each.value.agent_arns, null)
s3_config {
bucket_access_role_arn = each.value.s3_config_bucket_access_role_arn != null ? each.value.s3_config_bucket_access_role_arn : aws_iam_role.datasync_role_s3[each.key].arn
}
}
#TFSEC High warning supressed for IAM policy document uses sensitive action 's3:AbortMultipartUpload' on wildcarded resource.
# Ref Doc : https://docs.aws.amazon.com/datasync/latest/userguide/create-s3-location.html#create-role-manually
#tfsec:ignore:aws-iam-no-policy-wildcards
resource "aws_iam_role" "datasync_role_s3" {
for_each = {
for index, location in var.s3_locations :
location.name => location if try(location.create_role, false)
}
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Sid = "datasyncAssumeRole"
Principal = {
Service = "datasync.amazonaws.com"
}
},
]
})
inline_policy {
name = "datasync_inline_policy"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Sid = "allowListGetBucket"
Action = [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
]
Effect = "Allow"
Resource = each.value.s3_bucket_arn
},
{
Sid = "allowBucketObjects"
Action = [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:GetObject",
"s3:ListMultipartUploadParts",
"s3:PutObjectTagging",
"s3:GetObjectTagging",
"s3:PutObject",
]
Effect = "Allow"
Resource = "${each.value.s3_bucket_arn}/*"
},
{
Sid = "allowKMSAccess"
Effect = "Allow",
Action = [
"kms:Encrypt",
"kms:Decrypt",
"kms:DescribeKey",
"kms:GenerateDataKey"
],
Resource = "arn:aws:kms:*:*:key/*"
}
]
})
}
}
# EFS Datasync location
resource "aws_datasync_location_efs" "efs_location" {
for_each = {
for location in var.efs_locations :
location.name => location # Assign key => value
}
efs_file_system_arn = each.value.efs_file_system_arn
subdirectory = each.value.subdirectory != null ? each.value.subdirectory : "/"
tags = each.value.tags != null ? each.value.tags : {}
ec2_config {
subnet_arn = each.value.ec2_config_subnet_arn
security_group_arns = each.value.ec2_config_security_group_arns
}
}