// Ten-character lowercase alphanumeric suffix used to make the bucket name
// unique. It provides uniqueness only, not secrecy: a bucket name is an
// identifier that appears in ARNs and URLs, so nothing sensitive may rely
// on it being unguessable.
resource "random_string" "bucket_suffix" {
  length  = 10
  special = false
  upper   = false
  lower   = true
  numeric = true
}
// Object Storage bucket used for testing. Its name is derived from the
// random suffix above, and the same name is repeated inside the policy
// ARNs below, so the two must stay in sync.
//
// Credentials: the static access key of the bucket service account is
// passed straight to the provider. Terraform records resource attribute
// values in its state, so the state backend needs the same protection as
// the secret key itself.
//
// Bucket policy (attached only when var.bucket_private_access is true;
// otherwise no policy is set by this resource):
//   * Statement 1 grants every s3:* action to any principal ("*") whose
//     source IP is one of the NAT-instance public addresses, plus
//     var.mgmt_ip when it is set. aws:SourceIp is the only restriction, so
//     every client behind those addresses gets full control of the bucket
//     (including policy changes), not just read access.
//     NOTE(review): if public_ip_list yields no addresses and var.mgmt_ip is
//     null, the join produces a single empty string entry — confirm the
//     caller guarantees at least one address.
//   * Statement 2 (added when var.bucket_console_access is true) grants all
//     actions ("*") to any principal presenting a Referer that matches the
//     cloud console URL. The Referer header is chosen by the client and is
//     not an authentication boundary, so this statement should only be
//     enabled for buckets holding disposable test data.
resource "yandex_storage_bucket" "s3_bucket" {
  bucket     = "s3-bucket-${random_string.bucket_suffix.result}"
  access_key = yandex_iam_service_account_static_access_key.s3_bucket_sa_keys.access_key
  secret_key = yandex_iam_service_account_static_access_key.s3_bucket_sa_keys.secret_key
  // The role binding must exist before the static key is usable on the bucket.
  depends_on = [yandex_resourcemanager_folder_iam_member.s3_bucket_sa_roles]
  // Heredoc is a plain (non-indented) <<POLICY, so its content is emitted
  // verbatim as the JSON policy document; the inner heredoc is only
  // rendered when console access is requested.
  policy = !var.bucket_private_access ? null : <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Allow access to bucket only from NAT-instances public IP-address",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::s3-bucket-${random_string.bucket_suffix.result}/*",
"arn:aws:s3:::s3-bucket-${random_string.bucket_suffix.result}"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"${join("\",\"", yandex_vpc_address.public_ip_list.*.external_ipv4_address.0.address)}${var.mgmt_ip != null ? "\",\"${var.mgmt_ip}" : "" }"
]
}
}
}
${var.bucket_console_access ? <<EOT
,
{
"Sid": "Allow access to bucket from UI console",
"Effect": "Allow",
"Principal": "*",
"Action": "*",
"Resource": [
"arn:aws:s3:::s3-bucket-${random_string.bucket_suffix.result}/*",
"arn:aws:s3:::s3-bucket-${random_string.bucket_suffix.result}"
],
"Condition": {
"StringLike": {
"aws:referer": "https://console.yandex.cloud/folders/*/storage/buckets/s3-bucket-${random_string.bucket_suffix.result}*"
}
}
}
EOT
: ""
}
]
}
POLICY
}
// Small text object placed in the test bucket, presumably the file the
// NAT-instance checks download (its content reads as a success marker).
// Uploaded with the same static key as the bucket; that secret key value
// is likewise recorded in Terraform state.
resource "yandex_storage_object" "s3_test_file" {
  key     = "s3_test_file.txt"
  content = "Object Storage test file was successfully downloaded\n"
  bucket  = yandex_storage_bucket.s3_bucket.id

  access_key = yandex_iam_service_account_static_access_key.s3_bucket_sa_keys.access_key
  secret_key = yandex_iam_service_account_static_access_key.s3_bucket_sa_keys.secret_key
}