artifacts.tf
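# Artifact bucket shared by the GitHub Actions uploader (user "gha" via the
# upload group below) and the EC2 download role.
# prevent_destroy guards the stored artifacts against an accidental
# `terraform destroy` / replacement of the bucket.
resource "aws_s3_bucket" "aws-experiments" {
  bucket = "aws-experiments"

  lifecycle {
    prevent_destroy = true
  }
}

# Every principal that needs this bucket is an IAM identity in this account,
# so nothing here should be reachable through a public ACL or a public bucket
# policy. Blocking public access at the bucket level makes that explicit and
# stops a later misconfiguration (a permissive ACL or bucket policy) from
# exposing the artifacts.
# NOTE(review): no public serving of objects is visible in this file; if some
# artifact is meant to be public, relax the specific flag deliberately rather
# than removing this resource.
resource "aws_s3_bucket_public_access_block" "aws-experiments" {
  bucket = aws_s3_bucket.aws-experiments.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}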
# Object versioning for the artifact bucket.
# Versioning is explicitly suspended, so an upload that overwrites an existing
# key (the upload group is granted s3:PutObject on artifacts/*) replaces the
# previous object with no way to recover it.
# NOTE(review): presumably a cost/simplicity choice — confirm. If artifacts must
# be recoverable after an overwrite, set status = "Enabled" and pair it with a
# lifecycle rule that expires old versions.
resource "aws_s3_bucket_versioning" "aws-experiments" {
bucket = aws_s3_bucket.aws-experiments.id
versioning_configuration {
status = "Suspended"
}
}
# IAM user whose credentials the GitHub Actions workflow uses to upload
# artifacts. Its permissions come only from the upload group membership below.
# NOTE(review): an IAM user implies long-lived access keys stored as CI
# secrets; if the workflow can use GitHub's OIDC provider to assume a role
# instead, no static key needs to exist or be rotated — confirm whether that
# is an option for this repository.
resource "aws_iam_user" "gha" {
name = "gha"
}
# Group that carries the upload permissions; members are attached below and the
# policy is attached as a group policy so users never hold inline permissions.
resource "aws_iam_group" "aws-experiments-upload" {
name = "aws-experiments-upload"
}
# Puts the "gha" CI user into the upload group. The S3 permissions live on the
# group (see aws_iam_group_policy below), not on the user, so replacing or
# rotating the user does not touch the policy.
resource "aws_iam_group_membership" "aws-experiments-upload" {
  name  = "aws-experiments-upload"
  group = aws_iam_group.aws-experiments-upload.name
  users = [aws_iam_user.gha.name]
}
# Allow upload from https://github.com/jg210/spring-experiments
# Permissions for the CI uploader. Object access is confined to the artifacts/
# prefix; s3:ListBucket is a bucket-level action and so has to be granted on the
# bucket ARN itself.
# NOTE(review): s3:GetObject is granted next to PutObject although this is the
# "upload" policy, and ListBucket carries no s3:prefix condition, so the CI
# credentials can enumerate every key in the bucket and read anything under
# artifacts/. Confirm the uploader needs both; otherwise drop GetObject and
# add a prefix condition to the ListBucket statement.
data "aws_iam_policy_document" "aws-experiments-upload" {
  # Object-level read/write inside the artifact prefix only.
  statement {
    effect    = "Allow"
    actions   = ["s3:PutObject", "s3:GetObject"]
    resources = ["${aws_s3_bucket.aws-experiments.arn}/artifacts/*"]
  }

  # Bucket-level listing.
  statement {
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.aws-experiments.arn]
  }
}
# Attaches the upload policy document to the upload group as an inline group
# policy, so every member (currently only "gha") receives it.
resource "aws_iam_group_policy" "aws-experiments-upload" {
  name   = "aws-experiments-upload"
  group  = aws_iam_group.aws-experiments-upload.id
  policy = data.aws_iam_policy_document.aws-experiments-upload.json
}
# Trust policy for the download role: only the EC2 service may assume it, i.e.
# the role is usable through an instance profile and not by IAM users directly.
# NOTE(review): any instance in this account launched with the matching
# instance profile gets the role; whoever launches instances must therefore be
# trusted with the artifact read access it grants (iam:PassRole on this role
# controls that) — confirm that matches the intended boundary.
data "aws_iam_policy_document" "server_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}
# Role assumed by EC2 instances that need to fetch artifacts; its trust policy
# is the server_role document above and its permissions are attached below.
resource "aws_iam_role" "aws_experiments_download" {
  assume_role_policy = data.aws_iam_policy_document.server_role.json
  name               = "aws_experiments_download"
}
# Instance profile wrapping the download role so it can be attached to EC2
# instances at launch.
resource "aws_iam_instance_profile" "aws_experiments_download" {
  role = aws_iam_role.aws_experiments_download.name
  name = "aws_experiments_download"
}
# Allow download by https://github.com/jg210/aws-experiments/blob/master/resources/bin/provision when running packer.
# Read-only, and only for keys under artifacts/: the instance can neither list
# the bucket nor touch objects outside that prefix, which keeps the download
# side strictly narrower than the upload side.
data "aws_iam_policy_document" "aws_experiments_download" {
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.aws-experiments.arn}/artifacts/*"]
  }
}
# Managed policy built from the download policy document; managed (rather than
# inline) so it can be attached to the role via aws_iam_role_policy_attachment.
resource "aws_iam_policy" "aws_experiments_download" {
  policy = data.aws_iam_policy_document.aws_experiments_download.json
  name   = "aws_experiments_download"
}
# Grants the download role the read-only artifact policy.
resource "aws_iam_role_policy_attachment" "aws_experiments_download" {
  policy_arn = aws_iam_policy.aws_experiments_download.arn
  role       = aws_iam_role.aws_experiments_download.id
}