Skip to content

Aws s3 #2418

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jonodrew wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Aws s3 #2418

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
e23b517
Update .gitignore to prevent accidental upload
jonodrew Oct 14, 2025
0e0e484
Create first draft terraform
jonodrew Oct 14, 2025
5ef4aca
Finish terraform
jonodrew Nov 25, 2025
a793492
Add ListAllMyBuckets permission, which is required to ListBucket
jonodrew Dec 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,3 +58,23 @@ vendor/bundle
/yarn-error.log
yarn-debug.log*
.yarn-integrity

# Terraform state files
*.tfstate
*.tfstate.backup

# Terraform variable files (actual, not examples)
*.tfvars
*.auto.tfvars

# .terraform directory
.terraform/

# Sensitive credentials
*.pem
*.key
*.secret
*.env

# Plan files
*.tfplan
25 changes: 25 additions & 0 deletions infra/.terraform.lock.hcl
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

118 changes: 118 additions & 0 deletions infra/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,118 @@
provider "aws" {
region = "eu-north-1"
}

# Create the IAM user who will assume the basic role
resource "aws_iam_user" "basic_user" {
name = "basic-user"
}

# Basic Role - trust the specific IAM user to assume this role
resource "aws_iam_role" "basic_role" {
name = "terraform-basic-role"

assume_role_policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Effect = "Allow",
Principal = {
AWS = aws_iam_user.basic_user.arn # <--- Trust this IAM user
},
Action = "sts:AssumeRole"
}
]
})
}

# Policy allowing the basic role to assume the admin role
resource "aws_iam_policy" "assume_admin_policy" {
name = "AssumeTerraformAdminRole"

policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Effect = "Allow",
Action = "sts:AssumeRole",
Resource = aws_iam_role.admin_role.arn
}
]
})
}

# Attach the assume admin role policy to the basic role
resource "aws_iam_role_policy_attachment" "basic_assume_admin_attach" {
role = aws_iam_role.basic_role.name
policy_arn = aws_iam_policy.assume_admin_policy.arn
}

# Admin role (trusts the basic role)
resource "aws_iam_role" "admin_role" {
name = "terraform-admin-role"

assume_role_policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Effect = "Allow",
Principal = {
AWS = aws_iam_role.basic_role.arn
},
Action = "sts:AssumeRole"
}
]
})
}

resource "aws_iam_role_policy_attachment" "admin_attach" {
role = aws_iam_role.admin_role.name
policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

# 1. S3 Bucket (private by default)
resource "aws_s3_bucket" "auth_bucket" {
bucket = "codebar-planner-auth-bucket"
Copy link
Contributor

@till till Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be nice to create buckets myself, but otherwise I'd like 2 - one prod, one staging.

}

# 2. IAM User for Heroku app
resource "aws_iam_user" "heroku_role" {
name = "heroku-s3-access"
}

# 3. IAM Policy: Read-only access to just this bucket
resource "aws_iam_policy" "read_write_policy" {
name = "HerokuS3ReadWrite"

policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Effect = "Allow",
Action = [
"s3:ListBucket", # List files in bucket
"s3:GetObject", # Read/download files
"s3:PutObject", # Upload files
"s3:DeleteObject", # Optional: allow deleting files
"s3:ListAllMyBuckets" # enable user to list all buckets
Copy link
Contributor

@till till Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be un-scoped - per bucket, you need something like this (this is the json format):

{
   "Version":"2012-10-17",		 	 	 
   "Statement":[
      {
         "Effect":"Allow",
         "Action": "s3:ListAllMyBuckets",
         "Resource":"*"
      },
      {
         "Effect":"Allow",
         "Action":["s3:ListBucket","s3:GetBucketLocation"],
         "Resource":"arn:aws:s3:::bucket-name-etc"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject"
         ],
         "Resource":"arn:aws:s3:::bucket-name-etc/*"
      }
   ]
}

],
Resource = [
aws_s3_bucket.auth_bucket.arn,
"${aws_s3_bucket.auth_bucket.arn}/*"
]
}
]
})
}


# 4. Attach the policy to the user
resource "aws_iam_user_policy_attachment" "attach_policy" {
user = aws_iam_user.heroku_role.name
policy_arn = aws_iam_policy.read_write_policy.arn
}

# 5. Create access keys for the user
resource "aws_iam_access_key" "heroku_user_keys" {
user = aws_iam_user.heroku_role.name
}
10 changes: 10 additions & 0 deletions infra/terraform.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.92"
}
}

required_version = ">= 1.2"
}