fix(s3-blobstore): add code to create user,role and bucket

stevie- · stevie- · commit 004867220fe1 · 2020-05-28T16:26:30.000+02:00
Signed-off-by: Steffen Tautenhahn &lt;607018+stevie-@users.noreply.github.com&gt;
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -9,5 +9,6 @@
   },
   "go.buildFlags": [
     "-v"
-  ]
+  ],
+  "go.inferGopath": false
 }
diff --git a/examples/blobstore-s3/README.md b/examples/blobstore-s3/README.md
@@ -1,10 +1,17 @@
-#
+# Nexus with AWS s3 blobstore
 
+To use the AWS credential from the terraform code example below you need to do the following:
+
+- login with iam user credentials
+- assume role "terraform-provider-nexus-s3"
+- access s3 bucket "terraform-provider-nexus-example.datadrivers.de"
 
 ## Terraform
 
+Here you can find terraform example code to create iam user, iam role and s3-bucket to be used with nexus.
+
 ```bash
 cd terraform
 terraform init
-terraform plan -var-file=./example.tfvars
-terraform apply -var-file=./example.tfvars
+terraform plan -var-file=./example.tfvars -out example.tfplan
+terraform apply example.tfvars
diff --git a/examples/blobstore-s3/terraform/.gitignore b/examples/blobstore-s3/terraform/.gitignore
@@ -0,0 +1 @@
+*.tfplan
diff --git a/examples/blobstore-s3/terraform/.terraform-version b/examples/blobstore-s3/terraform/.terraform-version
@@ -1 +1 @@
-0.12.23
+0.12.26
diff --git a/examples/blobstore-s3/terraform/example.tfvars b/examples/blobstore-s3/terraform/example.tfvars
@@ -1,49 +1,32 @@
-bucket_name     = "terrafor-provider-nexus--example"
-iam_name_prefix = "terrafor-provider-nexus"
+// general
+tags = {
+  provisioning = "terraform"
+  use-case     = "terraform-provider-nexus"
+  github       = "https://github.com/datadrivers/terraform-provider-nexus"
+  owner        = "datadrivers"
+}
 
-acl = "private"
+// iam settings
+iam_user_name_prefix = "terraform-provider-nexus--github-action"
+iam_role_name        = "terraform-provider-nexus-s3"
 
+// s3 settings
+bucket_name   = "terraform-provider-nexus-example.datadrivers.de"
+acl           = "private"
 force_destroy = true
-
 versioning = {
   enabled = false
 }
-
-lifecycle_rule = [
-  {
-    id      = "save-costs"
-    enabled = true
-
-    abort_incomplete_multipart_upload_days = 7
-
-    transition = [
-      {
-        days          = 30
-        storage_class = "STANDARD_IA" # (requires >=30 days)
-      },
-    ]
-  },
-]
-
+lifecycle_rule = [] # disable lifecycle rules since it will conflict with nexus lifecycle policys
 server_side_encryption_configuration = {
   rule = {
     apply_server_side_encryption_by_default = {
       sse_algorithm = "AES256"
     }
   }
 }
-
-tags = {
-  provisioning = "terraform"
-  use-case     = "terrafor-provider-nexus"
-  owner        = "datadrivers"
-}
-
 // S3 bucket-level Public Access Block configuration
-block_public_acls = true
-
-block_public_policy = true
-
-ignore_public_acls = true
-
+block_public_acls       = true
+block_public_policy     = true
+ignore_public_acls      = true
 restrict_public_buckets = true
diff --git a/examples/blobstore-s3/terraform/main.tf b/examples/blobstore-s3/terraform/main.tf
@@ -1,11 +1,32 @@
+// iam user
 resource "aws_iam_user" "login_for_external_user" {
-  name = var.iam_name_prefix
-  tags = var.tags
+  count = var.iam_user_name_prefix != null ? 1 : 0
+  name  = var.iam_user_name_prefix
+  tags  = var.tags
 }
 
+resource "aws_iam_user_policy" "assume_nexus_role" {
+  count = var.iam_user_name_prefix != null ? 1 : 0
+  name  = "assume_role_nexus"
+  user  = aws_iam_user.login_for_external_user.0.name
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Effect": "Allow",
+      "Resource": "${aws_iam_role.access_s3_bucket_nexus.arn}"
+    }
+  ]
+}
+EOF
+}
 
+// iam role
 resource "aws_iam_role" "access_s3_bucket_nexus" {
-  name_prefix = var.iam_name_prefix
+  name = var.iam_role_name
 
   assume_role_policy = <<EOF
 {
@@ -14,18 +35,9 @@ resource "aws_iam_role" "access_s3_bucket_nexus" {
     {
       "Action": "sts:AssumeRole",
       "Principal": {
-        "AWS": "${aws_iam_user.login_for_external_user.arn}"
+        "AWS": ${jsonencode(aws_iam_user.login_for_external_user.*.arn)}
       },
-      "Effect": "Allow",
-      "Sid": "iam_user"
-    },
-        {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "ec2.amazonaws.com"
-      },
-      "Effect": "Allow",
-      "Sid": "ec2_instance"
+      "Effect": "Allow"
     }
   ]
 }
@@ -60,8 +72,8 @@ data "aws_iam_policy_document" "bucket_policy" {
 }
 
 resource "aws_iam_policy" "policy_s3_bucket" {
-  name_prefix = var.iam_name_prefix
-  description = "A test policy"
+  name_prefix = var.iam_role_name
+  description = "Nexus Access to S3 bucket"
 
   policy = data.aws_iam_policy_document.bucket_policy.json
 }
@@ -71,6 +83,7 @@ resource "aws_iam_role_policy_attachment" "attach-s3-policy" {
   policy_arn = aws_iam_policy.policy_s3_bucket.arn
 }
 
+// s3 bucket
 module "s3_bucket" {
   source = "terraform-aws-modules/s3-bucket/aws"
 
diff --git a/examples/blobstore-s3/terraform/variables.tf b/examples/blobstore-s3/terraform/variables.tf
@@ -1,5 +1,11 @@
-variable "iam_name_prefix" {
-  description = "The name prefix of the iam resoruces to access the bucket. If omitted, Terraform will assign a random, unique name."
+variable "iam_user_name_prefix" {
+  description = "The name prefix of the iam user resoruces to access the bucket. If omitted, Terraform will skip user creation"
+  type        = string
+  default     = null
+}
+
+variable "iam_role_name" {
+  description = "The name of the iam role to access the bucket. If omitted, Terraform will assign a random, unique name."
   type        = string
   default     = null
 }

Original file line number	Diff line number	Diff line change
`@@ -9,5 +9,6 @@`
`9`	`9`	`},`
`10`	`10`	`"go.buildFlags": [`
`11`	`11`	`"-v"`
`12`		`- ]`
	`12`	`+ ],`
	`13`	`+ "go.inferGopath": false`
`13`	`14`	`}`