diff --git a/infra/modules/codedang-infra/backend/admin-task-definition.tftpl b/infra/modules/codedang-infra/backend/admin-task-definition.tftpl
index fede929935..783d23527d 100644
--- a/infra/modules/codedang-infra/backend/admin-task-definition.tftpl
+++ b/infra/modules/codedang-infra/backend/admin-task-definition.tftpl
@@ -58,6 +58,17 @@
 {
 "name" : "TESTCASE_SECRET_KEY",
 "value" : "${testcase_secret_key}"
+ },
+ "name" : "MEDIA_BUCKET_NAME",
+ "value" : "${media_bucket_name}"
+ },
+ {
+ "name" : "MEDIA_ACCESS_KEY",
+ "value" : "${media_access_key}"
+ },
+ {
+ "name" : "MEDIA_SECRET_KEY",
+ "value" : "${media_secret_key}"
 }
 ],
 "logConfiguration": {
diff --git a/infra/modules/codedang-infra/ecs-api-admin.tf b/infra/modules/codedang-infra/ecs-api-admin.tf
index d0e1ff4a81..af6180c303 100644
--- a/infra/modules/codedang-infra/ecs-api-admin.tf
+++ b/infra/modules/codedang-infra/ecs-api-admin.tf
@@ -113,6 +113,9 @@ resource "aws_ecs_task_definition" "admin_api" {
 testcase_bucket_name = aws_s3_bucket.testcase.id,
 testcase_access_key = aws_iam_access_key.testcase.id,
 testcase_secret_key = aws_iam_access_key.testcase.secret,
+ media_bucket_name = aws_s3_bucket.media.id,
+ media_access_key = aws_iam_access_key.media.id,
+ media_secret_key = aws_iam_access_key.media.secret,
 loki_url = var.loki_url,
 })
 execution_role_arn = aws_iam_role.ecs_task_execution_role.arn
diff --git a/infra/modules/codedang-infra/s3-media.tf b/infra/modules/codedang-infra/s3-media.tf
new file mode 100644
index 0000000000..eabe1c4e36
--- /dev/null
+++ b/infra/modules/codedang-infra/s3-media.tf
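Review bot: The `MEDIA_BUCKET_NAME` entry is missing its opening brace: after the added `},` the next added line is `"name" : "MEDIA_BUCKET_NAME",` with no `{` before it, which leaves the `environment` array invalid JSON and will fail when the task definition is registered. The hunk header (`+58,17`: six context lines plus eleven additions) is consistent with the brace being absent in the file rather than lost in rendering, though that is worth confirming against the source. Insert a `{` line between the `},` and `"name" : "MEDIA_BUCKET_NAME",`, matching the shape of the two entries that follow it.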
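Review bot: `media_secret_key = aws_iam_access_key.media.secret` feeds a long-lived IAM secret into the task definition as a plaintext environment variable, where it is readable by anyone with `ecs:DescribeTaskDefinition` and is also persisted in Terraform state. This mirrors the existing `testcase_*` lines, so the pattern is pre-existing, but since the admin API already runs as an ECS task, attaching an IAM role via `task_role_arn` with the same S3 permissions would remove the static key entirely. If the key must stay, moving it to the container's `secrets` block (backed by SSM Parameter Store or Secrets Manager) keeps it out of the rendered template. The `aws_ecs_task_definition` block starts and ends outside the hunk.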
@@ -0,0 +1,55 @@
+resource "aws_s3_bucket" "media" {
+ bucket = "codedang-media"
+
+ tags = {
+ Name = "Codedang-Media"
+ }
+}
+
+# public access for objects
+resource "aws_s3_bucket_public_access_block" "block_public_access" {
+ bucket = aws_s3_bucket.media.id
+ block_public_acls = false
+ block_public_policy = false
+ ignore_public_acls = false
+ restrict_public_buckets = false
+}
+
+data "aws_iam_policy_document" "media_permissions" {
+ statement {
+ actions = ["s3:GetObject"]
+ resources = ["${aws_s3_bucket.media.arn}/*"]
+
+ principals {
+ type = "*"
+ identifiers = ["*"]
+ }
+ }
+}
+
+resource "aws_s3_bucket_policy" "media" {
+ bucket = aws_s3_bucket.media.id
+ policy = data.aws_iam_policy_document.media_permissions.json
+}
+
+# user for admin api
+resource "aws_iam_user" "media" {
+ name = "user-codedang-media"
+}
+
+data "aws_iam_policy_document" "media_s3" {
+ statement {
+ actions = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
+ resources = ["${aws_s3_bucket.media.arn}/*"]
+ }
+}
+
+resource "aws_iam_user_policy" "media_s3" {
+ name = "codedang-media-s3"
+ user = aws_iam_user.media.name
+ policy = data.aws_iam_policy_document.media_s3.json
+}
+
+resource "aws_iam_access_key" "media" {
+ user = aws_iam_user.media.name
+}
diff --git a/infra/modules/codedang-infra/testcase.tf b/infra/modules/codedang-infra/s3-testcase.tf
similarity index 100%
rename from infra/modules/codedang-infra/testcase.tf
rename to infra/modules/codedang-infra/s3-testcase.tf
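Review bot: `aws_s3_bucket_policy.media` has no ordering relationship with `aws_s3_bucket_public_access_block.block_public_access` (its only implicit dependency is the bucket itself), so on a fresh apply Terraform may attempt to attach the anonymous `s3:GetObject` policy while the bucket's default public-access block is still in force, which S3 rejects; add `depends_on = [aws_s3_bucket_public_access_block.block_public_access]` to the policy resource. The resource name `block_public_access` also reads as the opposite of what it configures — all four settings are `false` and the policy grants `principals { type = "*" }` read on every object — and the comment `# public access for objects` does not say this is deliberate; renaming it to something like `media_public_access` and expanding the comment to `# Media objects are intentionally world-readable: the access block is disabled so the anonymous GetObject policy below can take effect` would make the exposure auditable. Whether `s3-testcase.tf` already declares a public-access-block resource under the same generic name cannot be seen here, but if it does the duplicate would be rejected at plan time.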