From 04da950b94ae8defe4be593d40bbd7030f135a95 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=EA=B9=80=EC=9D=BC=EA=B1=B4?= <100272259+k1g99@users.noreply.github.com> Date: Mon, 4 Mar 2024 10:07:59 +0900 Subject: [PATCH] feat(infra): create media bucket (#1536) * chore: rename testcase.tf file * feat: create media s3 bucket * chore: connect media bucket and admin cluster --- .../backend/admin-task-definition.tftpl | 11 ++++ infra/modules/codedang-infra/ecs-api-admin.tf | 3 + infra/modules/codedang-infra/s3-media.tf | 55 +++++++++++++++++++ .../{testcase.tf => s3-testcase.tf} | 0 4 files changed, 69 insertions(+) create mode 100644 infra/modules/codedang-infra/s3-media.tf rename infra/modules/codedang-infra/{testcase.tf => s3-testcase.tf} (100%) diff --git a/infra/modules/codedang-infra/backend/admin-task-definition.tftpl b/infra/modules/codedang-infra/backend/admin-task-definition.tftpl index fede929935..783d23527d 100644 --- a/infra/modules/codedang-infra/backend/admin-task-definition.tftpl +++ b/infra/modules/codedang-infra/backend/admin-task-definition.tftpl @@ -58,6 +58,17 @@ { "name" : "TESTCASE_SECRET_KEY", "value" : "${testcase_secret_key}" + }, + "name" : "MEDIA_BUCKET_NAME", + "value" : "${media_bucket_name}" + }, + { + "name" : "MEDIA_ACCESS_KEY", + "value" : "${media_access_key}" + }, + { + "name" : "MEDIA_SECRET_KEY", + "value" : "${media_secret_key}" } ], "logConfiguration": { diff --git a/infra/modules/codedang-infra/ecs-api-admin.tf b/infra/modules/codedang-infra/ecs-api-admin.tf index d0e1ff4a81..af6180c303 100644 --- a/infra/modules/codedang-infra/ecs-api-admin.tf +++ b/infra/modules/codedang-infra/ecs-api-admin.tf 
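Review bot: The first new environment entry is missing its opening brace: after the added `},` the next added line is `"name" : "MEDIA_BUCKET_NAME",` with no `{` before it, while the two later entries do get one, so the rendered container definition is not valid JSON and the task definition will be rejected. The collapsed layout hides indentation, but the diffstat's 11 added lines match exactly 11 `+` lines in the hunk, so no brace line was lost in the paste; insert `{` between `},` and `"name" : "MEDIA_BUCKET_NAME",`. Separately, `MEDIA_SECRET_KEY` is injected as a plaintext `environment` value, which is readable by anyone with `ecs:DescribeTaskDefinition` and in the console; if static keys must stay, a `secrets` entry with `"valueFrom"` pointing at an SSM SecureString or Secrets Manager secret is the usual replacement. The enclosing `environment` array starts before and the container definition continues after this hunk.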
@@ -113,6 +113,9 @@ resource "aws_ecs_task_definition" "admin_api" {
 testcase_bucket_name = aws_s3_bucket.testcase.id,
 testcase_access_key = aws_iam_access_key.testcase.id,
 testcase_secret_key = aws_iam_access_key.testcase.secret,
+ media_bucket_name = aws_s3_bucket.media.id,
+ media_access_key = aws_iam_access_key.media.id,
+ media_secret_key = aws_iam_access_key.media.secret,
 loki_url = var.loki_url,
 })
 execution_role_arn = aws_iam_role.ecs_task_execution_role.arn
diff --git a/infra/modules/codedang-infra/s3-media.tf b/infra/modules/codedang-infra/s3-media.tf
new file mode 100644
index 0000000000..eabe1c4e36
--- /dev/null
+++ b/infra/modules/codedang-infra/s3-media.tf
@@ -0,0 +1,55 @@
+resource "aws_s3_bucket" "media" {
+ bucket = "codedang-media"
+
+ tags = {
+ Name = "Codedang-Media"
+ }
+}
+
+# public access for objects
+resource "aws_s3_bucket_public_access_block" "block_public_access" {
+ bucket = aws_s3_bucket.media.id
+ block_public_acls = false
+ block_public_policy = false
+ ignore_public_acls = false
+ restrict_public_buckets = false
+}
+
+data "aws_iam_policy_document" "media_permissions" {
+ statement {
+ actions = ["s3:GetObject"]
+ resources = ["${aws_s3_bucket.media.arn}/*"]
+
+ principals {
+ type = "*"
+ identifiers = ["*"]
+ }
+ }
+}
+
+resource "aws_s3_bucket_policy" "media" {
+ bucket = aws_s3_bucket.media.id
+ policy = data.aws_iam_policy_document.media_permissions.json
+}
+
+# user for admin api
+resource "aws_iam_user" "media" {
+ name = "user-codedang-media"
+}
+
+data "aws_iam_policy_document" "media_s3" {
+ statement {
+ actions = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
+ resources = ["${aws_s3_bucket.media.arn}/*"]
+ }
+}
+
+resource "aws_iam_user_policy" "media_s3" {
+ name = "codedang-media-s3"
+ user = aws_iam_user.media.name
+ policy = data.aws_iam_policy_document.media_s3.json
+}
+
+resource "aws_iam_access_key" "media" {
+ user = aws_iam_user.media.name
+}
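Review bot: `media_secret_key = aws_iam_access_key.media.secret` feeds a long-lived IAM user secret straight into the templated task definition, so it ends up in plaintext both in the rendered container environment and in Terraform state. Since this is an ECS task, the least-privilege option is to drop the static key entirely: attach the `media_s3` policy document to the task's IAM task role (this hunk shows only `execution_role_arn`; whether a `task_role_arn` is set is outside the hunk) and let the SDK pick credentials up from the task metadata endpoint, passing only `media_bucket_name` here. If static keys are kept to mirror the existing `testcase_*` pattern, store the secret in SSM SecureString or Secrets Manager and reference it from the container's `secrets` block instead of `environment`. The `admin_api` resource starts before and continues after this hunk.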
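Review bot: `aws_s3_bucket_public_access_block.block_public_access` turns off all four guards, but the public read is granted by the bucket policy, so only `block_public_policy` and `restrict_public_buckets` need to be `false`; keep `block_public_acls = true` and `ignore_public_acls = true` so that a caller holding the `media` user's `s3:PutObject` cannot widen exposure per object via ACLs (if the bucket's ownership setting is BucketOwnerEnforced, ACLs are disabled anyway, but the explicit block costs nothing). `aws_s3_bucket_policy.media` has no dependency on the public access block, only on the bucket, so Terraform may try `PutBucketPolicy` before the block is relaxed and fail with AccessDenied on a fresh bucket; add `depends_on = [aws_s3_bucket_public_access_block.block_public_access]` to the policy resource. Also note that `s3:GetObject` for `principals { type = "*" }` on `${aws_s3_bucket.media.arn}/*` exposes every object in the bucket, so the admin API must never write non-public content here; a comment stating that invariant next to `# public access for objects` would help the next maintainer.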
diff --git a/infra/modules/codedang-infra/testcase.tf b/infra/modules/codedang-infra/s3-testcase.tf similarity index 100% rename from infra/modules/codedang-infra/testcase.tf rename to infra/modules/codedang-infra/s3-testcase.tf