Deploy SQS queue for crates.io to staging
The SQS queue that was configured in rust-lang#377 has been deployed to the new
staging account for crates.io that was created in rust-lang#374. Slight
modifications were necessary to the configuration:

  - The resource and human-readable names of the SQS are now identical.
  - The `sid` for policies matches the naming rules of AWS.
  - The input variable has been changed, since the account number is not
    part of a bucket's ARN and can thus not be extracted from it.

The infrastructure has been deployed with the same version of the
Terraform provider for AWS as the other modules in simpleinfra to ensure
future compatibility.
jdno committed Jan 9, 2024
1 parent bbab800 commit 7065ff6
Showing 5 changed files with 78 additions and 22 deletions.
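--- a/terragrunt/accounts/crates-io-staging/account.json
+++ b/terragrunt/accounts/crates-io-staging/account.json
@@ -0,0 +1,6 @@
+{
+"aws": {
+"profile": "crates-io-staging",
+"region": "us-east-2"
+}
+}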

@@ -0,0 +1,13 @@
terraform {
source = "../../../..//terragrunt/modules/crates-io-logs"
}

include {
path = find_in_parent_folders()
merge_strategy = "deep"
}

inputs = {
bucket_account = 890664054962
bucket_arn = "arn:aws:s3:::rust-staging-crates-io-logs"
}
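Review bot: `bucket_account = 890664054962` is passed as a bare number, and the module declares the matching variable as `type = number` in `_terraform.tf`; AWS account IDs are 12-digit identifiers that may begin with a zero, which a number type would silently drop before the value reaches the `aws:SourceAccount` condition in `main.tf`. Declaring `variable "bucket_account" { type = string }` and passing `bucket_account = "890664054962"` keeps the ID intact and avoids relying on number-to-string coercion in `values = [var.bucket_account]`. The same change applies to the `variable "bucket_account"` block in the `_terraform.tf` section below; this file's header is not visible on the page, so the path is inferred from the `source` line.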
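--- a/terragrunt/modules/crates-io-logs/_terraform.tf
+++ b/terragrunt/modules/crates-io-logs/_terraform.tf
@@ -0,0 +1,20 @@
+terraform {
+required_version = "~> 1"
+
+required_providers {
+aws = {
+source = "hashicorp/aws"
+version = "~> 4.32"
+}
+}
+}
+
+variable "bucket_account" {
+type = number
+description = "Account ID of the S3 bucket which will send events to the SQS queue"
+}
+
+variable "bucket_arn" {
+type = string
+description = "ARN of the S3 bucket which will send events to the SQS queue"
+}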
36 changes: 14 additions & 22 deletions terragrunt/modules/crates-io-logs/main.tf
@@ -1,16 +1,16 @@
resource "aws_sqs_queue" "log_event_queue" {
name = "cdn-log-queue"
resource "aws_sqs_queue" "cdn_log_event_queue" {
name = "cdn-log-event-queue"
receive_wait_time_seconds = 20
}

resource "aws_sqs_queue_policy" "s3_push" {
queue_url = aws_sqs_queue.log_event_queue.id
queue_url = aws_sqs_queue.cdn_log_event_queue.id
policy = data.aws_iam_policy_document.s3_push_to_queue.json
}

data "aws_iam_policy_document" "s3_push_to_queue" {
statement {
sid = "allow-s3-to-push-events"
sid = "AllowS3ToPushEvents"
effect = "Allow"
principals {
type = "Service"
Expand All @@ -19,45 +19,37 @@ data "aws_iam_policy_document" "s3_push_to_queue" {

actions = ["sqs:SendMessage"]

resources = [aws_sqs_queue.log_event_queue.arn]
resources = [aws_sqs_queue.cdn_log_event_queue.arn]
condition {
test = "ArnLike"
variable = "aws:SourceArn"
values = [data.aws_arn.src_bucket.arn]
values = [var.bucket_arn]
}
condition {
test = "StringEquals"
variable = "aws:SourceAccount"
values = [data.aws_arn.src_bucket.account]
values = [var.bucket_account]
}
}
}

data "aws_arn" "src_bucket" {
arn = var.src_log_bucket_arn
}

variable "src_log_bucket_arn" {
type = string
description = "Bucket ARN which will send events to the SQS queue"
}

resource "aws_iam_user" "heroku_access" {
name = "crates-io-heroku-access"
}

resource "aws_iam_access_key" "crates_io" {
user = aws_iam_user.heroku_access
user = aws_iam_user.heroku_access.name
}

resouce "aws_iam_user_policy" "sqs_read" {
name = "heroku-access"
user = aws_iam_user.heroku_access.name
resource "aws_iam_user_policy" "sqs_read" {
name = "heroku-access"
user = aws_iam_user.heroku_access.name
policy = data.aws_iam_policy_document.heroku_access.json
}

data "aws_iam_policy_document" "heroku_access" {
statement {
sid = "allow-sqs"
sid = "AllowAccessToSQS"
effect = "Allow"

actions = [
Expand All @@ -67,6 +59,6 @@ data "aws_iam_policy_document" "heroku_access" {
"sqs:ReceiveMessage",
]

resources = [aws_sqs_queue.log_event_queue.arn]
resources = [aws_sqs_queue.cdn_log_event_queue.arn]
}
}
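Review bot: The `aws_iam_access_key.crates_io` resource, whose `user` reference is corrected here to `aws_iam_user.heroku_access.name`, still has no `pgp_key`, so the long-lived secret for the Heroku user is stored in plaintext in the Terraform state and is readable by anyone with access to the state backend. Setting `pgp_key = "<PLACEHOLDER: keybase handle or base64 public key>"` and handing the operator the `encrypted_secret` output keeps the secret out of the state, and a one-line comment such as `# Static credential: rotate when Heroku access changes; secret lives only in the PGP-encrypted output` would record that intent. The `s3_push_to_queue` policy document begins in the first hunk and its `principals` block is cut by the collapsed region before the second hunk, so the service principal cannot be confirmed from this page; likewise the `heroku_access` actions list continues past the end of the second hunk.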
