From e9ff85959bc50db72ac1da22cba3fef06e3492ef Mon Sep 17 00:00:00 2001
From: Mark Rousskov
Date: Wed, 3 Jan 2024 22:04:57 -0500
Subject: [PATCH 1/2] Initial SQS queue + user policy

---
terragrunt/modules/crates-io-logs/main.tf | 72 +++++++++++++++++++++++
1 file changed, 72 insertions(+)
create mode 100644 terragrunt/modules/crates-io-logs/main.tf

diff --git a/terragrunt/modules/crates-io-logs/main.tf b/terragrunt/modules/crates-io-logs/main.tf
new file mode 100644
index 000000000..b9ee3b98d
--- /dev/null
+++ b/terragrunt/modules/crates-io-logs/main.tf
@@ -0,0 +1,72 @@
+resource "aws_sqs_queue" "log_event_queue" {
+ name = "cdn-log-queue"
+ receive_wait_time_seconds = 20
+}
+
+resource "aws_sqs_queue_policy" "s3_push" {
+ queue_url = aws_sqs_queue.log_event_queue.id
+ policy = data.aws_iam_policy_document.s3_push_to_queue.json
+}
+
+data "aws_iam_policy_document" "s3_push_to_queue" {
+ statement {
+ sid = "allow-s3-to-push-events"
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["s3.amazonaws.com"]
+ }
+
+ actions = ["sqs:SendMessage"]
+
+ resources = [aws_sqs_queue.log_event_queue.arn]
+ condition {
+ test = "ArnLike"
+ variable = "aws:SourceArn"
+ values = [data.aws_arn.src_bucket.arn]
+ }
+ condition {
+ test = "StringEquals"
+ variable = "aws:SourceAccount"
+ values = [data.aws_arn.account]
+ }
+ }
+}
+
+data "aws_arn" "src_bucket" {
+ arn = var.src_log_bucket_arn
+}
+
+variable "src_log_bucket_arn" {
+ type = string
+ description = "Bucket ARN which will send events to the SQS queue"
+}
+
+resource "aws_iam_user" "heroku_access" {
+ name = "crates-io-heroku-access"
+}
+
+resource "aws_iam_access_key" "crates_io" {
+ user = aws_iam_user.heroku_access
+}
+
+resouce "aws_iam_user_policy" "sqs_read" {
+ name = "heroku-access"
+ user = aws_iam_user.heroku_access.name
+}
+
+data "aws_iam_policy_document" "heroku_access" {
+ statement {
+ sid = "allow-sqs"
+ effect = "Allow"
+
+ actions = [
+ "sqs:GetQueueAttributes",
+ "sqs:DeleteMessage",
+ "sqs:DeleteMessageBatch",
+ "sqs:ReceiveMessage",
+ ]
+
+ resources = [aws_sqs_queue.log_event_queue.arn]
+ }
+}

From 09292632bb30624c79adc8a96f7bb85a1436943b Mon Sep 17 00:00:00 2001
From: Mark Rousskov
Date: Mon, 8 Jan 2024 08:29:18 -0500
Subject: [PATCH 2/2] Fix syntax

Co-authored-by: Jan David
---
terragrunt/modules/crates-io-logs/main.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terragrunt/modules/crates-io-logs/main.tf b/terragrunt/modules/crates-io-logs/main.tf
index b9ee3b98d..5360a44e8 100644
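Review bot: `resouce "aws_iam_user_policy" "sqs_read" {` is misspelled (Terraform rejects the unknown block type) and the block carries no `policy` argument, so even once the keyword is corrected `data.aws_iam_policy_document.heroku_access` is never attached to the user and the access key grants nothing. I would change the header to `resource "aws_iam_user_policy" "sqs_read" {` and add `policy = data.aws_iam_policy_document.heroku_access.json` inside it. `aws_iam_access_key.crates_io` also passes the whole resource object as `user`, where the argument expects the user name, i.e. `user = aws_iam_user.heroku_access.name`. Separately, `aws_iam_access_key` writes the generated secret into Terraform state unless `pgp_key` is set, so anyone who can read this module's state can read the credential; worth setting `pgp_key` or documenting how state access is restricted. None of this is touched by the follow-up "Fix syntax" commit.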
--- a/terragrunt/modules/crates-io-logs/main.tf
+++ b/terragrunt/modules/crates-io-logs/main.tf
@@ -28,7 +28,7 @@ data "aws_iam_policy_document" "s3_push_to_queue" {
 condition {
 test = "StringEquals"
 variable = "aws:SourceAccount"
- values = [data.aws_arn.account]
+ values = [data.aws_arn.src_bucket.account]
 }
 }
 }
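Review bot: The corrected reference `data.aws_arn.src_bucket.account` most likely evaluates to an empty string, because S3 bucket ARNs (`arn:aws:s3:::bucket`, which is what `var.src_log_bucket_arn` is described as) carry no account component, so the `aws:SourceAccount` StringEquals condition can never match and S3 will be denied `sqs:SendMessage` despite the `aws:SourceArn` condition above it. The condition still needs an explicit owner account id, e.g. `values = [data.aws_caller_identity.current.account_id]` with a `data "aws_caller_identity" "current" {}` block, or a module variable if the bucket lives in another account. Keep the `aws:SourceAccount` check rather than dropping it, since it is what prevents a bucket of the same name in a foreign account from pushing into this queue. The enclosing `data "aws_iam_policy_document" "s3_push_to_queue"` block starts outside the hunk.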