1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
|
# Header ######################################################################
terraform {
backend "s3" {}
required_providers {
aws = {
source = "hashicorp/aws"
version = "5.76.0"
}
}
}
locals {
name = "${var.prefix_name}-${var.base_name}"
port = 2024
}
provider "aws" {
region = var.region
}
module "storage" {
source = "../storage"
prefix_name = var.prefix_name
base_name = var.base_name
region = var.region
create_antispam_db = var.create_antispam_db
ephemeral = var.ephemeral
}
# Resources ####################################################################
## Virtual private network #####################################################
# This will be used for the containers to communicate between themselves, and
# the S3 bucket.
resource "aws_default_vpc" "default" {
tags = {
Name = "Default VPC"
}
}
## Connect S3 bucket to VPC ####################################################
# This allows the hammer to talk to a non public S3 bucket over HTTP.
resource "aws_vpc_endpoint" "s3" {
vpc_id = aws_default_vpc.default.id
service_name = "com.amazonaws.${var.region}.s3"
}
resource "aws_vpc_endpoint_route_table_association" "private_s3" {
vpc_endpoint_id = aws_vpc_endpoint.s3.id
route_table_id = aws_default_vpc.default.default_route_table_id
}
resource "aws_s3_bucket_policy" "allow_access_from_vpce" {
bucket = module.storage.log_bucket.id
policy = data.aws_iam_policy_document.allow_access_from_vpce.json
}
data "aws_iam_policy_document" "allow_access_from_vpce" {
statement {
principals {
type = "*"
identifiers = ["*"]
}
actions = [
"s3:GetObject",
]
resources = [
"${module.storage.log_bucket.arn}/*",
]
condition {
test = "StringEquals"
variable = "aws:sourceVpce"
values = [aws_vpc_endpoint.s3.id]
}
}
depends_on = [aws_vpc_endpoint.s3]
}
|
