# Header ######################################################################
terraform {
  # Provider pin: the aws provider is locked to one exact release so that
  # `terraform init` cannot silently resolve a newer, possibly breaking, version.
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.76.0"
    }
  }

  # Remote state in S3. The block is intentionally empty (partial configuration):
  # bucket, key and region are supplied at `terraform init` time rather than
  # committed here.
  backend "s3" {}
}
locals {
  # Service port. Not referenced in this file; presumably consumed by a sibling
  # .tf file of the same module.
  port = 2024

  # Naming stem "<prefix>-<base>" shared by resources of this stack.
  name = format("%s-%s", var.prefix_name, var.base_name)
}
provider "aws" {
  # The target region is an input, so the same configuration can be applied
  # to several regions. Credentials come from the ambient environment/profile.
  region = var.region
}
module "storage" {
  source = "../storage"

  # Placement and naming (passed straight through from this module's inputs).
  region      = var.region
  prefix_name = var.prefix_name
  base_name   = var.base_name

  # Feature toggles.
  ephemeral          = var.ephemeral
  create_antispam_db = var.create_antispam_db
}
# Resources ####################################################################
## Virtual private network #####################################################
# The default VPC is used so the containers can talk to each other and to
# the S3 bucket.
# Adopts the account's existing default VPC into state rather than creating a
# dedicated one. Reviewer note: the default VPC's subnets are public (they route
# to an internet gateway), so workloads placed here rely entirely on their
# security groups for network isolation.
resource "aws_default_vpc" "default" {
  tags = { Name = "Default VPC" }
}
## Connect S3 bucket to VPC ####################################################
# This allows the hammer to talk to a non-public S3 bucket over HTTP without
# leaving the VPC.
resource "aws_vpc_endpoint" "s3" {
  # Regional S3 service endpoint inside the default VPC.
  service_name = "com.amazonaws.${var.region}.s3"
  vpc_id       = aws_default_vpc.default.id

  # No endpoint type is given, so the provider default (a gateway endpoint)
  # applies, and no endpoint policy is attached: the only access control in
  # play is the bucket policy, which keys on this endpoint's id.
}
# Routes S3 traffic from the default VPC's main route table through the
# endpoint, so requests to the bucket stay on the AWS network.
resource "aws_vpc_endpoint_route_table_association" "private_s3" {
  route_table_id  = aws_default_vpc.default.default_route_table_id
  vpc_endpoint_id = aws_vpc_endpoint.s3.id
}
# Attaches the VPC-endpoint-scoped read policy to the log bucket created by
# the storage module. This replaces any bucket policy already on the bucket.
resource "aws_s3_bucket_policy" "allow_access_from_vpce" {
  policy = data.aws_iam_policy_document.allow_access_from_vpce.json
  bucket = module.storage.log_bucket.id
}
# Read-only grant on the log bucket, reachable only through the S3 VPC endpoint.
# The statement has no explicit effect, so it is an Allow.
data "aws_iam_policy_document" "allow_access_from_vpce" {
statement {
# Wildcard principal: every identity, including unauthenticated requests, is
# matched. The only thing narrowing this grant is the aws:sourceVpce condition
# below, i.e. "anyone whose request arrives via our endpoint". Any instance or
# container in the default VPC therefore gets anonymous read access to the logs;
# tightening the principal (or adding an endpoint policy) would limit that.
principals {
type = "*"
identifiers = ["*"]
}
# Object reads only; no ListBucket, so keys must be known to the caller.
actions = [
"s3:GetObject",
]
# Objects in the bucket, not the bucket itself.
resources = [
"${module.storage.log_bucket.arn}/*",
]
# Requests that do not traverse this exact VPC endpoint are not matched, which
# keeps the grant off the public internet.
condition {
test = "StringEquals"
variable = "aws:sourceVpce"
values = [aws_vpc_endpoint.s3.id]
}
}
# The reference to aws_vpc_endpoint.s3.id above already orders this after the
# endpoint; the explicit depends_on additionally defers reading the document to
# apply time.
depends_on = [aws_vpc_endpoint.s3]
}