# Version constraints for Terraform core and the AWS provider this configuration targets.
terraform {
  # NOTE(review): aws provider 6.x is not expected to support Terraform 0.13 — confirm the
  # provider's minimum core version and raise required_version to match.
  required_version = ">= 0.13"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      # Open-ended lower bound: any future major (7.x, ...) is accepted by `terraform init`
      # without an upgrade review. A pessimistic constraint such as "~> 6.0" keeps major
      # upgrades deliberate; the dependency lock file still records the exact version selected.
      version = ">= 6.0.0"
    }
  }
}
# Common tag set, applied with `tags = local.tags` to the resources below that accept tags.
locals {
  tags = {
    Deployment    = "QMI"
    "Cost Center" = "3100"
    QMI_user      = var.user_id
    Owner         = var.user_id
    ProvID        = var.provision_id
    Name          = "qmi-${var.provision_id}"
    # Tag values are strings; if var.forced_destroy is a bool (declared elsewhere — verify),
    # it is rendered here as "true"/"false".
    forced_destroy = var.forced_destroy
  }
}
# Dedicated IAM user for this deployment; it receives the bucket-scoped inline
# policy aws_iam_user_policy.lb_ro below.
resource "aws_iam_user" "lb" {
  tags = local.tags
  name = "qmi-user-${var.provision_id}"

  # Lets `terraform destroy` remove the user even when it still has access keys,
  # a login profile or MFA devices that Terraform does not manage.
  force_destroy = true
}
# Long-lived access key for aws_iam_user.lb. No pgp_key is set, so the generated secret
# is written to Terraform state in plain text; treat the state backend as holding a
# credential (restrict and audit access to it) and rotate the key if state is exposed.
resource "aws_iam_access_key" "lb" {
  user = aws_iam_user.lb.name
}
# Deployment bucket. The caller may supply a name; otherwise one is derived from the
# provision id.
# NOTE(review): no public-access block, versioning or server-side encryption settings for
# this bucket are visible in this chunk — confirm they are declared elsewhere.
resource "aws_s3_bucket" "s3_bucket" {
  bucket = var.bucket_name != null ? var.bucket_name : "qmi-bucket-${var.provision_id}"

  # Deletes every object (and object version) before removing the bucket on destroy,
  # so all data stored here is lost together with the stack.
  force_destroy = true

  tags = local.tags
}
# Inline policy scoping aws_iam_user.lb to the deployment bucket.
# NOTE(review): despite the "_ro"/"s3only" naming, the second statement grants s3:* on the
# bucket, which includes write, delete and bucket-configuration actions (e.g. changing the
# bucket policy or ACL); narrow the action list to what the consumer actually needs.
resource "aws_iam_user_policy" "lb_ro" {
  user = aws_iam_user.lb.name
  name = "s3only_policy_${aws_iam_user.lb.name}"

  # jsonencode renders this HCL object as the JSON policy document.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Account-wide bucket enumeration/location lookup; no object access.
        Effect   = "Allow"
        Action   = ["s3:GetBucketLocation", "s3:ListAllMyBuckets"]
        Resource = "arn:aws:s3:::*"
      },
      {
        # Full control over the deployment bucket and every object in it.
        Effect   = "Allow"
        Action   = "s3:*"
        Resource = [
          aws_s3_bucket.s3_bucket.arn,
          "${aws_s3_bucket.s3_bucket.arn}/*",
        ]
      },
    ]
  })
}
# Role named for the Snowflake integration; intended (inferred from the name) to be
# assumed from the Snowflake-side accounts to reach the deployment bucket.
resource "aws_iam_role" "qmi_snowflake" {
  name = "qmi_snowflake_${var.provision_id}"
  tags = local.tags

  # Trust policy; jsonencode renders the HCL object as the JSON document.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # A single named IAM user in account 494544507972, trusted without conditions.
        Effect    = "Allow"
        Action    = "sts:AssumeRole"
        Principal = { AWS = "arn:aws:iam::494544507972:user/n2y3-s-ssca0544" }
      },
      {
        # Account-level trust: any principal in these two accounts that is itself allowed
        # to call sts:AssumeRole can assume this role, as long as it presents the external id.
        # NOTE(review): the external id is a fixed literal that reads like a placeholder; a
        # Snowflake storage integration normally reports its own per-integration external id
        # and IAM user ARN — confirm this value is the reported one and that account-wide
        # trust (rather than that user ARN) is intended.
        Effect    = "Allow"
        Action    = "sts:AssumeRole"
        Principal = { AWS = ["338144066592", "494544507972"] }
        Condition = {
          StringEquals = { "sts:ExternalId" = "iceberg_table_external_id" }
        }
      },
    ]
  })
}
# Permissions attached to aws_iam_role.qmi_snowflake.
# NOTE(review): s3:* on the bucket covers delete and bucket-configuration actions, and the
# role is assumable account-wide from two accounts (see its trust policy); if the consumer
# only reads and writes objects, restrict the second statement to those object actions.
resource "aws_iam_role_policy" "qmi_snowflake_policy" {
  role = aws_iam_role.qmi_snowflake.id
  name = "qmi-bucket-${var.provision_id}_policy"

  # jsonencode renders this HCL object as the JSON policy document.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Account-wide bucket enumeration/location lookup; no object access.
        Effect   = "Allow"
        Action   = ["s3:GetBucketLocation", "s3:ListAllMyBuckets"]
        Resource = "arn:aws:s3:::*"
      },
      {
        # Full control over the deployment bucket and every object in it.
        Effect   = "Allow"
        Action   = "s3:*"
        Resource = [
          aws_s3_bucket.s3_bucket.arn,
          "${aws_s3_bucket.s3_bucket.arn}/*",
        ]
      },
    ]
  })
}
# Optional role for the Qlik-side connector; only created when a tenant id is supplied.
resource "aws_iam_role" "qlik_s3" {
  count = var.tenant_id != null ? 1 : 0
  name  = "qlik_s3_${var.tenant_id}"
  tags  = local.tags

  # Trust policy; jsonencode renders the HCL object as the JSON document.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Account-level trust of 338144066592, gated by a tenant-derived external id.
        # NOTE(review): the external id is computed from var.tenant_id; if tenant ids are
        # predictable or known to other parties it adds little confused-deputy protection —
        # confirm it matches the value Qlik assigns to this connection.
        Effect    = "Allow"
        Action    = "sts:AssumeRole"
        Principal = { AWS = "338144066592" }
        Condition = {
          StringEquals = { "sts:ExternalId" = "qlik_connection_${var.tenant_id}" }
        }
      },
    ]
  })
}
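# Read-only bucket access for aws_iam_role.qlik_s3; created together with that role.
resource "aws_iam_role_policy" "aws_s3_bucket_policy" {
  count = var.tenant_id != null ? 1 : 0
  # Same name as aws_iam_role_policy.qmi_snowflake_policy; inline policy names only need
  # to be unique per role, so the two do not conflict.
  name = "qmi-bucket-${var.provision_id}_policy"
  role = aws_iam_role.qlik_s3[0].id

  # jsonencode renders this HCL object as the JSON policy document.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = ""
        Effect = "Allow"
        # Object reads plus bucket listing; no write, delete or bucket-configuration actions.
        Action = ["s3:GetObject", "s3:ListBucket"]
        # Use the bucket's ARN attribute, as the other policies in this file do, instead of
        # hand-building "arn:aws:s3:::<id>": the rendered value is identical in the standard
        # partition and stays correct in the others (aws-cn, aws-us-gov).
        Resource = [
          aws_s3_bucket.s3_bucket.arn,
          "${aws_s3_bucket.s3_bucket.arn}/*",
        ]
      },
    ]
  })
}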