# Identity of the credentials running this configuration. Only account_id is
# consumed here, to build the vault ARN in the policy document below.
data "aws_caller_identity" "current" {
}
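# Least-privilege policy for the IAM user the QNAP appliance uses for Glacier.
#
# Two statements, each carrying a Sid so it can be referenced in CloudTrail,
# the IAM policy simulator and access-analyzer findings:
#   1. account-level read/list calls that cannot be tied to a single vault;
#   2. archive-management calls restricted to exactly one vault ARN, built from
#      var.region, the caller's account ID and var.qnap_vault_name.
# Actions that are deliberately NOT granted are left in as commented-out lines
# so the exclusion is visible to the next reviewer rather than silently absent.
data "aws_iam_policy_document" "qnap_glacier_iam_user_policy_document" {
  # Account-level Glacier API permissions.
  # The wildcard resource is kept because these calls are not addressed to a
  # named vault. Only Get/List actions belong in this statement so that the
  # wildcard never covers a mutating call.
  statement {
    sid    = "GlacierAccountReadOnly"
    effect = "Allow"
    actions = [
      "glacier:GetDataRetrievalPolicy",
      # "glacier:InitiateVaultLock", # Not required for archive management
      # "glacier:AbortVaultLock", # Not required for archive management
      # "glacier:CompleteVaultLock", # Not required for archive management
      "glacier:ListVaults",
    ]
    resources = ["*"]
  }

  # Vault-specific Glacier API permissions, scoped to the single QNAP vault.
  # NOTE(review): glacier:DeleteArchive means a compromised appliance or a
  # leaked access key can destroy the backups this vault exists to protect.
  # If the archive is meant to be immutable, remove DeleteArchive here and/or
  # apply a vault lock from a separately privileged identity (the vault-lock
  # actions are intentionally not granted to this user).
  statement {
    sid    = "GlacierVaultArchiveManagement"
    effect = "Allow"
    actions = [
      "glacier:AbortMultipartUpload",
      # "glacier:AddTagsToVault", # Not required for archive management
      "glacier:CompleteMultipartUpload",
      "glacier:CreateVault", # Annoyingly, required by QNAP implementation
      "glacier:DeleteArchive",
      # "glacier:DeleteVault", # Not required for archive management
      # "glacier:DeleteVaultAccessPolicy", # Not required for archive management
      # "glacier:DeleteVaultNotifications", # Not required for archive management
      "glacier:DescribeJob",
      "glacier:DescribeVault",
      "glacier:GetJobOutput",
      "glacier:GetVaultAccessPolicy",
      "glacier:GetVaultLock",
      "glacier:GetVaultNotifications",
      "glacier:InitiateJob",
      "glacier:InitiateMultipartUpload",
      "glacier:ListJobs",
      "glacier:ListMultipartUploads",
      "glacier:ListParts",
      "glacier:ListTagsForVault",
      # "glacier:RemoveTagsFromVault", # Not required for archive management
      # "glacier:SetDataRetrievalPolicy", # Not required for archive management
      # "glacier:SetVaultAccessPolicy", # Not required for archive management
      # "glacier:SetVaultNotifications", # Not required for archive management
      "glacier:UploadArchive",
      "glacier:UploadMultipartPart",
    ]
    # Exactly one vault; CreateVault is constrained to this same ARN, so the
    # user cannot create vaults under any other name.
    resources = [
      "arn:aws:glacier:${var.region}:${data.aws_caller_identity.current.account_id}:vaults/${var.qnap_vault_name}",
    ]
  }
}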
# Managed policy wrapping the document above. The name is suffixed with the
# vault name so one policy per vault can coexist under the /automation/ path.
resource "aws_iam_policy" "qnap_glacier_iam_user_policy" {
  name        = "QNAPGlacierIAMUserPolicy-${var.qnap_vault_name}"
  path        = "/automation/"
  description = "Policy for QNAP Glacier User"

  policy = "${data.aws_iam_policy_document.qnap_glacier_iam_user_policy_document.json}"
}
# Dedicated IAM user for the QNAP appliance. It carries no inline or console
# permissions of its own; everything it may do comes from the attached
# managed policy. The name defaults to "<vault name>-user" unless
# var.qnap_glacier_user_name is set.
resource "aws_iam_user" "qnap_glacier_iam_user" {
  path = "/automation/"
  name = "${var.qnap_glacier_user_name != "" ? var.qnap_glacier_user_name : "${var.qnap_vault_name}-user"}"
}
# Long-lived access key for the appliance. Nothing in this configuration
# rotates it; rotation means replacing this resource.
# NOTE(review): the secret access key is stored in Terraform state in the
# clear. Keep the state in an encrypted, access-restricted backend, and
# consider the resource's pgp_key argument so that only the encrypted secret
# is persisted.
resource "aws_iam_access_key" "qnap_glacier_iam_user_access_key" {
  user = "${aws_iam_user.qnap_glacier_iam_user.name}"
}
# Binds the managed Glacier policy to the QNAP user. Using a managed-policy
# attachment (rather than an inline policy) keeps the permissions reviewable
# and reusable as a single IAM object.
resource "aws_iam_user_policy_attachment" "qnap_glacier_iam_user_policy_attachment" {
  policy_arn = "${aws_iam_policy.qnap_glacier_iam_user_policy.arn}"
  user       = "${aws_iam_user.qnap_glacier_iam_user.name}"
}