Move S3 IAM policy creation to S3 module and create output for policy ARN usage outside module

Author: burmek

main.tf

@@ -53,14 +53,14 @@ module "vpc" {
 module "comet_ec2" {
   source = "./modules/comet_ec2"
   count  = var.enable_ec2 ? 1 : 0
-
-  s3_enabled = var.enable_s3
 
   vpc_id = module.vpc.vpc_id
   comet_ec2_ami = "ami-05842f1afbf311a43"
   comet_ec2_subnet = module.vpc.public_subnets[count.index % length(module.vpc.public_subnets)]
 
+  s3_enabled = var.enable_s3
   comet_ml_s3_bucket  = var.s3_bucket_name
+  comet_ec2_s3_iam_policy = module.comet_s3[0].comet_s3_iam_policy_arn
 }
 
 module "comet_eks" {
@@ -109,5 +109,5 @@ module "comet_s3" {
   source = "./modules/comet_s3"
   count  = var.enable_s3 ? 1 : 0
 
-  comet_ml_s3_bucket  = var.s3_bucket_name
+  comet_s3_bucket  = var.s3_bucket_name
 }

modules/comet_ec2/main.tf

@@ -100,6 +100,7 @@ resource "aws_iam_instance_profile" "comet-ec2-instance-profile" {
   role  = aws_iam_role.comet-ec2-s3-access-role.name
 }
 
+/*
 resource "aws_iam_policy" "comet-ml-s3-policy" {
   count       = var.s3_enabled ? 1 : 0
   name        = "comet-s3-access-policy"
@@ -118,9 +119,11 @@ resource "aws_iam_policy" "comet-ml-s3-policy" {
     ]
   })
 }
+*/
 
 resource "aws_iam_role_policy_attachment" "comet-ml-s3-access-attachment" {
   count      = var.s3_enabled ? 1 : 0
   role       = aws_iam_role.comet-ec2-s3-access-role.name
-  policy_arn = aws_iam_policy.comet-ml-s3-policy[0].arn
+  #policy_arn = aws_iam_policy.comet-ml-s3-policy[0].arn
+  policy_arn = var.comet_ec2_s3_iam_policy
 }

modules/comet_ec2/variables.tf

@@ -62,4 +62,8 @@ variable "comet_ml_s3_bucket" {
   description = "Name of the S3 bucket provisioned for Comet"
   type        = string
   default     = null
+}
+
+variable "comet_ec2_s3_iam_policy" {
+  description = "Policy granting access to Comet S3 bucket"
 }

modules/comet_s3/main.tf

@@ -5,18 +5,28 @@ locals {
   }
 }
 
-resource "aws_s3_bucket" "s3-comet-ml" {
-  bucket = var.comet_ml_s3_bucket
-
-  # server_side_encryption_configuration {
-  #  rule {
-  #    apply_server_side_encryption_by_default {
-  #        sse_algorithm     = "aws:kms"
-  #    }
-  #  }
-  # }
+resource "aws_s3_bucket" "comet_s3_bucket" {
+  bucket = var.comet_s3_bucket
 
   tags = merge(local.tags, {
-    Name = var.comet_ml_s3_bucket
+    Name = var.comet_s3_bucket
+  })
+}
+
+resource "aws_iam_policy" "comet_s3_iam_policy" {
+  name        = "comet-s3-access-policy"
+  description = "comet-s3-access-policy"
+  policy = jsonencode({
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "s3:*",
+            "Resource": [
+              "arn:aws:s3:::${var.comet_s3_bucket}",
+              "arn:aws:s3:::${var.comet_s3_bucket}/*"
+            ]
+        }
+    ]
   })
 }

modules/comet_s3/outputs.tf

@@ -0,0 +1,4 @@
+output "comet_s3_iam_policy_arn" {
+  description = "ARN of the IAM policy granting access to the provisioned bucket"
+  value = aws_iam_policy.comet_s3_iam_policy.arn
+}

modules/comet_s3/variables.tf

@@ -4,7 +4,7 @@ variable "environment" {
   default     = "dev"
 }
 
-variable "comet_ml_s3_bucket" {
+variable "comet_s3_bucket" {
   description = "Name of S3 bucket"
   type        = string
 }

terraform.tfvars

@@ -1,11 +1,11 @@
-enable_ec2 = false
+enable_ec2 = true
 
-enable_eks = true
+enable_eks = false
 
 enable_elasticache = true
 
 enable_rds = false
 
-enable_s3 = false
+enable_s3 = true
 
-s3_bucket_name = ""
+s3_bucket_name = "cometeoteoitheoihiahg"