ci: prepare terraform files (#187)

Signed-off-by: Matheus Cruz <[email protected]>

Author: mcruzdev

.github/workflows/build.yml

@@ -3,9 +3,12 @@ name: Timeless CI - Build & Publish
 on:
   push:
     branches: [ "main" ]
+    paths-ignore:
+      - 'infrastructure/**'
   pull_request:
     branches: [ "main" ]
-
+    paths-ignore:
+      - 'infrastructure/**'
 
 permissions:
   contents: read

.github/workflows/pull_request.yml

@@ -3,6 +3,8 @@ name: Timeless CI - Pull Request Build
 on:
   pull_request:
     branches: [ "main" ]
+    paths-ignore:
+      - 'infrastructure/**'
 
 permissions:
   contents: read

infrastructure/main.tf

@@ -1,66 +1,142 @@
+# S3 Bucket
 resource "aws_s3_bucket" "timeless_bucket" {
   bucket = var.bucket_assets_name
+}
+
+resource "aws_s3_bucket_acl" "timeless_bucket_acl" {
+  bucket = aws_s3_bucket.timeless_bucket.id
   acl    = "private"
 }
 
-resource "aws_iam_user" "timeless_assets_writer" {
-  name = var.timeless_assets_writer_name
+# IAM Users
+resource "aws_iam_user" "timeless_whatsapp_app" {
+  name = var.timeless_whatsapp_app_name
 }
 
-resource "aws_iam_policy" "bucket_write_policy" {
-  name        = "BucketWriteAccessPolicy"
-  description = "Allows write access to ${var.bucket_assets_name} bucket"
+resource "aws_iam_user" "timeless_api_app" {
+  name = var.timeless_api_app_name
+}
+
+# IAM Policies
+
+resource "aws_iam_policy" "timeless_whatsapp_sqs_policy" {
+  name = "AllowSendReceiveMessagePolicy"
   policy = jsonencode({
     Version = "2012-10-17",
     Statement = [
       {
         Effect = "Allow",
         Action = [
-          "s3:PutObject",
-          "s3:PutObjectAcl",
-          "s3:GetObject"
+          "sqs:SendMessage",
+          "sqs:GetQueueAttributes"
         ],
-        Resource = "${aws_s3_bucket.timeless_bucket.arn}/*"
+        Resource = ["${aws_sqs_queue.incoming_messages.arn}"]
       },
       {
         Effect = "Allow",
         Action = [
-          "sqs:SendMessage",
           "sqs:ReceiveMessage",
-          "sqs:GetQueueAttributes",
-          "sqs:DeleteMessage"
+          "sqs:DeleteMessage",
+          "sqs:GetQueueAttributes"
         ],
-        Resource = "${aws_sqs_queue.incoming_messages.arn}"
+        Resource = ["${aws_sqs_queue.message_processed.arn}"]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "timeless_api_sqs_policy" {
+  name = "AllowTimelessAPISendReceiveMessagePolicy"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "sqs:SendMessage",
+          "sqs:GetQueueAttributes"
+        ],
+        Resource = ["${aws_sqs_queue.message_processed.arn}"]
       },
       {
-        Effect = "Allow"
+        Effect = "Allow",
         Action = [
           "sqs:ReceiveMessage",
-          "sqs:GetQueueAttributes",
           "sqs:DeleteMessage",
-          "sqs:SendMessage",
+          "sqs:GetQueueAttributes"
+        ],
+        Resource = ["${aws_sqs_queue.incoming_messages.arn}"]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "bucket_read_policy" {
+  name        = "TimelessAPIBucketReadAccessPolicy"
+  description = "Allows read access to ${var.bucket_assets_name} bucket"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "s3:GetObject"
         ],
-        Resource = "${aws_sqs_queue.message_processed.arn}"
+        Resource = "${aws_s3_bucket.timeless_bucket.arn}/*"
       }
     ]
   })
 }
 
-resource "aws_iam_user_policy_attachment" "attach_policy" {
-  user       = aws_iam_user.timeless_assets_writer.name
+resource "aws_iam_policy" "bucket_write_policy" {
+  name        = "TimelessWhatsappBucketWriteAccessPolicy"
+  description = "Allows write access to ${var.bucket_assets_name} bucket"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "s3:PutObject",
+          "s3:PutObjectAcl",
+          "s3:DeleteObject"
+        ],
+        Resource = "${aws_s3_bucket.timeless_bucket.arn}/*"
+      }
+    ]
+  })
+}
+
+# IAM User Policy Attachments
+
+resource "aws_iam_user_policy_attachment" "attach_bucket_write_policy" {
+  user       = aws_iam_user.timeless_whatsapp_app.name
   policy_arn = aws_iam_policy.bucket_write_policy.arn
 }
 
-resource "aws_sqs_queue" "incoming_messages" {
-  name = "incoming-messages.fifo"
+resource "aws_iam_user_policy_attachment" "attach_sqs_policy" {
+  user       = aws_iam_user.timeless_whatsapp_app.name
+  policy_arn = aws_iam_policy.timeless_whatsapp_sqs_policy.arn
+}
+
+resource "aws_iam_user_policy_attachment" "attach_api_bucket_read_policy" {
+  user       = aws_iam_user.timeless_api_app.name
+  policy_arn = aws_iam_policy.bucket_read_policy.arn
+}
+
+resource "aws_iam_user_policy_attachment" "attach_api_sqs_policy" {
+  user       = aws_iam_user.timeless_api_app.name
+  policy_arn = aws_iam_policy.timeless_api_sqs_policy.arn
+}
+
 
+# SQS Queues
+resource "aws_sqs_queue" "incoming_messages" {
   fifo_queue                  = true
   content_based_deduplication = true
 }
 
 resource "aws_sqs_queue" "message_processed" {
-  name = "messages-processed.fifo"
-
   fifo_queue                  = true
   content_based_deduplication = true
 }

infrastructure/variables.tf

@@ -2,6 +2,10 @@ variable "bucket_assets_name" {
   type = string
 }
 
-variable "timeless_assets_writer_name" {
+variable "timeless_whatsapp_app_name" {
   type = string
-}
+}
+
+variable "timeless_api_app_name" {
+  type = string
+}