From 50a2c4d64408fb05e98d7a70935c0ae1b9203d61 Mon Sep 17 00:00:00 2001
From: Yusuke Nakamura
Date: Mon, 7 Apr 2025 01:06:45 +0900
Subject: [PATCH 1/4] Create s3 bucket for sponsor-app staging

---
 aws/sponsor-app/s3.tf | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 aws/sponsor-app/s3.tf

diff --git a/aws/sponsor-app/s3.tf b/aws/sponsor-app/s3.tf
new file mode 100644
index 0000000..705e76c
--- /dev/null
+++ b/aws/sponsor-app/s3.tf
@@ -0,0 +1,22 @@
+resource "aws_s3_bucket" "sponsor_app_staging" {
+  bucket = "kor-sponsor-app-staging"
+}
+
+resource "aws_s3_bucket_ownership_controls" "sponsor_app_staging" {
+  bucket = aws_s3_bucket.sponsor_app_staging.id
+
+  rule {
+    object_ownership = "BucketOwnerEnforced"
+  }
+}
+
+resource "aws_s3_bucket_cors_configuration" "sponsor_app_staging" {
+  bucket = aws_s3_bucket.sponsor_app_staging.id
+
+  cors_rule {
+    allowed_headers = ["*"]
+    allowed_methods = ["PUT", "POST"]
+    allowed_origins = ["https://sponsorships-staging.kaigionrails.org"]
+    max_age_seconds = 3000
+  }
+}

From c650aa2f952863bcf15662b256210de1bfc6ca29 Mon Sep 17 00:00:00 2001
From: Yusuke Nakamura
Date: Mon, 7 Apr 2025 01:07:22 +0900
Subject: [PATCH 2/4] Configure iam to put s3 bucket from browser (sponsor-app staging)

---
 aws/sponsor-app/apprunner.tf | 3 +-
 aws/sponsor-app/iam.tf | 60 ++++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+), 1 deletion(-)

diff --git a/aws/sponsor-app/apprunner.tf b/aws/sponsor-app/apprunner.tf
index 2260f84..673777f 100644
--- a/aws/sponsor-app/apprunner.tf
+++ b/aws/sponsor-app/apprunner.tf
@@ -90,7 +90,6 @@ resource "aws_apprunner_service" "sponsor_app_staging" {
       runtime_environment_variables = {
         AWS_ACCESS_KEY_ID = "sample"
         AWS_REGION = "ap-northeast-1"
-        AWS_SECRET_ACCESS_KEY = "sample"
         DEFAULT_EMAIL_ADDRESS = "sponsorships-staging@kaigionrails.org"
         DEFAULT_EMAIL_HOST = "sponsorships-staging.kaigionrails.org"
         DEFAULT_URL_HOST = "sponsorships-staging.kaigionrails.org"
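Review bot: The new `kor-sponsor-app-staging` bucket gets ownership controls and a CORS rule but no `aws_s3_bucket_public_access_block`, so nothing in s3.tf pins the bucket to private. AWS applies Block Public Access to newly created buckets by default, but an explicit resource keeps that decision reviewable in code and survives an account-level change; the same gap exists for the production bucket added to s3.tf in patch 4/4. A companion `aws_s3_bucket_server_side_encryption_configuration`, or at least a one-line comment stating that the SSE-S3 default is relied upon, would document the encryption posture the same way. The CORS origin is correctly pinned to the staging host, and `allowed_headers = ["*"]` is the usual setting for presigned browser uploads when only one origin is allowed.

```hcl
resource "aws_s3_bucket_public_access_block" "sponsor_app_staging" {
  bucket = aws_s3_bucket.sponsor_app_staging.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```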
@@ -101,6 +100,8 @@ resource "aws_apprunner_service" "sponsor_app_staging" {
         RAILS_ENV = "production"
         RAILS_LOG_TO_STDOUT = "enabled"
         RAILS_SERVE_STATIC_FILES = "enabled"
+        S3_FILES_REGION = "ap-northeast-1"
+        S3_FILES_ROLE = aws_iam_role.sponsor_app_staging_user.arn
         SENTRY_ENV = "staging"
       }
 
diff --git a/aws/sponsor-app/iam.tf b/aws/sponsor-app/iam.tf
index c60a4d5..c4069eb 100644
--- a/aws/sponsor-app/iam.tf
+++ b/aws/sponsor-app/iam.tf
@@ -132,6 +132,16 @@ data "aws_iam_policy_document" "sponsor_app" {
   # # resources = ["arn:aws:iam::${local.kaigionrails_aws_account_id}:role/*"]
   # resources = ["*"]
   # }
+  statement {
+    effect = "Allow"
+    actions = [
+      "sts:AssumeRole",
+    ]
+    resources = [
+      aws_iam_role.sponsor_app_staging_user.arn,
+    ]
+  }
+
   statement {
     effect = "Allow"
     actions = ["ssm:GetParameters"]
@@ -155,6 +165,19 @@ data "aws_iam_policy_document" "sponsor_app" {
     ]
     resources = ["*"]
   }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:GetObject",
+      "s3:PutObject",
+      "s3:ListBucket",
+    ]
+    resources = [
+      aws_s3_bucket.sponsor_app_staging.arn,
+      "${aws_s3_bucket.sponsor_app_staging.arn}/*",
+    ]
+  }
 }
 
 resource "aws_iam_role" "sponsor_app_deployer" {
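Review bot: The new `sts:AssumeRole` statement in the `sponsor_app` policy document (first iam.tf hunk) lands directly under a commented-out block that ends in `resources = ["*"]`, with nothing saying why the service role needs to assume a second role. A short comment would make the intent auditable, e.g. `# Assumed at runtime via S3_FILES_ROLE to mint short-lived credentials for browser uploads; that role is limited to s3:PutObject on the staging bucket`. The object-access statement in the second iam.tf hunk is scoped to the bucket ARN and its objects only, which is appropriate for an application role. `data "aws_iam_policy_document" "sponsor_app"` begins before these hunks.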
@@ -271,3 +294,40 @@ data "aws_iam_policy_document" "sponsor_app_deployer" {
     ]
   }
 }
+
+resource "aws_iam_role" "sponsor_app_staging_user" {
+  name = "SponsorAppStagingUser"
+  description = "SponsorAppStagingUser"
+  assume_role_policy = data.aws_iam_policy_document.sponsor_app_staging_user_trust.json
+  max_session_duration = 43200
+}
+
+data "aws_iam_policy_document" "sponsor_app_staging_user_trust" {
+  statement {
+    effect = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${local.kaigionrails_aws_account_id}:root"
+      ]
+    }
+  }
+}
+
+resource "aws_iam_role_policy" "sponsor_app_staging_user" {
+  role = aws_iam_role.sponsor_app_staging_user.name
+  policy = data.aws_iam_policy_document.sponsor_app_staging_user.json
+}
+
+data "aws_iam_policy_document" "sponsor_app_staging_user" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:PutObject",
+    ]
+    resources = [
+      "${aws_s3_bucket.sponsor_app_staging.arn}/*",
+    ]
+  }
+}

From 1e85208f7817956b5e7b28b7bdfb40be04391a7d Mon Sep 17 00:00:00 2001
From: Yusuke Nakamura
Date: Mon, 7 Apr 2025 01:26:34 +0900
Subject: [PATCH 3/4] Remove sample env vars from sponsor-app apprunner

---
 aws/sponsor-app/apprunner.tf | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/aws/sponsor-app/apprunner.tf b/aws/sponsor-app/apprunner.tf
index 673777f..663d7a1 100644
--- a/aws/sponsor-app/apprunner.tf
+++ b/aws/sponsor-app/apprunner.tf
@@ -9,9 +9,6 @@ resource "aws_apprunner_service" "sponsor_app" {
       # See also kaigionrails/sponsor-app/deploy/task_definition.jsonnet
 
       runtime_environment_variables = {
-        AWS_ACCESS_KEY_ID = "sample"
-        AWS_REGION = "ap-northeast-1"
-        AWS_SECRET_ACCESS_KEY = "sample"
         DEFAULT_EMAIL_ADDRESS = "sponsorships@kaigionrails.org"
         DEFAULT_EMAIL_HOST = "sponsorships.kaigionrails.org"
         DEFAULT_URL_HOST = "sponsorships.kaigionrails.org"
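Review bot: The trust policy of `SponsorAppStagingUser` names the account root as principal, so any identity in the account that is granted `sts:AssumeRole` on this ARN can assume it, not only the service role this series grants it to in the `sponsor_app` policy document. Naming that service role's ARN as the principal (the role itself is not visible in this series, presumably the one carrying `data.aws_iam_policy_document.sponsor_app`) would bind the trust to its one intended caller, provided the role's policy is attached through a separate resource so no Terraform dependency cycle arises. `max_session_duration = 43200` also looks ineffective: if the app assumes this role with the App Runner instance role's credentials, as the `S3_FILES_ROLE` wiring suggests, that is role chaining and AWS caps such sessions at one hour, so the default can be kept and the 12-hour value dropped. The same two points apply to `SponsorAppUser` in patch 4/4. The hunk's three context lines close `data "aws_iam_policy_document" "sponsor_app_deployer"`, which starts before the hunk.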
@@ -88,8 +85,6 @@ resource "aws_apprunner_service" "sponsor_app_staging" {
       # See also kaigionrails/sponsor-app/deploy/staging/task_definition.jsonnet
 
       runtime_environment_variables = {
-        AWS_ACCESS_KEY_ID = "sample"
-        AWS_REGION = "ap-northeast-1"
         DEFAULT_EMAIL_ADDRESS = "sponsorships-staging@kaigionrails.org"
         DEFAULT_EMAIL_HOST = "sponsorships-staging.kaigionrails.org"
         DEFAULT_URL_HOST = "sponsorships-staging.kaigionrails.org"

From 3af324d67b8f460b55857e876ecedc9f2c47e638 Mon Sep 17 00:00:00 2001
From: Yusuke Nakamura
Date: Mon, 7 Apr 2025 01:40:02 +0900
Subject: [PATCH 4/4] Create s3 bucket and configure iam roles for sponsor-app production

---
 aws/sponsor-app/apprunner.tf | 2 ++
 aws/sponsor-app/iam.tf | 40 ++++++++++++++++++++++++++++++++++++
 aws/sponsor-app/s3.tf | 23 +++++++++++++++++++++
 3 files changed, 65 insertions(+)

diff --git a/aws/sponsor-app/apprunner.tf b/aws/sponsor-app/apprunner.tf
index 663d7a1..7be9b31 100644
--- a/aws/sponsor-app/apprunner.tf
+++ b/aws/sponsor-app/apprunner.tf
@@ -19,6 +19,8 @@ resource "aws_apprunner_service" "sponsor_app" {
         RAILS_ENV = "production"
         RAILS_LOG_TO_STDOUT = "enabled"
         RAILS_SERVE_STATIC_FILES = "enabled"
+        S3_FILES_REGION = "ap-northeast-1"
+        S3_FILES_ROLE = aws_iam_role.sponsor_app_user.arn
         SENTRY_ENV = "production"
       }
 
diff --git a/aws/sponsor-app/iam.tf b/aws/sponsor-app/iam.tf
index c4069eb..6345336 100644
--- a/aws/sponsor-app/iam.tf
+++ b/aws/sponsor-app/iam.tf
@@ -138,6 +138,7 @@ data "aws_iam_policy_document" "sponsor_app" {
       "sts:AssumeRole",
     ]
     resources = [
+      aws_iam_role.sponsor_app_user.arn,
       aws_iam_role.sponsor_app_staging_user.arn,
     ]
   }
@@ -174,6 +175,8 @@ data "aws_iam_policy_document" "sponsor_app" {
       "s3:ListBucket",
     ]
     resources = [
+      aws_s3_bucket.sponsor_app.arn,
+      "${aws_s3_bucket.sponsor_app.arn}/*",
       aws_s3_bucket.sponsor_app_staging.arn,
       "${aws_s3_bucket.sponsor_app_staging.arn}/*",
     ]
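Review bot: After the two iam.tf hunks of patch 4/4 (`@@ -138` and `@@ -174`), the single `sponsor_app` policy document lets whichever role carries it assume both `SponsorAppUser` and `SponsorAppStagingUser` and get, put and list in both `kor-sponsor-app-production` and `kor-sponsor-app-staging`. If the production and staging App Runner services share that role (the role is not visible in this series), staging can write into the production bucket and production can reach staging data, which undoes the per-environment separation that the separate buckets and upload roles are setting up. Splitting the document and role per environment, or at least a comment on the statement acknowledging that both environments are reachable from one role, would keep the boundary explicit. `data "aws_iam_policy_document" "sponsor_app"` starts and ends outside these hunks.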
@@ -295,6 +298,43 @@ data "aws_iam_policy_document" "sponsor_app_deployer" {
   }
 }
 
+resource "aws_iam_role" "sponsor_app_user" {
+  name = "SponsorAppUser"
+  description = "SponsorAppUser"
+  assume_role_policy = data.aws_iam_policy_document.sponsor_app_user_trust.json
+  max_session_duration = 43200
+}
+
+data "aws_iam_policy_document" "sponsor_app_user_trust" {
+  statement {
+    effect = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${local.kaigionrails_aws_account_id}:root"
+      ]
+    }
+  }
+}
+
+resource "aws_iam_role_policy" "sponsor_app_user" {
+  role = aws_iam_role.sponsor_app_user.name
+  policy = data.aws_iam_policy_document.sponsor_app_user.json
+}
+
+data "aws_iam_policy_document" "sponsor_app_user" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:PutObject",
+    ]
+    resources = [
+      "${aws_s3_bucket.sponsor_app.arn}/*",
+    ]
+  }
+}
+
 resource "aws_iam_role" "sponsor_app_staging_user" {
   name = "SponsorAppStagingUser"
   description = "SponsorAppStagingUser"
diff --git a/aws/sponsor-app/s3.tf b/aws/sponsor-app/s3.tf
index 705e76c..9b542ed 100644
--- a/aws/sponsor-app/s3.tf
+++ b/aws/sponsor-app/s3.tf
@@ -1,3 +1,26 @@
+resource "aws_s3_bucket" "sponsor_app" {
+  bucket = "kor-sponsor-app-production"
+}
+
+resource "aws_s3_bucket_ownership_controls" "sponsor_app" {
+  bucket = aws_s3_bucket.sponsor_app.id
+
+  rule {
+    object_ownership = "BucketOwnerEnforced"
+  }
+}
+
+resource "aws_s3_bucket_cors_configuration" "sponsor_app" {
+  bucket = aws_s3_bucket.sponsor_app.id
+
+  cors_rule {
+    allowed_headers = ["*"]
+    allowed_methods = ["PUT", "POST"]
+    allowed_origins = ["https://sponsorships.kaigionrails.org"]
+    max_age_seconds = 3000
+  }
+}
+
 resource "aws_s3_bucket" "sponsor_app_staging" {
   bucket = "kor-sponsor-app-staging"
 }