mirror of
https://github.com/FoggedLens/deflock.git
synced 2026-02-12 15:02:45 +00:00
106 lines
2.2 KiB
HCL
106 lines
2.2 KiB
HCL
|
|
resource "aws_s3_bucket" "directus_backup" {
|
|
bucket = var.bucket_name
|
|
}
|
|
|
|
resource "aws_s3_bucket_lifecycle_configuration" "directus_backup_lifecycle" {
|
|
bucket = aws_s3_bucket.directus_backup.id
|
|
|
|
rule {
|
|
id = "expire-old-backups"
|
|
status = "Enabled"
|
|
|
|
expiration {
|
|
days = 15
|
|
}
|
|
|
|
noncurrent_version_expiration {
|
|
noncurrent_days = 15
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "aws_s3_bucket_versioning" "directus_backup_versioning" {
|
|
bucket = aws_s3_bucket.directus_backup.id
|
|
versioning_configuration {
|
|
status = "Enabled"
|
|
}
|
|
}
|
|
|
|
resource "aws_s3_bucket_server_side_encryption_configuration" "directus_backup_encryption" {
|
|
bucket = aws_s3_bucket.directus_backup.id
|
|
|
|
rule {
|
|
apply_server_side_encryption_by_default {
|
|
sse_algorithm = "aws:kms"
|
|
kms_master_key_id = aws_kms_key.s3_backup_key.arn
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "aws_kms_key" "s3_backup_key" {
|
|
description = "KMS key for S3 backup bucket encryption"
|
|
deletion_window_in_days = 10
|
|
enable_key_rotation = true
|
|
}
|
|
|
|
resource "aws_iam_role" "directus_backup_writer" {
|
|
name = "directus-backup-writer"
|
|
assume_role_policy = jsonencode({
|
|
Version = "2012-10-17"
|
|
Statement = [
|
|
{
|
|
Action = "sts:AssumeRole"
|
|
Effect = "Allow"
|
|
Principal = {
|
|
Service = "ec2.amazonaws.com"
|
|
}
|
|
}
|
|
]
|
|
})
|
|
}
|
|
|
|
resource "aws_iam_policy" "directus_backup_write_policy" {
|
|
name = "directus-backup-write-policy"
|
|
description = "Allow write access to S3 backup bucket"
|
|
policy = jsonencode({
|
|
Version = "2012-10-17"
|
|
Statement = [
|
|
{
|
|
Effect = "Allow"
|
|
Action = [
|
|
"s3:PutObject",
|
|
"s3:PutObjectAcl",
|
|
"s3:GetObject",
|
|
"s3:ListBucket",
|
|
"s3:DeleteObject"
|
|
]
|
|
Resource = [
|
|
"${aws_s3_bucket.directus_backup.arn}/*",
|
|
"${aws_s3_bucket.directus_backup.arn}"
|
|
]
|
|
},
|
|
{
|
|
Effect = "Allow"
|
|
Action = [
|
|
"kms:Encrypt",
|
|
"kms:Decrypt",
|
|
"kms:GenerateDataKey*",
|
|
"kms:DescribeKey"
|
|
]
|
|
Resource = aws_kms_key.s3_backup_key.arn
|
|
}
|
|
]
|
|
})
|
|
}
|
|
|
|
resource "aws_iam_role_policy_attachment" "attach_write_policy" {
|
|
role = aws_iam_role.directus_backup_writer.name
|
|
policy_arn = aws_iam_policy.directus_backup_write_policy.arn
|
|
}
|
|
|
|
variable "bucket_name" {
|
|
description = "The name of the S3 bucket for Directus backups."
|
|
type = string
|
|
}
|