class Terrafying::Components::Security::Store
Attributes
arn[R]
key_arn[R]
name[R]
Public Class Methods
create(*args)
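# File lib/terrafying/components/security/store.rb, line 15
# Builds a new Store and declares its resources in one call; the arguments
# are forwarded unchanged to Store#create (name, bucket_policy:, key_policy:).
#
# Keyword arguments are captured separately from the positionals so the
# forwarding keeps working on Ruby 3: there a method taking only *args
# receives the keywords as a trailing Hash that is no longer converted back
# into keywords, and `Store.create(name, key_policy: ...)` would raise
# ArgumentError inside Store#create.
#
# Returns the configured Store.
def self.create(*args, **kwargs)
  Store.new.create(*args, **kwargs)
end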
Public Instance Methods
create( name, bucket_policy: nil, key_policy: nil )
# File lib/terrafying/components/security/store.rb, line 19
# Declares the resources backing this store: a customer-managed KMS key, an
# alias for it ("alias/<name>") and a private, versioned S3 bucket whose
# default server-side encryption (aws:kms) uses that key.
#
# name          - used verbatim as the bucket name, alias suffix and Name tag;
#                 run through tf_safe to derive the Terraform identifier.
# bucket_policy - optional policy document attached to the bucket (nil = none).
# key_policy    - optional policy document for the KMS key. nil passes no
#                 policy, leaving the provider's default key policy in place —
#                 NOTE(review): confirm that default is the intended trust
#                 boundary for this key.
#
# Sets @name, @key, @key_arn, @bucket and @arn; returns self so the call can
# be chained.
#
# NOTE(review): access to the bucket is restricted only by the "private" ACL
# and the optional bucket_policy — no aws_s3_bucket_public_access_block is
# declared here. force_destroy is false, so destroying the store with objects
# still present fails rather than deleting data.
def create(name, bucket_policy: nil, key_policy: nil)
  ident = tf_safe(name)
  @name = name

  @key = resource :aws_kms_key, ident, { policy: key_policy }
  @key_arn = @key["arn"]

  alias_attrs = {
    name: "alias/#{name}",
    target_key_id: @key["id"],
  }
  resource :aws_kms_alias, ident, alias_attrs

  default_encryption = {
    kms_master_key_id: @key["arn"],
    sse_algorithm: "aws:kms",
  }
  bucket_attrs = {
    bucket: name,
    acl: "private",
    force_destroy: false,
    versioning: { enabled: true },
    policy: bucket_policy,
    server_side_encryption_configuration: {
      rule: { apply_server_side_encryption_by_default: default_encryption },
    },
    tags: { Name: name },
  }
  @bucket = resource :aws_s3_bucket, ident, bucket_attrs
  @arn = @bucket["arn"]

  self
end
read_statements(prefix: "*")
# File lib/terrafying/components/security/store.rb, line 62
# IAM policy statements granting read access to this store.
#
# prefix - glob joined to the bucket ARN with a "/" separator to scope the
#          object-level grant; the default "*" covers every key. It is used
#          verbatim, so a key prefix must be written as "path/*" — "path"
#          alone only matches an object literally named "path".
#
# Returns an Array of three statement Hashes (symbol keys): bucket-level
# s3:ListBucket/s3:GetBucketAcl, s3:GetObject* on the prefixed objects, and
# kms:Decrypt on the store's key.
#
# NOTE(review): the ListBucket grant covers the whole bucket with no
# s3:prefix condition and the kms:Decrypt grant carries no condition (e.g.
# kms:ViaService), so prefix narrows only the object grant — not listing,
# and not use of the key outside S3.
def read_statements(prefix: "*")
  bucket_arn = @bucket["arn"]
  object_glob = [bucket_arn, prefix].join("/")

  bucket_level = {
    Effect: "Allow",
    Action: %w[s3:ListBucket s3:GetBucketAcl],
    Resource: bucket_arn,
  }
  object_level = {
    Effect: "Allow",
    Action: %w[s3:GetObject*],
    Resource: object_glob,
  }
  key_usage = {
    Effect: "Allow",
    Action: %w[kms:Decrypt],
    Resource: @key["arn"],
  }

  [bucket_level, object_level, key_usage]
end
write_statements(prefix: "*")
# File lib/terrafying/components/security/store.rb, line 91
# IAM policy statements granting read/write access to this store.
#
# prefix - glob joined to the bucket ARN with "/" to scope the object-level
#          grant; defaults to "*" (every key). Used verbatim, so scope a key
#          prefix as "path/*", not "path".
#
# Returns an Array of three statement Hashes (symbol keys): bucket-level
# s3:ListBucket/s3:GetBucketAcl, s3:GetObject*/s3:PutObject* on the prefixed
# objects, and kms:Encrypt/kms:Decrypt/kms:GenerateDataKey on the store's
# key. No s3:DeleteObject* action is granted.
#
# NOTE(review): s3:PutObject* matches every PutObject-prefixed action,
# including s3:PutObjectAcl — whether a writer can thereby change per-object
# ACLs depends on bucket ownership/ACL settings not visible here. As with
# read_statements, ListBucket has no s3:prefix condition and the KMS grant
# has no kms:ViaService condition, so prefix narrows the object grant only.
def write_statements(prefix: "*")
  bucket_arn = @bucket["arn"]
  object_glob = [bucket_arn, prefix].join("/")

  bucket_level = {
    Effect: "Allow",
    Action: %w[s3:ListBucket s3:GetBucketAcl],
    Resource: bucket_arn,
  }
  object_level = {
    Effect: "Allow",
    Action: %w[s3:GetObject* s3:PutObject*],
    Resource: object_glob,
  }
  key_usage = {
    Effect: "Allow",
    Action: %w[kms:Encrypt kms:Decrypt kms:GenerateDataKey],
    Resource: @key["arn"],
  }

  [bucket_level, object_level, key_usage]
end