Create usage bucket

amancevice · Jun 26, 2018 · d794e26 · d794e26
1 parent 6facedf
commit d794e26
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 9 deletions.
diff --git a/main.tf b/main.tf
@@ -9,7 +9,7 @@ data "aws_iam_policy_document" "assume_role" {
   }
 }
 
-data "aws_iam_policy_document" "policy" {
+data "aws_iam_policy_document" "delivery_status_inline_role_policy" {
   statement {
     resources = ["*"]
     actions   = [
@@ -22,24 +22,68 @@ data "aws_iam_policy_document" "policy" {
   }
 }
 
-resource "aws_iam_role" "role" {
+data "aws_iam_policy_document" "delivery_status_bucket_policy" {
+  policy_id = "sns-sms-daily-usage-policy"
+
+  statement {
+    sid       = "AllowPutObject"
+    actions   = ["s3:PutObject"]
+    resources = ["${aws_s3_bucket.delivery_status_bucket.arn}/*"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["sns.amazonaws.com"]
+    }
+  }
+
+  statement {
+    sid       = "AllowGetBucketLocation"
+    actions   = ["s3:GetBucketLocation"]
+    resources = ["${aws_s3_bucket.delivery_status_bucket.arn}"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["sns.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "delivery_status_role" {
   name               = "${var.role_name}"
   assume_role_policy = "${data.aws_iam_policy_document.assume_role.json}"
 }
 
-resource "aws_iam_role_policy" "role_policy" {
-  name   = "${aws_iam_role.role.name}Policy"
-  role   = "${aws_iam_role.role.id}"
-  policy = "${data.aws_iam_policy_document.policy.json}"
+resource "aws_iam_role_policy" "delivery_status_inline_role_policy" {
+  name   = "${aws_iam_role.delivery_status_role.name}InlinePolicy"
+  role   = "${aws_iam_role.delivery_status_role.id}"
+  policy = "${data.aws_iam_policy_document.delivery_status_inline_role_policy.json}"
+}
+
+resource "aws_s3_bucket" "delivery_status_bucket" {
+  bucket = "${var.usage_report_s3_bucket}"
+  acl    = "private"
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm = "AES256"
+      }
+    }
+  }
+}
+
+resource "aws_s3_bucket_policy" "delivery_status_bucket_policy" {
+  bucket = "${aws_s3_bucket.delivery_status_bucket.bucket}"
+  policy = "${data.aws_iam_policy_document.delivery_status_bucket_policy.json}"
 }
 
 resource "aws_sns_sms_preferences" "sms_preferences" {
   default_sender_id                     = "${var.default_sender_id}"
   default_sms_type                      = "${var.default_sms_type}"
-  delivery_status_iam_role_arn          = "${aws_iam_role.role.arn}"
+  delivery_status_iam_role_arn          = "${aws_iam_role.delivery_status_role.arn}"
   delivery_status_success_sampling_rate = "${var.delivery_status_success_sampling_rate}"
   monthly_spend_limit                   = "${var.monthly_spend_limit}"
-  usage_report_s3_bucket                = "${var.usage_report_s3_bucket}"
+  usage_report_s3_bucket                = "${aws_s3_bucket.delivery_status_bucket.bucket}"
 }
 
 resource "aws_sns_topic" "topic" {

diff --git a/variables.tf b/variables.tf
@@ -44,5 +44,4 @@ variable "topic_name" {
 
 variable "usage_report_s3_bucket" {
   description = "The Amazon S3 bucket to receive daily SMS usage reports. The bucket policy must grant write access to Amazon SNS."
-  default     = ""
 }