class Terrafying::Components::Security::Store

Attributes

arn [R] — ARN of the S3 bucket created by #create
key_arn [R] — ARN of the KMS key the bucket encrypts with
name [R] — bucket name as passed to #create

Public Class Methods

create(*args)
# File lib/terrafying/components/security/store.rb, line 15
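# Convenience constructor: builds a new Store and immediately provisions it.
#
# Positional and keyword arguments are forwarded separately so that
# `bucket_policy:` / `key_policy:` reach #create as keywords. A bare `*args`
# forwards them as a trailing positional Hash on Ruby 3, and #create (which
# accepts exactly one positional argument) then raises ArgumentError.
#
# @param args [Array] positional arguments for #create (the bucket name)
# @param kwargs [Hash] keyword arguments for #create (bucket_policy:, key_policy:)
# @return [Store] whatever #create returns (the provisioned store)
def self.create(*args, **kwargs)
  Store.new.create(*args, **kwargs)
end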

Public Instance Methods

create( name, bucket_policy: nil, key_policy: nil )
# File lib/terrafying/components/security/store.rb, line 19
# Provisions a private, versioned S3 bucket encrypted by default with a
# dedicated customer-managed KMS key (plus an alias), and records the
# resulting identifiers on this instance.
#
# @param name [String] bucket name; also used (through tf_safe) as the
#   Terraform resource identifier and as the KMS alias suffix
# @param bucket_policy [String, nil] bucket policy document handed straight
#   to aws_s3_bucket; nil leaves the bucket without a policy
# @param key_policy [String, nil] key policy document handed straight to
#   aws_kms_key; nil leaves the provider/AWS default key policy in place
# @return [Store] self, so the call can be chained
#
# NOTE(review): neither policy is inspected here, so a caller-supplied
# document can grant far more than #read_statements / #write_statements do —
# review them at the call site. The key is created without
# enable_key_rotation and the bucket without an
# aws_s3_bucket_public_access_block; add those if the surrounding module
# does not already provide them.
def create(
      name,
      bucket_policy: nil,
      key_policy: nil
    )

  ident = tf_safe(name)
  @name = name

  # The key comes first: both the alias and the bucket reference it.
  @key = resource :aws_kms_key, ident, { policy: key_policy }
  @key_arn = @key["arn"]

  resource :aws_kms_alias, ident, {
             name: "alias/#{name}",
             target_key_id: @key["id"],
           }

  # Bucket-wide default: objects uploaded without an explicit encryption
  # header are stored as SSE-KMS under the key created above.
  default_encryption = {
    rule: {
      apply_server_side_encryption_by_default: {
        kms_master_key_id: @key["arn"],
        sse_algorithm: "aws:kms",
      }
    }
  }

  bucket_attrs = {
    bucket: name,
    acl: "private",
    # Don't let `terraform destroy` wipe a bucket that still holds objects.
    force_destroy: false,
    # Versioning keeps overwritten and deleted objects recoverable.
    versioning: { enabled: true },
    policy: bucket_policy,
    server_side_encryption_configuration: default_encryption,
    tags: { Name: name },
  }

  @bucket = resource :aws_s3_bucket, ident, bucket_attrs
  @arn = @bucket["arn"]

  self
end
read_statements(prefix: "*")
# File lib/terrafying/components/security/store.rb, line 62
# IAM policy statements that let a principal read from this store.
#
# @param prefix [String] object-key glob appended to the bucket ARN with a
#   "/"; the default "*" covers every object in the bucket
# @return [Array<Hash>] three Allow statements, in this order: bucket-level
#   list / ACL read, s3:GetObject* under +prefix+, and kms:Decrypt on the key
#
# NOTE(review): s3:ListBucket is granted on the whole bucket with no
# s3:prefix condition, so a principal scoped to a sub-prefix can still
# enumerate every key name. kms:Decrypt carries no kms:ViaService (or
# encryption-context) condition, so it permits decrypting anything encrypted
# under this key, not only this bucket's objects.
def read_statements(prefix: "*")
  object_glob = [@bucket["arn"], prefix].join("/")

  bucket_access = {
    Effect: "Allow",
    Action: [
      "s3:ListBucket",
      "s3:GetBucketAcl",
    ],
    Resource: @bucket["arn"],
  }

  # s3:GetObject* also matches GetObjectAcl/GetObjectTagging/GetObjectVersion*.
  object_access = {
    Effect: "Allow",
    Action: [
      "s3:GetObject*",
    ],
    Resource: object_glob,
  }

  key_access = {
    Effect: "Allow",
    Action: [
      "kms:Decrypt",
    ],
    Resource: @key["arn"],
  }

  [bucket_access, object_access, key_access]
end
write_statements(prefix: "*")
# File lib/terrafying/components/security/store.rb, line 91
# IAM policy statements that let a principal read and write this store.
#
# @param prefix [String] object-key glob appended to the bucket ARN with a
#   "/"; the default "*" covers every object in the bucket
# @return [Array<Hash>] three Allow statements, in this order: bucket-level
#   list / ACL read, s3:GetObject* + s3:PutObject* under +prefix+, and
#   kms:Encrypt / kms:Decrypt / kms:GenerateDataKey on the key
#
# NOTE(review): s3:PutObject* also matches s3:PutObjectAcl, so the grantee
# can change object ACLs unless a public-access block or bucket policy
# forbids it. s3:ListBucket has no s3:prefix condition, so listing is
# bucket-wide regardless of +prefix+. The KMS grant is unconditioned
# (no kms:ViaService), so the key is usable outside S3 as well; kms:Encrypt
# is more than S3 itself needs for SSE-KMS writes, which use GenerateDataKey.
def write_statements(prefix: "*")
  object_glob = [@bucket["arn"], prefix].join("/")

  bucket_access = {
    Effect: "Allow",
    Action: [
      "s3:ListBucket",
      "s3:GetBucketAcl",
    ],
    Resource: @bucket["arn"],
  }

  object_access = {
    Effect: "Allow",
    Action: [
      "s3:GetObject*",
      "s3:PutObject*",
    ],
    Resource: object_glob,
  }

  key_access = {
    Effect: "Allow",
    Action: [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:GenerateDataKey"
    ],
    Resource: @key["arn"],
  }

  [bucket_access, object_access, key_access]
end