✨ terraform storage minio

2025-10-01 07:55:06 +02:00 · 2023-11-17 23:54:11 +01:00
parent 4746db000b
commit 6c9d3e3a87
6 changed files with 173 additions and 14 deletions
--- a/terraform/storage/minio/main.tf
+++ b/terraform/storage/minio/main.tf
@@ -0,0 +1,28 @@
+terraform {
+  cloud {
+    hostname     = "app.terraform.io"
+    organization = "onedr0p"
+    workspaces {
+      name = "arpa-home-storage"
+    }
+  }
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "2.23.0"
+    }
+    sops = {
+      source  = "carlpett/sops"
+      version = "1.0.0"
+    }
+    time = {
+      source  = "hashicorp/time"
+      version = "0.9.1"
+    }
+  }
+  required_version = ">= 1.3.0"
+}
+
+data "sops_file" "secrets" {
+  source_file = "secrets.sops.yaml"
+}
--- a/terraform/storage/minio/providers.tf
+++ b/terraform/storage/minio/providers.tf
@@ -0,0 +1,12 @@
+provider "aws" {
+  access_key = "your_access_key"
+  secret_key = "your_secret_key"
+  region     = "us-east-1"
+  endpoints {
+    s3 = "base64decode(data.sops_file.secrets.data["minio_endpoint"])"
+  }
+  skip_credentials_validation = true
+  skip_metadata_api_check     = true
+  skip_requesting_account_id  = true
+  s3_force_path_style         = true
+}
--- a/terraform/storage/minio/secrets.sops.yaml
+++ b/terraform/storage/minio/secrets.sops.yaml
@@ -0,0 +1,23 @@
+minio_endpoint: ENC[AES256_GCM,data:Lx05cjWbTqmXpGMVjJIuFS0blA7m9P0gJH0p+Z8OteM=,iv:SvcuQojEK4nMXY+80oSGSnovKtN221xgGtRHd0U5OaA=,tag:UrWetEvmP4qkBo5kMfzALg==,type:str]
+minio_root_user: ENC[AES256_GCM,data:9n5EvcU=,iv:hMpFlmvwYcjHdcdg6zNfHimjhltgTUe7nBUMV6HQi/U=,tag:nSwSU0ebzbH1SWR0ULLhKg==,type:str]
+minio_root_password: ENC[AES256_GCM,data:TE4Etq58bqOdB6ya13cLfZBdgnI=,iv:y0UF4eC1Gx6zdNEuXTS5GbiYran45w63YjEu4od+ExY=,tag:Qyk+r8NIMc3NltagK5Rrjw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVy9DRjhqOW05Wm4rNXZo
+            bFJxem9UZjNSQW5UaTRZaWQ1clZQSHJrNHpVCmo3Y0RPd1BRRC9ZZHJ0SndSUXJv
+            UkpPWTNOUWFPL1hCUGJrTFBPZml5QncKLS0tIGI5UUJKMXR0d1d3ZzRDSURuWVFl
+            ZFlyQ1lGbnVPaSs4cytQYzNwRnJabmcKP0ogZqsaoD6heCqmObwttBgE039aLqe2
+            R55NPkQJJyFSbDbdDmPApE4IwtXay54QGw2RR4AxOZW4G2dWhdzP3w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-16T01:41:33Z"
+    mac: ENC[AES256_GCM,data:PBr4A9D6grWs7HgMGloDnDOhhT4/v4PvyqFxhdfzsm38FfZomceh7PpfMbdEH/Fv6Jsv9Z8f7aWTCt4IiSCGENJyZSGIL14ABDw/ao44Q1wtsh2Axjm4KWPr1iWWtu/Cbdv22vdbK2hlM0sXkCfiPboWIkVpaFTQQ5EW7+stryw=,iv:2Vdp7i4EdL/LVo9BD3PVCn5lan/J0khVdOcIIv66ayE=,tag:X5LdJESAcdDRXOQNlYoP3A==,type:str]
+    pgp: []
+    unencrypted_regex: ^(kind)$
+    version: 3.8.1
--- a/terraform/storage/minio/svc_volsync.tf
+++ b/terraform/storage/minio/svc_volsync.tf
@@ -0,0 +1,37 @@
+resource "aws_s3_bucket" "volsync" {
+  bucket = "volsync"
+  acl    = "private"
+}
+
+resource "aws_iam_user" "volsync_user" {
+  name = "volsync"
+}
+
+resource "aws_iam_policy" "volsync_private" {
+  name        = "volsync_private"
+  description = "Policy for volsync user to access volsync bucket"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Action = [
+          "s3:ListBucket",
+          "s3:PutObject",
+          "s3:GetObject",
+          "s3:DeleteObject"
+        ],
+        Effect = "Allow",
+        Resource = [
+          "arn:aws:s3:::volsync/*",
+          "arn:aws:s3:::volsync"
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_user_policy_attachment" "volsync_user_policy_attachment" {
+  user       = aws_iam_user.volsync_user.name
+  policy_arn = aws_iam_policy.volsync_private.arn
+}