Add AWS resources for East and West regions, including S3 buckets and…

… KMS keys
CSVD · Mar 20, 2025 · 1fdce7d · 1fdce7d
1 parent de443e5
commit 1fdce7d
Show file tree

Hide file tree

Showing 4 changed files with 334 additions and 30 deletions.
diff --git a/.terraform_commits b/.terraform_commits
@@ -4,5 +4,11 @@
     "commit_message": "working on adding template repo for aws-image-pipeline",
     "author": "arnol377",
     "timestamp": "2025-03-18T17:55:41.004668"
+  },
+  {
+    "commit_hash": "de443e5fee4bda81fc3c7e8022577ea8cb184f4a",
+    "commit_message": "Implement code changes to enhance functionality and improve performance",
+    "author": "arnol377",
+    "timestamp": "2025-03-19T20:31:17.707462"
   }
 ]
diff --git a/actions-bucket.tf b/actions-bucket.tf
@@ -1,9 +1,9 @@
 locals {
-  bucket_name             = "csvd-dev-ew-github-actions"
-  kms_key_deletion_days   = 30
-  kms_alias_name         = "csvd-dev-ew-github-actions"
-  kms_description        = "KMS key for actions bucket encryption"
-  enable_key_rotation    = true
+  base_bucket_name      = "csvd-dev-ew-github-actions"
+  east_bucket_name      = "${local.base_bucket_name}-east"
+  kms_key_deletion_days = 30
+  kms_description       = "KMS key for actions bucket encryption"
+  enable_key_rotation   = true
 
   # S3 permissions for ECS role
   ecs_s3_actions = [
@@ -18,11 +18,12 @@ locals {
 data "aws_partition" "current" {}
 data "aws_caller_identity" "current" {}
 
-# KMS key for bucket encryption
-resource "aws_kms_key" "actions_bucket" {
-  description             = local.kms_description
+# West Region Resources
+resource "aws_kms_key" "actions_bucket_west" {
+  provider                = aws.west
+  description            = "${local.kms_description} (West)"
   deletion_window_in_days = local.kms_key_deletion_days
-  enable_key_rotation     = local.enable_key_rotation
+  enable_key_rotation    = local.enable_key_rotation
 
   policy = jsonencode({
     Version = "2012-10-17"
@@ -40,48 +41,49 @@ resource "aws_kms_key" "actions_bucket" {
   })
 }
 
-resource "aws_kms_alias" "actions_bucket" {
-  name          = "alias/${local.kms_alias_name}"
-  target_key_id = aws_kms_key.actions_bucket.key_id
+resource "aws_kms_alias" "actions_bucket_west" {
+  provider      = aws.west
+  name          = "alias/${local.base_bucket_name}"
+  target_key_id = aws_kms_key.actions_bucket_west.key_id
 }
 
-# S3 Bucket
-resource "aws_s3_bucket" "actions" {
-  bucket = local.bucket_name
+resource "aws_s3_bucket" "actions_west" {
+  provider = aws.west
+  bucket   = local.base_bucket_name
 }
 
-# Bucket versioning
-resource "aws_s3_bucket_versioning" "actions" {
-  bucket = aws_s3_bucket.actions.id
+resource "aws_s3_bucket_versioning" "actions_west" {
+  provider = aws.west
+  bucket   = aws_s3_bucket.actions_west.id
   versioning_configuration {
     status = "Enabled"
   }
 }
 
-# Bucket encryption
-resource "aws_s3_bucket_server_side_encryption_configuration" "actions" {
-  bucket = aws_s3_bucket.actions.id
+resource "aws_s3_bucket_server_side_encryption_configuration" "actions_west" {
+  provider = aws.west
+  bucket   = aws_s3_bucket.actions_west.id
 
   rule {
     apply_server_side_encryption_by_default {
-      kms_master_key_id = aws_kms_key.actions_bucket.arn
+      kms_master_key_id = aws_kms_key.actions_bucket_west.arn
       sse_algorithm     = "aws:kms"
     }
   }
 }
 
-# Block public access
-resource "aws_s3_bucket_public_access_block" "actions" {
-  bucket                  = aws_s3_bucket.actions.id
+resource "aws_s3_bucket_public_access_block" "actions_west" {
+  provider                = aws.west
+  bucket                  = aws_s3_bucket.actions_west.id
   block_public_acls       = true
   block_public_policy     = true
   ignore_public_acls      = true
   restrict_public_buckets = true
 }
 
-# Bucket policy
-resource "aws_s3_bucket_policy" "actions" {
-  bucket = aws_s3_bucket.actions.id
+resource "aws_s3_bucket_policy" "actions_west" {
+  provider = aws.west
+  bucket   = aws_s3_bucket.actions_west.id
 
   policy = jsonencode({
     Version = "2012-10-17"
@@ -94,8 +96,94 @@ resource "aws_s3_bucket_policy" "actions" {
         }
         Action   = local.ecs_s3_actions
         Resource = [
-          aws_s3_bucket.actions.arn,
-          "${aws_s3_bucket.actions.arn}/*"
+          aws_s3_bucket.actions_west.arn,
+          "${aws_s3_bucket.actions_west.arn}/*"
+        ]
+      }
+    ]
+  })
+}
+
+# East Region Resources
+resource "aws_kms_key" "actions_bucket_east" {
+  provider                = aws.east
+  description            = "${local.kms_description} (East)"
+  deletion_window_in_days = local.kms_key_deletion_days
+  enable_key_rotation    = local.enable_key_rotation
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "Enable IAM User Permissions"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
+        }
+        Action   = "kms:*"
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_kms_alias" "actions_bucket_east" {
+  provider      = aws.east
+  name          = "alias/${local.east_bucket_name}"
+  target_key_id = aws_kms_key.actions_bucket_east.key_id
+}
+
+resource "aws_s3_bucket" "actions_east" {
+  provider = aws.east
+  bucket   = local.east_bucket_name
+}
+
+resource "aws_s3_bucket_versioning" "actions_east" {
+  provider = aws.east
+  bucket   = aws_s3_bucket.actions_east.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "actions_east" {
+  provider = aws.east
+  bucket   = aws_s3_bucket.actions_east.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.actions_bucket_east.arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "actions_east" {
+  provider                = aws.east
+  bucket                  = aws_s3_bucket.actions_east.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_policy" "actions_east" {
+  provider = aws.east
+  bucket   = aws_s3_bucket.actions_east.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "AllowECSServiceRole"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS"
+        }
+        Action   = local.ecs_s3_actions
+        Resource = [
+          aws_s3_bucket.actions_east.arn,
+          "${aws_s3_bucket.actions_east.arn}/*"
         ]
       }
     ]