@franzwong
Last active July 3, 2022 01:34
Terraform configuration for Synology Cloud Sync with AWS S3
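terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      # aws_s3_bucket_acl (declared further down) only exists in the 4.x
      # AWS provider; with "~> 3.0" `terraform init` rejects that resource
      # type, so the constraint is raised to the 4.x line.
      version = "~> 4.0"
    }
  }
  # Terraform 1.x. The original "~> 1.0.0" pin admitted only 1.0.x patch
  # releases; "~> 1.0" keeps the same major but no longer blocks minor CLI
  # upgrades.
  required_version = "~> 1.0"
}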
# Default AWS provider; credentials come from the usual provider chain
# (environment, shared config, instance role), only the region is set here.
provider "aws" {
  region = var.aws_region
}
# Dedicated IAM identity for the NAS. No identity-based policy is attached;
# the only S3 permissions it gets come from the bucket policy below, which
# names this user's ARN as principal.
resource "aws_iam_user" "bucket_owner" {
  name = var.sync_bucket_owner_username
}
# Long-lived access key the Synology Cloud Sync task authenticates with.
# The secret half is exposed through the `access_key_secret` output and is
# also retained in clear text in the Terraform state; setting `pgp_key`
# here would leave only `encrypted_secret` in state/outputs instead.
resource "aws_iam_access_key" "bucket_owner" {
  user = aws_iam_user.bucket_owner.name
}
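# Read the value with `terraform output -raw access_key_secret`.
# `sensitive = true` only redacts it from plan/apply output and the
# unfiltered `terraform output` listing; the secret is still stored in
# clear text in the state file, so the state itself must be protected
# (encrypted remote backend, restricted access). The matching access key
# id (aws_iam_access_key.bucket_owner.id) is not exported here.
output "access_key_secret" {
  description = "Secret access key of the Cloud Sync IAM user; paste it into the Synology Cloud Sync task."
  value       = aws_iam_access_key.bucket_owner.secret
  sensitive   = true
}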
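# Bucket the Synology Cloud Sync task targets. The bucket policy is kept
# in its own aws_s3_bucket_policy resource instead of the inline `policy`
# argument, which the 4.x AWS provider deprecates; the separate resource
# is available in both the 3.x and 4.x provider, so this works under
# either version pin. The redundant `provider = aws` (the default
# provider) is dropped.
#
# NOTE(review): neither server-side encryption nor versioning is
# configured for this bucket; add aws_s3_bucket_server_side_encryption_configuration
# and aws_s3_bucket_versioning if the synced data warrants it.
# On an already-deployed state, moving the policy out of the bucket
# resource shows up as a remove-then-attach of the same policy on apply.
resource "aws_s3_bucket" "sync_bucket" {
  bucket = var.sync_bucket_name
}

resource "aws_s3_bucket_policy" "sync_bucket" {
  bucket = aws_s3_bucket.sync_bucket.id
  policy = data.aws_iam_policy_document.sync_bucket.json
}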
# Explicit private canned ACL on the sync bucket (a 4.x provider resource).
# NOTE(review): if the account's S3 Object Ownership default is
# BucketOwnerEnforced, ACLs are disabled and this resource fails to apply;
# either pair it with aws_s3_bucket_ownership_controls or rely on the
# public-access block below alone — confirm against the target account.
resource "aws_s3_bucket_acl" "sync_bucket" {
  acl    = "private"
  bucket = aws_s3_bucket.sync_bucket.id
}
# Bucket policy granting exactly one principal, the Cloud Sync IAM user,
# object read/write/delete on the bucket contents and listing on the
# bucket itself. The bucket ARN is built from the variable rather than
# from aws_s3_bucket.sync_bucket.arn because the bucket resource consumes
# this document, so referencing it back would form a cycle.
data "aws_iam_policy_document" "sync_bucket" {
  # Object-level access: everything under the bucket.
  statement {
    effect    = "Allow"
    resources = ["arn:aws:s3:::${var.sync_bucket_name}/*"]
    actions = [
      "s3:GetObject",
      "s3:PutObject",
      "s3:DeleteObject",
    ]

    principals {
      type        = "AWS"
      identifiers = [aws_iam_user.bucket_owner.arn]
    }
  }

  # Bucket-level access: listing only, on the bucket ARN itself.
  statement {
    effect    = "Allow"
    resources = ["arn:aws:s3:::${var.sync_bucket_name}"]
    actions = [
      "s3:ListBucket",
    ]

    principals {
      type        = "AWS"
      identifiers = [aws_iam_user.bucket_owner.arn]
    }
  }
}
# All four public-access switches on: public ACLs and public bucket
# policies are rejected at write time and ignored if already present, and
# cross-account access to the bucket is restricted. The redundant
# `provider = aws` (default provider) is dropped.
resource "aws_s3_bucket_public_access_block" "sync_bucket" {
  bucket = aws_s3_bucket.sync_bucket.id

  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}
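# Input variables. Types and descriptions are added so mistakes surface at
# plan time; all existing .tfvars / -var inputs remain valid.
variable "aws_region" {
  type        = string
  description = "AWS region the provider and the sync bucket are created in."
}

# NOTE(review): declared but not referenced anywhere in this configuration;
# kept so existing variable files keep working.
variable "aws_account_id" {
  type        = string
  description = "AWS account id (currently unused by this configuration)."
}

variable "sync_bucket_name" {
  type        = string
  description = "Name of the S3 bucket Cloud Sync writes to; must be globally unique."
}

variable "sync_bucket_owner_username" {
  type        = string
  description = "IAM user name that receives the Cloud Sync access key."
}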