hyperlane-monorepo/rust/main/terraform/modules/s3/main.tf


# S3 bucket that holds the validator's published signatures.
# The bucket name is derived from the validator name, so it must be globally unique
# across S3; pick `validator_name` accordingly.
resource "aws_s3_bucket" "validator_bucket" {
  bucket = "${var.validator_name}-signatures"

  # `terraform destroy` is allowed to remove the bucket even when it still holds
  # objects. Because versioning is enabled on this bucket elsewhere in the module,
  # that also deletes every retained object version, so the signatures are gone for good.
  force_destroy = true
}
# Public-access-block settings for the signatures bucket.
#
# Public reads are granted deliberately through the bucket policy (not through ACLs),
# so ACL-based public access is shut off while policy-based public access stays possible.
# Do not copy this block for buckets that hold private data: there, all four flags should be true.
resource "aws_s3_bucket_public_access_block" "validator_bucket_public_access_block" {
  bucket = aws_s3_bucket.validator_bucket.id

  # Reject any new public ACL on the bucket or its objects.
  block_public_acls = true
  # Disregard public ACLs that may already exist.
  ignore_public_acls = true

  # Must stay false: `true` would make S3 refuse the public-read bucket policy
  # attached to this bucket.
  block_public_policy = false
  # Must stay false: `true` would make S3 ignore the anonymous grants in the bucket
  # policy, leaving only same-account and AWS-service principals with access.
  restrict_public_buckets = false
}
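# Bucket policy for the signatures bucket.
#
# Statement 1 grants anonymous read access: anyone can list the bucket's keys and
# fetch any object. This is intended, since the signatures are meant to be consumed
# publicly, but it also means every object key and every object body is world-readable.
# Nothing private should ever be written to this bucket.
#
# Statement 2 grants the validator's IAM user (var.validator_iam_user_arn, a user ARN,
# not a role) the write/delete permissions it needs to publish signatures.
#
# `s3:ListBucket` is evaluated against the bucket ARN and the object actions against
# `<bucket arn>/*`; listing both resources in each statement keeps the policy valid
# for every action it names.
resource "aws_s3_bucket_policy" "validator_bucket_policy" {
  bucket = aws_s3_bucket.validator_bucket.id

  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        # Anonymous, unauthenticated read-only access.
        Effect    = "Allow",
        Principal = "*",
        Action = [
          "s3:GetObject",  # read any object
          "s3:ListBucket", # enumerate object keys
        ],
        Resource = [
          aws_s3_bucket.validator_bucket.arn,        # bucket itself (ListBucket)
          "${aws_s3_bucket.validator_bucket.arn}/*", # every object (GetObject)
        ]
      },
      {
        # Read/write access for the validator that publishes into this bucket.
        Effect = "Allow",
        Principal = {
          AWS = var.validator_iam_user_arn # validator's IAM user ARN
        },
        Action = [
          "s3:PutObject",    # upload new / overwrite existing objects
          "s3:GetObject",    # read objects
          "s3:ListBucket",   # enumerate object keys
          "s3:DeleteObject", # delete objects (current version; older versions are retained by versioning)
        ],
        Resource = [
          aws_s3_bucket.validator_bucket.arn,        # bucket itself (ListBucket)
          "${aws_s3_bucket.validator_bucket.arn}/*", # every object
        ]
      }
    ]
  })
}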
# Turn on object versioning for the signatures bucket.
#
# With versioning enabled, overwriting or deleting an object keeps the previous
# versions, so an accidental or unwanted write can be rolled back. Note that the
# bucket is created with `force_destroy = true`, so a `terraform destroy` still
# removes all versions.
resource "aws_s3_bucket_versioning" "validator_bucket_versioning" {
  bucket = aws_s3_bucket.validator_bucket.id

  versioning_configuration {
    status = "Enabled"
  }
}