fleet/infrastructure/loadtesting/terraform/s3.tf

data "aws_iam_policy_document" "software_installers" {
  statement {
    actions = [
      "s3:GetObject*",
      "s3:PutObject*",
      "s3:ListBucket*",
      "s3:ListMultipartUploadParts*",
      "s3:DeleteObject",
      "s3:CreateMultipartUpload",
      "s3:AbortMultipartUpload",
      "s3:ListMultipartUploadParts",
      "s3:GetBucketLocation"
    ]
    resources = [aws_s3_bucket.software_installers.arn, "${aws_s3_bucket.software_installers.arn}/*"]
  }
  dynamic "statement" {
    for_each = local.software_installers_kms_policy
    content {
      sid       = try(statement.value.sid, "")
      actions   = try(statement.value.actions, [])
      resources = try(statement.value.resources, [])
      effect    = try(statement.value.effect, null)
      dynamic "principals" {
        for_each = try(statement.value.principals, [])
        content {
          type        = principals.value.type
          identifiers = principals.value.identifiers
        }
      }
      dynamic "condition" {
        for_each = try(statement.value.conditions, [])
        content {
          test     = condition.value.test
          variable = condition.value.variable
          values   = condition.value.values
        }
      }
    }
  }
}

resource "aws_iam_policy" "software_installers" {
  policy = data.aws_iam_policy_document.software_installers.json
}

resource "aws_iam_role_policy_attachment" "software_installers" {
  policy_arn = aws_iam_policy.software_installers.arn
  role       = aws_iam_role.main.name
}

resource "aws_s3_bucket" "software_installers" { #tfsec:ignore:aws-s3-encryption-customer-key:exp:2022-07-01  #tfsec:ignore:aws-s3-enable-versioning #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2022-06-15
  bucket_prefix = terraform.workspace

  # Allow destroy of non-empty buckets
  force_destroy = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "software_installers" {
  bucket = aws_s3_bucket.software_installers.bucket
  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.software_installers.id
      sse_algorithm     = "aws:kms"
    }
  }
}

resource "aws_s3_bucket_public_access_block" "software_installers" {
  bucket                  = aws_s3_bucket.software_installers.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_kms_key" "software_installers" {
  enable_key_rotation = true
}

resource "aws_kms_alias" "software_installers" {
  target_key_id = aws_kms_key.software_installers.id
  name          = "alias/${terraform.workspace}-software-installers"
}
add s3 installers to loadtest (#22306) 2024-09-23 18:28:23 +00:00			`data "aws_iam_policy_document" "software_installers" {`
			`statement {`
			`actions = [`
			`"s3:GetObject*",`
			`"s3:PutObject*",`
			`"s3:ListBucket*",`
			`"s3:ListMultipartUploadParts*",`
			`"s3:DeleteObject",`
			`"s3:CreateMultipartUpload",`
			`"s3:AbortMultipartUpload",`
			`"s3:ListMultipartUploadParts",`
			`"s3:GetBucketLocation"`
			`]`
			`resources = [aws_s3_bucket.software_installers.arn, "${aws_s3_bucket.software_installers.arn}/*"]`
			`}`
Loadtesting - Enable Cloudfront (#31073) # Added - Added kms.tf to support encrypting keys, specifically cloudfront keys. - Added template/cloudfront.tf.disabled for use in enabling cloudfront.- Modified ecs-iam.tf to support log-alb.tf, cloudfront.tf policies that are injected into `local.extra_execution_iam_policies` and `local.iam`. - Added log-alb.tf to enable logging alb, required by cloudfront.tf. # Changed - Modified ecs.tf to support adding of additional secrets from `local.secrets`. - Modified firehose.tf to support provider required updates for deprecated resource configurations. - Modified init.tf to support `> v5.0` of `hashicorp/aws` provider. - Modified locals.tf to add `extra_execution_iam_policies`, `iam`, `software_installers_kms_policy`, `extra_secrets`, secrets, and `cloudfront_key_basename`, to support cloudfront. - Modified readme.md with instructions on how to enable cloudfront.tf - Modified redis.tf to support provider required updates for deprecated resource configurations - Modified s3.tf to support kms keys and add kms iam. - Modified terraform version in .github/workflows/tfvalidate.yml - 1.9.0 -> 1.10.4 2025-07-21 20:41:06 +00:00			`dynamic "statement" {`
			`for_each = local.software_installers_kms_policy`
			`content {`
			`sid = try(statement.value.sid, "")`
			`actions = try(statement.value.actions, [])`
			`resources = try(statement.value.resources, [])`
			`effect = try(statement.value.effect, null)`
			`dynamic "principals" {`
			`for_each = try(statement.value.principals, [])`
			`content {`
			`type = principals.value.type`
			`identifiers = principals.value.identifiers`
			`}`
			`}`
			`dynamic "condition" {`
			`for_each = try(statement.value.conditions, [])`
			`content {`
			`test = condition.value.test`
			`variable = condition.value.variable`
			`values = condition.value.values`
			`}`
			`}`
			`}`
			`}`
add s3 installers to loadtest (#22306) 2024-09-23 18:28:23 +00:00			`}`

			`resource "aws_iam_policy" "software_installers" {`
			`policy = data.aws_iam_policy_document.software_installers.json`
			`}`

			`resource "aws_iam_role_policy_attachment" "software_installers" {`
			`policy_arn = aws_iam_policy.software_installers.arn`
			`role = aws_iam_role.main.name`
			`}`

			`resource "aws_s3_bucket" "software_installers" { #tfsec:ignore:aws-s3-encryption-customer-key:exp:2022-07-01 #tfsec:ignore:aws-s3-enable-versioning #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2022-06-15`
			`bucket_prefix = terraform.workspace`
Loadtesting - Enable Cloudfront (#31073) # Added - Added kms.tf to support encrypting keys, specifically cloudfront keys. - Added template/cloudfront.tf.disabled for use in enabling cloudfront.- Modified ecs-iam.tf to support log-alb.tf, cloudfront.tf policies that are injected into `local.extra_execution_iam_policies` and `local.iam`. - Added log-alb.tf to enable logging alb, required by cloudfront.tf. # Changed - Modified ecs.tf to support adding of additional secrets from `local.secrets`. - Modified firehose.tf to support provider required updates for deprecated resource configurations. - Modified init.tf to support `> v5.0` of `hashicorp/aws` provider. - Modified locals.tf to add `extra_execution_iam_policies`, `iam`, `software_installers_kms_policy`, `extra_secrets`, secrets, and `cloudfront_key_basename`, to support cloudfront. - Modified readme.md with instructions on how to enable cloudfront.tf - Modified redis.tf to support provider required updates for deprecated resource configurations - Modified s3.tf to support kms keys and add kms iam. - Modified terraform version in .github/workflows/tfvalidate.yml - 1.9.0 -> 1.10.4 2025-07-21 20:41:06 +00:00
Allow Loadtesting environment non-empty s3 bucket cleanup on terraform destroy (#30899) * Modified resource aws_s3_bucket blocks to include `force_destroy = true` in firehose.tf and s3.tf. 2025-07-16 16:15:27 +00:00			`# Allow destroy of non-empty buckets`
			`force_destroy = true`
add s3 installers to loadtest (#22306) 2024-09-23 18:28:23 +00:00			`}`

			`resource "aws_s3_bucket_server_side_encryption_configuration" "software_installers" {`
			`bucket = aws_s3_bucket.software_installers.bucket`
			`rule {`
			`apply_server_side_encryption_by_default {`
Loadtesting - Enable Cloudfront (#31073) # Added - Added kms.tf to support encrypting keys, specifically cloudfront keys. - Added template/cloudfront.tf.disabled for use in enabling cloudfront.- Modified ecs-iam.tf to support log-alb.tf, cloudfront.tf policies that are injected into `local.extra_execution_iam_policies` and `local.iam`. - Added log-alb.tf to enable logging alb, required by cloudfront.tf. # Changed - Modified ecs.tf to support adding of additional secrets from `local.secrets`. - Modified firehose.tf to support provider required updates for deprecated resource configurations. - Modified init.tf to support `> v5.0` of `hashicorp/aws` provider. - Modified locals.tf to add `extra_execution_iam_policies`, `iam`, `software_installers_kms_policy`, `extra_secrets`, secrets, and `cloudfront_key_basename`, to support cloudfront. - Modified readme.md with instructions on how to enable cloudfront.tf - Modified redis.tf to support provider required updates for deprecated resource configurations - Modified s3.tf to support kms keys and add kms iam. - Modified terraform version in .github/workflows/tfvalidate.yml - 1.9.0 -> 1.10.4 2025-07-21 20:41:06 +00:00			`kms_master_key_id = aws_kms_key.software_installers.id`
			`sse_algorithm = "aws:kms"`
add s3 installers to loadtest (#22306) 2024-09-23 18:28:23 +00:00			`}`
			`}`
			`}`

			`resource "aws_s3_bucket_public_access_block" "software_installers" {`
			`bucket = aws_s3_bucket.software_installers.id`
			`block_public_acls = true`
			`block_public_policy = true`
			`ignore_public_acls = true`
			`restrict_public_buckets = true`
			`}`
Loadtesting - Enable Cloudfront (#31073) # Added - Added kms.tf to support encrypting keys, specifically cloudfront keys. - Added template/cloudfront.tf.disabled for use in enabling cloudfront.- Modified ecs-iam.tf to support log-alb.tf, cloudfront.tf policies that are injected into `local.extra_execution_iam_policies` and `local.iam`. - Added log-alb.tf to enable logging alb, required by cloudfront.tf. # Changed - Modified ecs.tf to support adding of additional secrets from `local.secrets`. - Modified firehose.tf to support provider required updates for deprecated resource configurations. - Modified init.tf to support `> v5.0` of `hashicorp/aws` provider. - Modified locals.tf to add `extra_execution_iam_policies`, `iam`, `software_installers_kms_policy`, `extra_secrets`, secrets, and `cloudfront_key_basename`, to support cloudfront. - Modified readme.md with instructions on how to enable cloudfront.tf - Modified redis.tf to support provider required updates for deprecated resource configurations - Modified s3.tf to support kms keys and add kms iam. - Modified terraform version in .github/workflows/tfvalidate.yml - 1.9.0 -> 1.10.4 2025-07-21 20:41:06 +00:00
			`resource "aws_kms_key" "software_installers" {`
			`enable_key_rotation = true`
			`}`

			`resource "aws_kms_alias" "software_installers" {`
			`target_key_id = aws_kms_key.software_installers.id`
			`name = "alias/${terraform.workspace}-software-installers"`
			`}`