aws: Add example w/ S3 & cross-account access

11 years ago · 0a637be9b3
parent 2c30ff276e
commit 0a637be9b3
6 changed files with 94 additions and 0 deletions
--- a/examples/aws-s3-cross-account-access/README.md
+++ b/examples/aws-s3-cross-account-access/README.md
@ -0,0 +1,20 @@
+# S3 bucket with cross-account access
+
+This example describes how to create an S3 bucket in one AWS account and give access to that bucket to another user from another AWS account using bucket policy.
+It demonstrates capabilities of provider aliases.
+
+See [more in the S3 documentation](http://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example2.html).
+
+## How to run
+
+Either `cp terraform.template.tfvars terraform.tfvars` and modify that new file accordingly or provide variables via CLI:
+
+```
+terraform apply \
+	-var="prod_access_key=AAAAAAAAAAAAAAAAAAA" \
+	-var="prod_secret_key=SuperSecretKeyForAccountA" \
+	-var="test_account_id=123456789012" \
+	-var="test_access_key=BBBBBBBBBBBBBBBBBBB" \
+	-var="test_secret_key=SuperSecretKeyForAccountB" \
+	-var="bucket_name=tf-bucket-in-prod" \
+```
--- a/examples/aws-s3-cross-account-access/main.tf
+++ b/examples/aws-s3-cross-account-access/main.tf
@ -0,0 +1,54 @@
+provider "aws" {
+	alias = "prod"
+
+	region = "us-east-1"
+	access_key = "${var.prod_access_key}"
+	secret_key = "${var.prod_secret_key}"
+}
+
+resource "aws_s3_bucket" "prod" {
+	provider = "aws.prod"
+
+	bucket = "${var.bucket_name}"
+	acl = "private"
+	policy = <<POLICY
+{
+    "Version": "2008-10-17",
+    "Statement": [
+        {
+            "Sid": "AllowTest",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::${var.test_account_id}:root"
+            },
+            "Action": "s3:*",
+            "Resource": "arn:aws:s3:::${var.bucket_name}/*"
+        }
+    ]
+}
+POLICY
+}
+
+resource "aws_s3_bucket_object" "prod" {
+	provider = "aws.prod"
+
+    bucket = "${aws_s3_bucket.prod.id}"
+    key = "object-uploaded-via-prod-creds"
+    source = "${path.module}/prod.txt"
+}
+
+provider "aws" {
+	alias = "test"
+
+	region = "us-east-1"
+	access_key = "${var.test_access_key}"
+	secret_key = "${var.test_secret_key}"
+}
+
+resource "aws_s3_bucket_object" "test" {
+	provider = "aws.test"
+
+    bucket = "${aws_s3_bucket.prod.id}"
+    key = "object-uploaded-via-test-creds"
+    source = "${path.module}/test.txt"
+}
--- a/examples/aws-s3-cross-account-access/prod.txt
+++ b/examples/aws-s3-cross-account-access/prod.txt
@ -0,0 +1 @@
+Hello from PROD
--- a/examples/aws-s3-cross-account-access/terraform.template.tfvars
+++ b/examples/aws-s3-cross-account-access/terraform.template.tfvars
@ -0,0 +1,10 @@
+# prod account
+prod_access_key = "AAAAAAAAAAAAAAAAAAA"
+prod_secret_key = "SuperSecretKeyForAccountA"
+
+# test account
+test_account_id = "123456789012"
+test_access_key = "BBBBBBBBBBBBBBBBBBB"
+test_secret_key = "SuperSecretKeyForAccountB"
+
+bucket_name = "tf-test-bucket-in-prod"
--- a/examples/aws-s3-cross-account-access/test.txt
+++ b/examples/aws-s3-cross-account-access/test.txt
@ -0,0 +1 @@
+Hello from Test
--- a/examples/aws-s3-cross-account-access/variables.tf
+++ b/examples/aws-s3-cross-account-access/variables.tf
@ -0,0 +1,8 @@
+variable "prod_access_key" {}
+variable "prod_secret_key" {}
+
+variable "test_account_id" {}
+variable "test_access_key" {}
+variable "test_secret_key" {}
+
+variable "bucket_name" {}