From 5620165b3334e9a8b8a6ef4eb6c2685b103ae5ce Mon Sep 17 00:00:00 2001
From: kirby
Date: Wed, 28 May 2025 12:02:11 +0200
Subject: [PATCH] terraform: add applications module
---
 terraform/modules/applications/.gitignore | 7 +
 .../modules/applications/.terraform-docs.yml | 47 +++++
 terraform/modules/applications/README.md | 118 +++++++++++
 terraform/modules/applications/buckets.tf | 115 +++++++++++
 terraform/modules/applications/docs/header.md | 37 ++++
 terraform/modules/applications/iam.tf | 41 ++++
 terraform/modules/applications/main.tf | 8 +
 terraform/modules/applications/outputs.tf | 76 +++++++
 terraform/modules/applications/sns.tf | 24 +++
 terraform/modules/applications/sqs.tf | 28 +++
 terraform/modules/applications/variables.tf | 192 ++++++++++++++++++
 11 files changed, 693 insertions(+)
 create mode 100644 terraform/modules/applications/.gitignore
 create mode 100644 terraform/modules/applications/.terraform-docs.yml
 create mode 100644 terraform/modules/applications/README.md
 create mode 100644 terraform/modules/applications/buckets.tf
 create mode 100644 terraform/modules/applications/docs/header.md
 create mode 100644 terraform/modules/applications/iam.tf
 create mode 100644 terraform/modules/applications/main.tf
 create mode 100644 terraform/modules/applications/outputs.tf
 create mode 100644 terraform/modules/applications/sns.tf
 create mode 100644 terraform/modules/applications/sqs.tf
 create mode 100644 terraform/modules/applications/variables.tf
diff --git a/terraform/modules/applications/.gitignore b/terraform/modules/applications/.gitignore
new file mode 100644
index 0000000..df50a6a
--- /dev/null
+++ b/terraform/modules/applications/.gitignore
@@ -0,0 +1,7 @@
+*.swp
+.terraform*
+main.tfvars
+terraform.tfstate*
+plan.tfplan
+errored.tfstate
+!.terraform-docs.yml
diff --git a/terraform/modules/applications/.terraform-docs.yml b/terraform/modules/applications/.terraform-docs.yml
new file mode 100644
index 0000000..73058d1
--- /dev/null
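Review bot: `.terraform*` on the second line of the .gitignore also matches `.terraform.lock.hcl`, so the provider dependency lock file — the one artefact that pins the scaleway provider to an exact version and checksum — never reaches the repository, while `.terraform-docs.yml` in this same commit sets `lockfile: true` and therefore expects it. Narrow the pattern to the working directory, `.terraform/`, or add `!.terraform.lock.hcl` beside the existing `!.terraform-docs.yml` negation, and commit the lock file so every `terraform init` verifies the same provider build. The remaining entries (state files, plans, `main.tfvars`) are sensible to keep out of version control.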
+++ b/terraform/modules/applications/.terraform-docs.yml @@ -0,0 +1,47 @@ +formatter: "md table" # this is required + +version: "" + +header-from: docs/header.md +footer-from: "" + +recursive: + enabled: false + path: modules + +sections: + hide: [] + show: [] + +content: "" + +output: + file: "" + mode: inject + template: |- + + {{ .Content }} + + +output-values: + enabled: false + from: "" + +sort: + enabled: true + by: name + +settings: + anchor: true + color: true + default: true + description: false + escape: true + hide-empty: false + html: true + indent: 2 + lockfile: true + read-comments: true + required: true + sensitive: true + type: true diff --git a/terraform/modules/applications/README.md b/terraform/modules/applications/README.md new file mode 100644 index 0000000..1a7b5ae --- /dev/null +++ b/terraform/modules/applications/README.md 
@@ -0,0 +1,118 @@ + +## Description du module + +Ce module a pour but de gérer les applications et leur ressources associées dans le cloud public Scaleway. + +## Fonctionnement du module + +- Ce module prend en charge la gestion des ressources suivantes : + - Les applications, groupes et policies de l'IAM Scaleway. + - Les buckets S3 et de leur policy associée. + - Les file d'attente de type SQS et leurs identifiants associés. + +### Fonctionnement bucket S3 + +#### Pré-requis + +- Une liste de bucket est déclarée au sein de l'application. +- Pour déclarer des règles de cycle de vie (lifecycle\_rules), au moins expiration\_days ou le couple transition\_days et transition\_sc doivent être déclarés. + +#### Fonctionnement + +- Pour chaque bucket de la liste buckets\_list, une resource va être déclarée. Dans cette ressource, une lifecycle\_rule va être déclarée pour chaque membre de la liste de lifecycle\_rule. +- Pour chaque bucket de la liste buckets\_list, une policy est attachée et contient 3 sections : + - Une section pour autoriser l'application principale à accéder au bucket. + - Une section pour donner accès aux user\_id et application\_id des administrateurs. + - Une section pour donner accès à d'autres user\_id pour une application tierce. + +### Fonctionnement SQS + +#### Pré-requis + +- Avoir activé le module SQS dans l'interface Scaleway -> Messaging. +- Une liste de queue est déclarée au sein de l'application. + +#### Informations + +- On utilise une resource de type scaleway\_mnq\_sqs\_credentials.admin\_creds par projet. En effet, en lui donnant uniquement le droit "can\_manage", elle peut créer, supprimer et modifier des queues mais pas accéder à leur contenu. +- En parallèle, on créé un jeu d'identifiant par application et par queue qui ne disposent que des droits de publication/réception. 
+ +## Requirements + +| Name | Version | +|------|---------| +| [scaleway](#requirement\_scaleway) | >= 1.11.0 | + +## Providers + +| Name | Version | +|------|---------| +| [scaleway](#provider\_scaleway) | >= 1.11.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [scaleway_iam_api_key.keys](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/iam_api_key) | resource | +| [scaleway_iam_application.apps](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/iam_application) | resource | +| [scaleway_iam_group.groups](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/iam_group) | resource | +| [scaleway_iam_policy.group_policies](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/iam_policy) | resource | +| [scaleway_mnq_sns_credentials.app_creds](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/mnq_sns_credentials) | resource | +| [scaleway_mnq_sns_topic.main](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/mnq_sns_topic) | resource | +| [scaleway_mnq_sqs_credentials.app_creds](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/mnq_sqs_credentials) | resource | +| [scaleway_mnq_sqs_queue.main](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/mnq_sqs_queue) | resource | +| [scaleway_object_bucket.s3_buckets](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/object_bucket) | resource | +| [scaleway_object_bucket_policy.s3_policies](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/object_bucket_policy) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [admin\_creds\_access\_key](#input\_admin\_creds\_access\_key) | SQS Admin access key | `string` | `""` | 
no | +| [admin\_creds\_secret\_key](#input\_admin\_creds\_secret\_key) | SQS Admin secret key | `string` | `""` | no | +| [admins\_user\_id](#input\_admins\_user\_id) | List of s3 admin user's ID | `list(string)` | `[]` | no | +| [app\_desc](#input\_app\_desc) | Application's description | `string` | `""` | no | +| [app\_name](#input\_app\_name) | Name of the application | `string` | `"changeme"` | no | +| [app\_tags](#input\_app\_tags) | Application's tags | `map(string)` | `{}` | no | +| [buckets\_list](#input\_buckets\_list) | List of the application's buckets |
list(object({
bucket_name = string
bucket_region = optional(string)
bucket_versioning = optional(bool)
bucket_tags = optional(map(string))
bucket_policy_actions = optional(list(string))
bucket_lifecycle_rules = optional(list(object({
id = string
enabled = bool
prefix = optional(string)
expiration_days = optional(number)
transition_days = optional(number)
transition_sc = optional(string)
tags = optional(map(string))
})))
other_app_access = optional(list(string))
other_app_policy_actions= optional(list(string))
}))
| n/a | yes | +| [env](#input\_env) | App's environment (dev/stg/prd) | `string` | `"dev"` | no | +| [policy\_permissions](#input\_policy\_permissions) | Policy permissions for app | `list(string)` | `[]` | no | +| [project\_id](#input\_project\_id) | App's project ID | `string` | `"changeme"` | no | +| [readonly\_users\_id](#input\_readonly\_users\_id) | List of readonly user's ID | `list(string)` | `[]` | no | +| [sns\_admin\_creds\_access\_key](#input\_sns\_admin\_creds\_access\_key) | SNS Admin access key | `string` | `""` | no | +| [sns\_admin\_creds\_secret\_key](#input\_sns\_admin\_creds\_secret\_key) | SNS Admin secret key | `string` | `""` | no | +| [sns\_can\_manage](#input\_sns\_can\_manage) | Can SNS credentials manage the topic | `bool` | `false` | no | +| [sns\_can\_publish](#input\_sns\_can\_publish) | Can SNS credentials publish message to the topic | `bool` | `true` | no | +| [sns\_can\_receive](#input\_sns\_can\_receive) | Can SNS credentials receive message from the topic | `bool` | `true` | no | +| [sns\_fifo\_topic](#input\_sns\_fifo\_topic) | Is the topic in FIFO mode ? (name must end with .fifo) | `bool` | `false` | no | +| [sns\_topic\_list](#input\_sns\_topic\_list) | List of the SNS topics |
list(object({
sns_topic_name = string
sns_fifo_topic = optional(bool)
}))
| n/a | yes | +| [sqs\_can\_manage](#input\_sqs\_can\_manage) | Can SQS credentials manage the queue | `bool` | `false` | no | +| [sqs\_can\_publish](#input\_sqs\_can\_publish) | Can SQS credentials publish message to the queue | `bool` | `true` | no | +| [sqs\_can\_receive](#input\_sqs\_can\_receive) | Can SQS credentials receive message from the queue | `bool` | `true` | no | +| [sqs\_fifo\_queue](#input\_sqs\_fifo\_queue) | Is the queue in FIFO mode ? | `bool` | `false` | no | +| [sqs\_message\_max\_age](#input\_sqs\_message\_max\_age) | Max age of message before being deleted in seconds | `number` | `345600` | no | +| [sqs\_message\_max\_size](#input\_sqs\_message\_max\_size) | Max size of message accepted in octet | `number` | `262144` | no | +| [sqs\_queue\_list](#input\_sqs\_queue\_list) | List of the SQS queues |
list(object({
sqs_queue_name = string
sqs_fifo_queue = optional(bool)
sqs_message_max_age = optional(string)
sqs_message_max_size= optional(string)
}))
| n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [api\_access\_key](#output\_api\_access\_key) | App access key | +| [api\_secret\_key](#output\_api\_secret\_key) | App secret key | +| [app\_desc](#output\_app\_desc) | Description of the application | +| [app\_id](#output\_app\_id) | ID of the application | +| [app\_name](#output\_app\_name) | Name of the application | +| [bucket\_ID](#output\_bucket\_ID) | ID of the bucket | +| [bucket\_endpoint](#output\_bucket\_endpoint) | Bucket's endpoint | +| [sns\_creds\_access\_key](#output\_sns\_creds\_access\_key) | SNS Credentials access key | +| [sns\_creds\_secret\_key](#output\_sns\_creds\_secret\_key) | SNS Credentials secret key | +| [sns\_topic\_arn](#output\_sns\_topic\_arn) | SNS Topic ARN | +| [sqs\_creds\_access\_key](#output\_sqs\_creds\_access\_key) | SQS Credentials access key | +| [sqs\_creds\_secret\_key](#output\_sqs\_creds\_secret\_key) | SQS Credentials secret key | +| [sqs\_url\_endpoint](#output\_sqs\_url\_endpoint) | SQS URL Endpoint | + \ No newline at end of file diff --git a/terraform/modules/applications/buckets.tf b/terraform/modules/applications/buckets.tf new file mode 100644 index 0000000..6e3b0fd --- /dev/null +++ b/terraform/modules/applications/buckets.tf 
@@ -0,0 +1,115 @@
+resource "scaleway_object_bucket" "s3_buckets" {
+ for_each = (var.buckets_list == null) ? {} : { for b in var.buckets_list : b.bucket_name => b }
+
+ name = each.value.bucket_name
+ tags = each.value.bucket_tags
+ region = each.value.bucket_region
+ project_id = var.project_id
+ versioning {
+ enabled = each.value.bucket_versioning
+ }
+
+ /* Dans cette section, on ajoute un bloc lifecycle_rule pour chaque
+ élément présent dans la liste lifecycle_rules de l'objet buckets.
+ */
+ dynamic "lifecycle_rule" {
+ for_each = each.value.bucket_lifecycle_rules
+ content {
+ id = lifecycle_rule.value["id"]
+ prefix = lifecycle_rule.value["prefix"]
+ enabled = lifecycle_rule.value["enabled"]
+ tags = lifecycle_rule.value["tags"]
+ /* On ajoute les blocs expiration ou transition en fonction
+ de la présence ou non des variables expiration_days,
+ transition_days et transition_sc. Au moins l'un de ces blocs
+ est obligatoire pour que la règle soit valide.
+ */
+ dynamic "expiration" {
+ for_each = lifecycle_rule.value["expiration_days"] == null ? [] : [1]
+ content {
+ days = lifecycle_rule.value["expiration_days"]
+ }
+ }
+ dynamic "transition" {
+ for_each = (lifecycle_rule.value["transition_days"] == null) && (lifecycle_rule.value["transition_sc"] == null) ? [] : [1]
+ content {
+ days = lifecycle_rule.value["transition_days"]
+ storage_class = lifecycle_rule.value["transition_sc"]
+ }
+ }
+ }
+ }
+
+ depends_on = [
+ scaleway_iam_api_key.keys
+ ]
+}
+
+resource "scaleway_object_bucket_policy" "s3_policies" {
+ for_each = (var.buckets_list == null) ? 
{} : { for b in var.buckets_list : b.bucket_name => b }
+
+ bucket = each.value.bucket_name
+ policy = jsonencode({
+ Version = "2023-04-17",
+ Id = "${each.value.bucket_name}",
+ Statement = [
+ {
+ Sid = "RW-${each.value.bucket_name}",
+ Effect = "Allow",
+ Principal = {
+ SCW = "application_id:${scaleway_iam_application.apps.id}"
+ },
+ Action = "${each.value.bucket_policy_actions}",
+ Resource = [
+ "${each.value.bucket_name}",
+ "${each.value.bucket_name}/*"
+ ],
+ },
+ {
+ Sid = "Other-${each.value.bucket_name}",
+ Effect = "Allow",
+ Principal = {
+ SCW = "${each.value.other_app_access}"
+ },
+ Action = "${each.value.other_app_policy_actions}",
+ Resource = [
+ "${each.value.bucket_name}",
+ "${each.value.bucket_name}/*"
+ ],
+ },
+ {
+ Sid = "Admin-${each.value.bucket_name}",
+ Effect = "Allow",
+ Principal = {
+ SCW = var.admins_user_id
+ },
+ Action = "s3:*",
+ Resource = [
+ "${each.value.bucket_name}",
+ "${each.value.bucket_name}/*"
+ ],
+ },
+ {
+ Sid = "Readonly-${each.value.bucket_name}",
+ Effect = "Allow",
+ Principal = {
+ SCW = var.readonly_users_id
+ },
+ Action = ["s3:*"],
+ Resource = [
+ "${each.value.bucket_name}",
+ "${each.value.bucket_name}/*"
+ ],
+ "Condition": {
+ "StringLike": {
+ "aws:Referer": "https://console.scaleway.com/*"
+ }
+ }
+ }
+ ]
+ })
+
+ depends_on = [
+ scaleway_object_bucket.s3_buckets
+ ]
+}
diff --git a/terraform/modules/applications/docs/header.md b/terraform/modules/applications/docs/header.md
new file mode 100644
index 0000000..a95a97e
--- /dev/null
+++ b/terraform/modules/applications/docs/header.md
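Review bot: The statement with `Sid = "Readonly-…"` at the end of the policy in `scaleway_object_bucket_policy.s3_policies` grants `Action = ["s3:*"]`, the same full permission set as the Admin statement, so the listed users can write and delete objects; the `aws:Referer` condition only expresses which client path the request is expected to come from and, being a header the client sets, is not a permission boundary. Restrict it to read actions, e.g. `Action = ["s3:GetObject", "s3:ListBucket"]`, and keep the Referer match only if console-only use is genuinely the intent. When `other_app_access` is unset (it is `optional` in variables.tf) or `admins_user_id`/`readonly_users_id` keep their `[]` defaults, the policy still emits those statements with a null or empty `SCW` principal, which the API may reject, so build `Statement` with `concat()` and include each optional statement only when its principal list is non-empty, as below. The `"${…}"` wrappers around `bucket_policy_actions`, `other_app_access` and `other_app_policy_actions` are interpolation-only templates that Terraform reports as deprecated; plain references do the same job. docs/header.md and README.md in this commit describe a policy with three sections while this resource emits four.
```hcl
  policy = jsonencode({
    Version = "2023-04-17",
    Id      = each.value.bucket_name,
    Statement = concat(
      [
        # … unchanged: RW statement for scaleway_iam_application.apps, Action = each.value.bucket_policy_actions …
      ],
      try(length(each.value.other_app_access), 0) == 0 ? [] : [
        # … unchanged: Other statement, Principal.SCW = each.value.other_app_access …
      ],
      length(var.admins_user_id) == 0 ? [] : [
        # … unchanged: Admin statement …
      ],
      length(var.readonly_users_id) == 0 ? [] : [{
        Sid       = "Readonly-${each.value.bucket_name}",
        Effect    = "Allow",
        Principal = { SCW = var.readonly_users_id },
        Action    = ["s3:GetObject", "s3:ListBucket"],
        Resource  = [each.value.bucket_name, "${each.value.bucket_name}/*"],
        Condition = { StringLike = { "aws:Referer" = "https://console.scaleway.com/*" } }
      }],
    )
  })
```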
@@ -0,0 +1,37 @@ +## Description du module + +Ce module a pour but de gérer les applications et leur ressources associées dans le cloud public Scaleway. + +## Fonctionnement du module + +- Ce module prend en charge la gestion des ressources suivantes : + - Les applications, groupes et policies de l'IAM Scaleway. + - Les buckets S3 et de leur policy associée. + - Les file d'attente de type SQS et leurs identifiants associés. + +### Fonctionnement bucket S3 + +#### Pré-requis + +- Une liste de bucket est déclarée au sein de l'application. +- Pour déclarer des règles de cycle de vie (lifecycle_rules), au moins expiration_days ou le couple transition_days et transition_sc doivent être déclarés. + +#### Fonctionnement + +- Pour chaque bucket de la liste buckets_list, une resource va être déclarée. Dans cette ressource, une lifecycle_rule va être déclarée pour chaque membre de la liste de lifecycle_rule. +- Pour chaque bucket de la liste buckets_list, une policy est attachée et contient 3 sections : + - Une section pour autoriser l'application principale à accéder au bucket. + - Une section pour donner accès aux user_id et application_id des administrateurs. + - Une section pour donner accès à d'autres user_id pour une application tierce. + +### Fonctionnement SQS + +#### Pré-requis + +- Avoir activé le module SQS dans l'interface Scaleway -> Messaging. +- Une liste de queue est déclarée au sein de l'application. + +#### Informations + +- On utilise une resource de type scaleway_mnq_sqs_credentials.admin_creds par projet. En effet, en lui donnant uniquement le droit "can_manage", elle peut créer, supprimer et modifier des queues mais pas accéder à leur contenu. +- En parallèle, on créé un jeu d'identifiant par application et par queue qui ne disposent que des droits de publication/réception. diff --git a/terraform/modules/applications/iam.tf b/terraform/modules/applications/iam.tf new file mode 100644 index 0000000..55076b0 --- /dev/null 
+++ b/terraform/modules/applications/iam.tf
@@ -0,0 +1,41 @@
+resource "scaleway_iam_application" "apps" {
+ name = "${var.app_name}-${var.env}"
+ description = "${var.app_desc} env : ${var.env}"
+}
+
+resource "scaleway_iam_api_key" "keys" {
+ application_id = scaleway_iam_application.apps.id
+ description = "${var.app_name}-${var.env} api key"
+ default_project_id = var.project_id
+
+ depends_on = [
+ scaleway_iam_application.apps
+ ]
+}
+
+resource "scaleway_iam_group" "groups" {
+ name = "group-${var.app_name}-${var.env}"
+ description = "${var.app_name} IAM group for env ${var.env}"
+
+ application_ids = [
+ scaleway_iam_application.apps.id
+ ]
+
+ depends_on = [
+ scaleway_iam_application.apps
+ ]
+}
+
+resource scaleway_iam_policy "group_policies" {
+ name = "policy-${var.app_name}-${var.env}"
+ description = "${var.app_name} policy for group ${scaleway_iam_group.groups.name} in env ${var.env}"
+ group_id = scaleway_iam_group.groups.id
+ rule {
+ project_ids = [var.project_id]
+ permission_set_names = var.policy_permissions
+ }
+
+ depends_on = [
+ scaleway_iam_group.groups
+ ]
+}
diff --git a/terraform/modules/applications/main.tf b/terraform/modules/applications/main.tf
new file mode 100644
index 0000000..8f55cfd
--- /dev/null
+++ b/terraform/modules/applications/main.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ scaleway = {
+ source = "scaleway/scaleway"
+ version = ">= 1.11.0"
+ }
+ }
+}
diff --git a/terraform/modules/applications/outputs.tf b/terraform/modules/applications/outputs.tf
new file mode 100644
index 0000000..f074fdb
--- /dev/null
+++ b/terraform/modules/applications/outputs.tf
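Review bot: `scaleway_iam_api_key.keys` creates an application key with no expiry, and outputs.tf in this commit exports its `secret_key`, so the credential lives as long as the resource does and is present in state and in every apply output. If the provider version in use exposes the `expires_at` argument on `scaleway_iam_api_key`, set it (`expires_at = "<ROTATION_DATE placeholder>"`) and state the rotation expectation in `description`. Each `depends_on` block repeats a dependency that the same resource already expresses through a reference (`scaleway_iam_application.apps.id`, `scaleway_iam_group.groups.id`) and can be dropped. `resource scaleway_iam_policy "group_policies"` leaves the type label unquoted, unlike the three resources above it; `terraform fmt` will rewrite it to `resource "scaleway_iam_policy" "group_policies"`. `var.app_tags` is declared in variables.tf but applied to nothing here.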
@@ -0,0 +1,76 @@ +output "app_name" { + description = "Name of the application" + value = scaleway_iam_application.apps.name +} + +output "app_id" { + description = "ID of the application" + value = scaleway_iam_application.apps.id +} + +output "app_desc" { + description = "Description of the application" + value = scaleway_iam_application.apps.description +} + +output "api_access_key" { + description = "App access key" + value = scaleway_iam_api_key.keys.access_key +} + +output "api_secret_key" { + description = "App secret key" + value = scaleway_iam_api_key.keys.secret_key +} + +############## +# BUCKET OUTPUT +############## + +output "bucket_ID" { + description = "ID of the bucket" + value = [ for b in scaleway_object_bucket.s3_buckets: b.id ] +} + +output "bucket_endpoint" { + description = "Bucket's endpoint" + value = [ for b in scaleway_object_bucket.s3_buckets: b.endpoint ] +} + +############## +# SQS OUTPUT +############## + +output "sqs_creds_access_key" { + description = "SQS Credentials access key" + value = [ for c in scaleway_mnq_sqs_credentials.app_creds : c.access_key ] +} + +output "sqs_creds_secret_key" { + description = "SQS Credentials secret key" + value = [ for c in scaleway_mnq_sqs_credentials.app_creds : c.secret_key ] +} + +output "sqs_url_endpoint" { + description = "SQS URL Endpoint" + value = [ for c in scaleway_mnq_sqs_queue.main : c.url ] +} + +############## +# SQS OUTPUT +############## + +output "sns_creds_access_key" { + description = "SNS Credentials access key" + value = [ for c in scaleway_mnq_sns_credentials.app_creds : c.access_key ] +} + +output "sns_creds_secret_key" { + description = "SNS Credentials secret key" + value = [ for c in scaleway_mnq_sns_credentials.app_creds : c.secret_key ] +} + +output "sns_topic_arn" { + description = "SNS Topic ARN" + value = [ for a in scaleway_mnq_sns_topic.main : a.arn ] +} 
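Review bot: `api_secret_key`, `sqs_creds_secret_key` and `sns_creds_secret_key` return secret material but none of the outputs sets `sensitive = true`, so the values are printed in full by `terraform apply` and `terraform output` and end up in CI logs; add `sensitive = true` to each of those three outputs (the paired access-key outputs are worth marking too). The SQS and SNS outputs flatten keyed resources into unordered lists, which drops the queue or topic name a caller needs to match a credential to its queue; `{ for k, c in scaleway_mnq_sqs_credentials.app_creds : k => c.access_key }` keeps that association, and the same applies to `bucket_ID`/`bucket_endpoint`. The second `# SQS OUTPUT` banner heads the SNS outputs and should read `# SNS OUTPUT`.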
diff --git a/terraform/modules/applications/sns.tf b/terraform/modules/applications/sns.tf
new file mode 100644
index 0000000..4376908
--- /dev/null
+++ b/terraform/modules/applications/sns.tf
@@ -0,0 +1,24 @@
+resource "scaleway_mnq_sns_credentials" "app_creds" {
+ for_each = (var.sns_topic_list == null) ? {} : {for q in var.sns_topic_list : q.sns_topic_name => q }
+
+ project_id = var.project_id
+ name = "${var.app_name}-${each.value.sns_topic_name}"
+ permissions {
+ can_manage = false
+ can_receive = var.sns_can_receive
+ can_publish = var.sns_can_publish
+ }
+}
+
+resource "scaleway_mnq_sns_topic" "main" {
+ for_each = (var.sns_topic_list == null) ? {} : {for q in var.sns_topic_list : q.sns_topic_name => q }
+
+ project_id = var.project_id
+ name = each.value.sns_topic_name
+ access_key = var.sns_admin_creds_access_key
+ secret_key = var.sns_admin_creds_secret_key
+
+ depends_on = [
+ scaleway_mnq_sns_credentials.app_creds
+ ]
+}
diff --git a/terraform/modules/applications/sqs.tf b/terraform/modules/applications/sqs.tf
new file mode 100644
index 0000000..5ae465c
--- /dev/null
+++ b/terraform/modules/applications/sqs.tf
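Review bot: `can_manage = false` is hard-coded in `scaleway_mnq_sns_credentials.app_creds` while `var.sns_can_manage` is declared with a default of `false` and never read, and sqs.tf does the same with `var.sqs_can_manage`; either wire the variable in (`can_manage = var.sns_can_manage`) or remove the two unused variables so the module interface does not advertise a setting it ignores — leaving it fixed at `false` is the safer reading, since docs/header.md states that per-application credentials are meant to publish and receive only. The per-topic `sns_fifo_topic` field and `var.sns_fifo_topic` are never passed to `scaleway_mnq_sns_topic.main`, so a topic named `*.fifo` would not be created in FIFO mode; if the provider version in use exposes a `fifo_topic` argument, set it from `coalesce(each.value.sns_fifo_topic, var.sns_fifo_topic)`. The `depends_on` on the topic orders it after credentials it does not reference, which looks unnecessary.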
@@ -0,0 +1,28 @@
+resource "scaleway_mnq_sqs_credentials" "app_creds" {
+ for_each = (var.sqs_queue_list == null) ? {} : {for q in var.sqs_queue_list : q.sqs_queue_name => q }
+
+ project_id = var.project_id
+ name = "${var.app_name}-${each.value.sqs_queue_name}"
+ permissions {
+ can_manage = false
+ can_receive = var.sqs_can_receive
+ can_publish = var.sqs_can_publish
+ }
+}
+
+resource "scaleway_mnq_sqs_queue" "main" {
+ for_each = (var.sqs_queue_list == null) ? {} : {for q in var.sqs_queue_list : q.sqs_queue_name => q }
+
+ project_id = var.project_id
+ name = each.value.sqs_queue_name
+ access_key = var.admin_creds_access_key
+ secret_key = var.admin_creds_secret_key
+
+ fifo_queue = each.value.sqs_fifo_queue
+ message_max_age = each.value.sqs_message_max_age
+ message_max_size= each.value.sqs_message_max_size
+
+ depends_on = [
+ scaleway_mnq_sqs_credentials.app_creds
+ ]
+}
diff --git a/terraform/modules/applications/variables.tf b/terraform/modules/applications/variables.tf
new file mode 100644
index 0000000..d480569
--- /dev/null
+++ b/terraform/modules/applications/variables.tf
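Review bot: `fifo_queue`, `message_max_age` and `message_max_size` in `scaleway_mnq_sqs_queue.main` read only the per-queue optional fields, which are null when a caller leaves them out, so the module-level defaults `var.sqs_fifo_queue`, `var.sqs_message_max_age` (345600) and `var.sqs_message_max_size` (262144) declared in variables.tf are never applied. Use `fifo_queue = coalesce(each.value.sqs_fifo_queue, var.sqs_fifo_queue)`, `message_max_age = coalesce(each.value.sqs_message_max_age, var.sqs_message_max_age)` and `message_max_size = coalesce(each.value.sqs_message_max_size, var.sqs_message_max_size)`. That also requires the two per-queue fields to be typed `optional(number)` rather than `optional(string)`, matching the globals. The queue is created with `var.admin_creds_access_key`/`var.admin_creds_secret_key`, whose defaults are empty strings, so a caller that forgets them gets an authentication failure at apply time instead of a validation error at plan; a `validation` block on those variables, or no default, would surface that earlier.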
@@ -0,0 +1,192 @@ +################### +# GLOBAL VARIABLES +################### + +variable "project_id" { + description = "App's project ID" + type = string + default = "changeme" +} +################### +# APP VARIABLES +################### + +variable "app_name" { + description = "Name of the application" + type = string + default = "changeme" +} + +variable "app_desc" { + description = "Application's description" + type = string + default = "" +} + +variable "app_tags" { + description = "Application's tags" + type = map(string) + default = {} +} + +variable "env" { + description = "App's environment (dev/stg/prd)" + type = string + default = "dev" +} + +variable "policy_permissions" { + description = "Policy permissions for app" + type = list(string) + default = [] +} + +################### +# BUCKETS VARIABLE +################### + +variable "buckets_list" { + description = "List of the application's buckets" + type = list(object({ + bucket_name = string + bucket_region = optional(string) + bucket_versioning = optional(bool) + bucket_tags = optional(map(string)) + bucket_policy_actions = optional(list(string)) + bucket_lifecycle_rules = optional(list(object({ + id = string + enabled = bool + prefix = optional(string) + expiration_days = optional(number) + transition_days = optional(number) + transition_sc = optional(string) + tags = optional(map(string)) + }))) + other_app_access = optional(list(string)) + other_app_policy_actions= optional(list(string)) + })) +} + + +# 09/01/2024 - Pas possible de mettre des group_id comme principal +# cf https://feature-request.scaleway.com/posts/714/bucket-policy-with-group_id +variable "admins_user_id" { + description = "List of s3 admin user's ID" + type = list(string) + default = [] +} +variable "readonly_users_id" { + description = "List of readonly user's ID" + type = list(string) + default = [] +} + +################### +# SQS VARIABLES +################### + +variable "sqs_queue_list" { + description = "List of the 
SQS queues" + type = list(object({ + sqs_queue_name = string + sqs_fifo_queue = optional(bool) + sqs_message_max_age = optional(string) + sqs_message_max_size= optional(string) + })) +} + +variable "sqs_can_manage" { + description = "Can SQS credentials manage the queue" + type = bool + default = false +} + +variable "sqs_can_receive" { + description = "Can SQS credentials receive message from the queue" + type = bool + default = true +} + +variable "sqs_can_publish" { + description = "Can SQS credentials publish message to the queue" + type = bool + default = true +} + +variable "sqs_fifo_queue" { + description = "Is the queue in FIFO mode ?" + type = bool + default = false +} + +variable "sqs_message_max_age" { + description = "Max age of message before being deleted in seconds" + type = number + default = 345600 +} + +variable "sqs_message_max_size" { + description = "Max size of message accepted in octet" + type = number + default = 262144 +} + +variable "admin_creds_access_key" { + description = "SQS Admin access key" + type = string + default = "" +} + +variable "admin_creds_secret_key" { + description = "SQS Admin secret key" + type = string + default = "" +} + +################### +# SNS VARIABLES +################### + +variable "sns_topic_list" { + description = "List of the SNS topics" + type = list(object({ + sns_topic_name = string + sns_fifo_topic = optional(bool) + })) +} + +variable "sns_can_manage" { + description = "Can SNS credentials manage the topic" + type = bool + default = false +} + +variable "sns_can_receive" { + description = "Can SNS credentials receive message from the topic" + type = bool + default = true +} + +variable "sns_can_publish" { + description = "Can SNS credentials publish message to the topic" + type = bool + default = true +} + +variable "sns_fifo_topic" { + description = "Is the topic in FIFO mode ? 
(name must end with .fifo)" + type = bool + default = false +} + +variable "sns_admin_creds_access_key" { + description = "SNS Admin access key" + type = string + default = "" +} + +variable "sns_admin_creds_secret_key" { + description = "SNS Admin secret key" + type = string + default = "" +}
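Review bot: `admin_creds_secret_key` and `sns_admin_creds_secret_key` (and their access-key counterparts) receive live credentials but are declared without `sensitive = true`, so their values are shown in plan diffs and logs whenever they change; add `sensitive = true` to those four variables. `project_id` and `app_name` default to `"changeme"`, which lets a caller that omits them plan an IAM application, group and key literally named `changeme-dev` and only fail, if at all, when the API rejects the placeholder project id at apply; drop the defaults so Terraform demands the values at plan time. `sqs_message_max_age` and `sqs_message_max_size` inside `sqs_queue_list` are typed `optional(string)` while the module-level variables of the same name are `number`, and sqs.tf feeds the per-queue fields straight into the provider's numeric attributes. `sqs_can_manage`, `sns_can_manage` and `app_tags` are declared here but referenced by no resource in this commit.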