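# KV v2 mount that will hold this cluster's MinIO credentials (written by
# vault_kv_secret_v2.cluster below). KV v2 keeps secret versions, so a rotated
# access key can be rolled back if a consumer still holds the previous one.
resource "vault_mount" "cluster" {
  path        = var.name
  type        = "kv"
  options     = { version = "2" }
  description = "KV Version 2 secret engine mount for ${var.name}"
}

# Per-cluster bucket. The ACL is private, so nothing is reachable anonymously;
# access is granted only through the IAM policy defined below.
resource "minio_s3_bucket" "cluster" {
  bucket = var.name
  acl    = "private"
}

# TODO: Enable server-side encryption and versioning on the bucket.
# NOTE(review): the original draft referenced `minio_s3_bucket.management`,
# which is not defined in this module; it must target `minio_s3_bucket.cluster`.
# resource "minio_s3_bucket_server_side_encryption" "encryption" {
#   bucket          = minio_s3_bucket.cluster.bucket
#   encryption_type = "aws:kms"
#   kms_key_id      = var.aws_kms_key_id
# }

locals {
  # Least-privilege policy scoped to this cluster's bucket only: list the
  # bucket, and read/write/delete objects inside it.
  #
  # The bucket name is taken from the bucket resource rather than var.name so
  # the policy cannot drift from the bucket it guards and Terraform orders the
  # bucket before anything that uses the policy.
  #
  # The same document is attached to the IAM user and used as the inline
  # policy of its service account. A single definition guarantees the two
  # never diverge (MinIO evaluates a service account's inline policy as a
  # restriction of its parent user's permissions, so a wider inline policy
  # would be silently clipped rather than rejected -- confirm for the
  # provider/MinIO version in use).
  cluster_bucket_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["s3:ListBucket"]
        Resource = ["arn:aws:s3:::${minio_s3_bucket.cluster.bucket}"]
      },
      {
        Effect = "Allow"
        Action = [
          "s3:GetObject",
          "s3:PutObject",
          "s3:DeleteObject",
        ]
        Resource = ["arn:aws:s3:::${minio_s3_bucket.cluster.bucket}/*"]
      },
    ]
  })
}

# Dedicated IAM user per cluster so credentials and blast radius are isolated
# from other clusters managed by this module.
resource "minio_iam_user" "cluster" {
  name = var.name
}

# Named policy (named after the bucket) carrying the bucket-scoped document.
resource "minio_iam_policy" "cluster" {
  name   = minio_s3_bucket.cluster.bucket
  policy = local.cluster_bucket_policy
}

resource "minio_iam_user_policy_attachment" "cluster" {
  user_name   = minio_iam_user.cluster.id
  policy_name = minio_iam_policy.cluster.id
}

# Service account whose access/secret key pair is what consumers actually use.
# Its inline policy mirrors the user's attached policy (same local), so the
# effective permissions are exactly the bucket-scoped set above.
resource "minio_iam_service_account" "cluster" {
  target_user = minio_iam_user.cluster.name
  policy      = local.cluster_bucket_policy
}

# Publish the service-account credentials to Vault at <var.name>/minio.
#
# Caveat: the secret key is also an attribute of
# minio_iam_service_account.cluster and therefore lands in Terraform state;
# the state backend must be access-controlled and encrypted, otherwise Vault
# is not the only place these credentials can be read from.
#
# `mount` references the mount resource directly, which both supplies the path
# and orders the mount before the secret; the service-account reference in
# data_json orders that resource as well, so no explicit depends_on is needed.
resource "vault_kv_secret_v2" "cluster" {
  mount               = vault_mount.cluster.path
  name                = "minio"
  delete_all_versions = true

  data_json = jsonencode({
    access_key = minio_iam_service_account.cluster.access_key
    secret_key = minio_iam_service_account.cluster.secret_key
  })
}

resource "vault_policy" "cluster" {
  name   = var.name
  policy = <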