devops/infra/modules/minio/tenant/main.tf


# Backing bucket for one tenant. The name comes from var.name so the module
# can be instantiated once per tenant without edits.
resource "minio_s3_bucket" "overlay" {
  bucket = var.name

  # The ACL alone keeps the bucket private; note that the sibling
  # minio_s3_bucket_policy resource in this file grants anonymous read
  # access on top of it.
  acl = "private"

  # Lets the caller sequence this module after whatever var.wait_on points at.
  depends_on = [var.wait_on]
}
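# Anonymous read-only bucket policy for the tenant bucket: unauthenticated
# clients (Principal "*") may locate the bucket, list its keys and fetch any
# object, and nothing else. The statement shape follows MinIO's anonymous
# "download" policy.
#
# Every Resource ARN is derived from the bucket created above. The previous
# revision hard-coded the bucket name "bouwroute", so whenever var.name was
# anything else the statements referred to a different bucket than the one
# the policy was attached to.
resource "minio_s3_bucket_policy" "overlay" {
  bucket = minio_s3_bucket.overlay.bucket

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Lets anonymous clients resolve the bucket's location.
        Effect    = "Allow"
        Principal = { AWS = ["*"] }
        Action    = ["s3:GetBucketLocation"]
        Resource  = ["arn:aws:s3:::${minio_s3_bucket.overlay.bucket}"]
      },
      {
        # Anonymous listing of the whole bucket; the "*" prefix condition is
        # the unrestricted form MinIO emits. Narrow s3:prefix here if only a
        # sub-tree of the bucket should be browsable anonymously.
        Effect    = "Allow"
        Principal = { AWS = ["*"] }
        Action    = ["s3:ListBucket"]
        Resource  = ["arn:aws:s3:::${minio_s3_bucket.overlay.bucket}"]
        Condition = {
          StringEquals = {
            "s3:prefix" = ["*"]
          }
        }
      },
      {
        # Anonymous read of every object. Put/Delete are deliberately absent:
        # writes remain with the authenticated tenant identity defined below.
        Effect    = "Allow"
        Principal = { AWS = ["*"] }
        Action    = ["s3:GetObject"]
        Resource  = ["arn:aws:s3:::${minio_s3_bucket.overlay.bucket}/**"]
      },
    ]
  })
}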
# Authenticated identity for the tenant, named after its bucket. Credentials
# are not taken from this user directly; the service account below issues the
# access/secret key pair that the module exports.
resource "minio_iam_user" "overlay" {
  name = var.name
}
# Tenant policy scoped to the single bucket: list the bucket, and read,
# write and delete objects inside it. No bucket-level management actions
# (policy, lifecycle, deletion) and no access to other buckets.
resource "minio_iam_policy" "overlay" {
  name = minio_s3_bucket.overlay.bucket

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Bucket-level: listing only.
        Effect   = "Allow"
        Action   = ["s3:ListBucket"]
        Resource = ["arn:aws:s3:::${var.name}"]
      },
      {
        # Object-level: full read/write on keys within the bucket.
        Effect = "Allow"
        Action = [
          "s3:GetObject",
          "s3:PutObject",
          "s3:DeleteObject",
        ]
        Resource = ["arn:aws:s3:::${var.name}/*"]
      },
    ]
  })
}
# Binds the bucket-scoped policy to the tenant user. Both references use the
# resources' ids so Terraform orders creation correctly.
resource "minio_iam_user_policy_attachment" "overlay" {
  policy_name = minio_iam_policy.overlay.id
  user_name   = minio_iam_user.overlay.id
}
# Service account (access key + secret key) issued for the tenant user.
# Its inline policy repeats the bucket-scoped permissions of
# minio_iam_policy.overlay; in MinIO a service-account policy can only narrow
# the parent user's permissions, so keep the two in step when editing either.
resource "minio_iam_service_account" "overlay" {
  target_user = minio_iam_user.overlay.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["s3:ListBucket"]
        Resource = [format("arn:aws:s3:::%s", var.name)]
      },
      {
        Effect = "Allow"
        Action = [
          "s3:GetObject",
          "s3:PutObject",
          "s3:DeleteObject",
        ]
        Resource = [format("arn:aws:s3:::%s/*", var.name)]
      },
    ]
  })
}
# Credentials of the tenant service account. `sensitive = true` only redacts
# them from plan/apply output; both values are still written in clear text to
# the Terraform state, so the state backend must be protected accordingly.
output "access_key" {
  description = "Access key of the tenant's MinIO service account."
  sensitive   = true
  value       = minio_iam_service_account.overlay.access_key
}

output "secret_key" {
  description = "Secret key of the tenant's MinIO service account."
  sensitive   = true
  value       = minio_iam_service_account.overlay.secret_key
}