vmfarms · kainlite · Aug 6, 2024 · Aug 6, 2024 · Aug 6, 2024 · Aug 6, 2024
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,6 @@
 *.pyc
 venv/
-k8s/*
+k8s/*
+test.yaml
+
+*.stack.yaml
diff --git a/Pulumi.yaml b/Pulumi.yaml
@@ -5,6 +5,7 @@ runtime:
     virtualenv: venv
 description: A minimal Minio Python Pulumi program
 config:
+  policy: ""
   pulumi:tags:
     value:
       pulumi:template: ""
diff --git a/__main__.py b/__main__.py
@@ -12,7 +12,7 @@
 serviceName = config.require("Name")
 serviceNamespace = config.require("Namespace")
 releaseName = config.require("ReleaseName")
-
+policy = config.require("Policy")
 
 secret_labels = {
   "epinio.io/configuration": "true",
@@ -23,16 +23,63 @@
   "app.kubernetes.io/name": "minio-bucket"
 }
 
-user = minio.IamUser(f"minio-iam-user",
-                     name=f"{serviceNamespace}-{serviceName}",
-                     force_destroy=True)
+user = minio.IamUser(f"minio-iam-user", name=f"{serviceNamespace}-{serviceName}", force_destroy=True)
 
-bucket = minio.S3Bucket(f"minio-s3-bucket",
-                        bucket=f"{serviceNamespace}-{releaseName}")
+bucket = minio.S3Bucket(f"minio-s3-bucket", bucket=f"{serviceNamespace}-{releaseName}")
 
 pulumi.export("bucket_arn",bucket.arn)
 
-def iam_user_policy(bucket_arn):
+def iam_user_policy(bucket_arn, principal_arn):
+  return pulumi.Output.all(bucket_arn, principal_arn).apply(
+    lambda args: json.dumps(
+      {
+        "Version":"2012-10-17",
+        "Statement": [
+          {
+            "Sid":"FullControl",
+            "Effect": "Allow",
+            "Action": [
+              "s3:*",
+            ],
+            "Principal": principal_arn,
+            "Resource": [
+              f"arn:aws:s3:::{args[0]}",
+              f"arn:aws:s3:::{args[0]}/*"
+            ]
+          }
+        ]
+      }
+    )
+  )
+
+def bucket_policy_public(bucket_arn):
+  return pulumi.Output.all(bucket_arn).apply(
+    lambda args: json.dumps(
+      {
+        "Version":"2012-10-17",
+        "Statement": [
+          {
+            "Sid":"RoBucket",
+            "Effect": "Allow",
+            "Action": [
+                "s3:Get*",
+                "s3:List*",
+                "s3:Describe*",
+                "s3:PutObject", 
+                "s3:DeleteObject"
+            ],
+            "Principal": "*",
+            "Resource": [
+              f"arn:aws:s3:::{args[0]}",
+              f"arn:aws:s3:::{args[0]}/*"
+            ]
+          }
+        ]
+      }
+    )
+  )
+
+def bucket_policy_ro(bucket_arn):
   return pulumi.Output.all(bucket_arn).apply(
     lambda args: json.dumps(
       {
@@ -42,35 +89,47 @@ def iam_user_policy(bucket_arn):
             "Sid":"ListAllBucket",
             "Effect": "Allow",
             "Action": [
-              "s3:ListBucket",
-              "s3:PutObject",
-              "s3:GetObject",
-              "s3:DeleteObject"
+                "s3:Get*",
+                "s3:List*",
+                "s3:Describe*",
             ],
-            "Principal":"*",
+            "Principal": "*",
             "Resource": [
-              f"{args[0]}",
-              f"{args[0]}/*"
+              f"arn:aws:s3:::{args[0]}",
+              f"arn:aws:s3:::{args[0]}/*"
               ]
           }
         ]
       }
     )
   )
 
+if policy == "public":
+    s3bucket_policy_resource = minio.S3BucketPolicy("s3bucketPolicyResource",
+                                                     bucket=bucket.bucket,
+                                                     policy=bucket.bucket.apply(bucket_policy_public)
+                                                    )
+elif policy == "readonly":
+    s3bucket_policy_resource = minio.S3BucketPolicy("s3bucketPolicyResource",
+                                                     bucket=bucket.bucket,
+                                                     policy=bucket.bucket.apply(bucket_policy_ro)
+                                                    )
+
+service_account = minio.IamServiceAccount("service-account",
+                                           target_user=user.name,
+                                           policy=bucket.arn.apply(iam_user_policy)
+                                          )
 
 iam_policy = minio.IamPolicy("minio-iam-policy",
                              name=f"{serviceNamespace}-{serviceName}",
-                             policy=bucket.arn.apply(iam_user_policy)
+                             policy=bucket.arn.apply(iam_user_policy(service_account.id))
                             )
 
 iam_user_policy_attachment = minio.IamUserPolicyAttachment("minio-user-policy",
-                                                           user_name=user.name,
-                                                           policy_name=iam_policy.name)
+                                                            user_name=user.name,
+                                                            policy_name=iam_policy.name
+                                                           )
 
-service_account = minio.IamServiceAccount("service-account",
-                                          target_user=user.name,
-                                          policy=bucket.arn.apply(iam_user_policy))
 
 service_account_secret = Secret("service-account-secret",
                                 metadata=ObjectMetaArgs(
@@ -80,8 +139,6 @@ def iam_user_policy(bucket_arn):
                                 string_data = {
                                   "ACCESS_KEY": service_account.access_key,
                                   "SECRET_KEY": service_account.secret_key
-                                }
-                                )
-
+                                })
 
-pulumi.export("secret_name",service_account_secret.metadata["name"])
+pulumi.export("secret_name",service_account_secret.metadata["name"])