feat(sks): add support to new Exoscale IAM keys

Author: lentidas

examples/sks/s3_buckets.tf

@@ -7,6 +7,8 @@ locals {
 }
 
 resource "aws_s3_bucket" "this" {
+  provider = aws.exoscale-s3
+
   for_each = toset(local.s3_buckets)
 
   bucket        = "${local.cluster_name}-${each.key}"
@@ -20,48 +22,44 @@ resource "aws_s3_bucket" "this" {
   }
 }
 
-resource "exoscale_iam_access_key" "s3_iam_key" {
+# Role based on the example available https://github.com/exoscale/terraform-provider-exoscale/blob/28da8e40dca37d93e4f3438f3bf906ef400f5b07/examples/iam-bucket-access/main.tf
+resource "exoscale_iam_role" "s3_role" {
   for_each = toset(local.s3_buckets)
 
-  name      = "${local.cluster_name}-${each.key}-s3-iam-key"
-  resources = ["sos/bucket:${local.cluster_name}-${each.key}"]
+  name        = "${local.cluster_name}-${each.key}-s3-role"
+  description = "Role for SOS bucket ${each.key} for the ${local.cluster_name} SKS cluster. Created using Terraform."
+  editable    = true
 
-  # Probably not all these permissions are needed. However, these IAM keys are resource-scoped, so there should be no 
-  # issue. The only SOS permissions commented out are the ones related to the creation and deletion of an SOS bucket.
-  operations = [
-    "abort-sos-multipart-upload",
-    "by-pass-sos-governance-retention",
-    # "create-sos-bucket",
-    # "delete-sos-bucket",
-    "delete-sos-object",
-    "get-sos-bucket-acl",
-    "get-sos-bucket-cors",
-    "get-sos-bucket-location",
-    "get-sos-bucket-object-lock-configuration",
-    "get-sos-bucket-ownership-controls",
-    "get-sos-bucket-versioning",
-    "get-sos-object",
-    "get-sos-object-acl",
-    "get-sos-object-legal-hold",
-    "get-sos-object-retention",
-    "get-sos-presigned-url",
-    "list-sos-bucket",
-    "list-sos-bucket-multipart-uploads",
-    "list-sos-bucket-versions",
-    "list-sos-buckets",
-    "list-sos-buckets-usage",
-    "put-sos-bucket-acl",
-    "put-sos-bucket-cors",
-    "put-sos-bucket-object-lock-configuration",
-    "put-sos-bucket-ownership-controls",
-    "put-sos-bucket-versioning",
-    "put-sos-object",
-    "put-sos-object-acl",
-    "put-sos-object-legal-hold",
-    "put-sos-object-retention",
-  ]
+  policy = {
+    default_service_strategy = "deny"
+    services = {
+      sos = {
+        # These rules are used in order, so if a rule does not match, the following rules are NOT evaluated.
+        # In these settings, we first allow all operations except create-bucket and delete-bucket, then we deny all
+        # operations on buckets that are not the one that the role relates to.
+        type = "rules"
+        rules = [
+          {
+            expression = "!(operation in ['create-bucket', 'delete-bucket'])"
+            action     = "allow"
+          },
+          {
+            expression = "!(parameters.bucket in ['${each.key}'])"
+            action     = "deny"
+          },
+        ]
+      }
+    }
+  }
+}
+
+resource "exoscale_iam_api_key" "s3_iam_api_key" {
+  for_each = toset(local.s3_buckets)
+
+  name    = "${local.cluster_name}-${each.key}-s3-iam-key"
+  role_id = resource.exoscale_iam_role.s3_role[each.key].id
 
   depends_on = [
-    aws_s3_bucket.this,
+    resource.aws_s3_bucket.this,
   ]
 }

examples/sks/terraform.tf

@@ -12,7 +12,7 @@ terraform {
   required_providers {
     exoscale = {
       source  = "exoscale/exoscale"
-      version = "~> 0.51"
+      version = "~> 0.59"
     }
     aws = { # Needed to store the state file in S3 and to create S3 buckets (provider configuration bellow)
       source  = "hashicorp/aws"
@@ -37,7 +37,11 @@ terraform {
   }
 }
 
+provider "aws" {}
+
 provider "aws" {
+  alias = "exoscale-s3"
+
   endpoints {
     s3 = "https://sos-${local.zone}.exo.io"
   }