Add minio to terraform

This commit is contained in:
Tobias Reisinger 2025-06-08 19:33:26 +02:00
parent 4264017641
commit 37a304d161
Signed by: serguzim
GPG key ID: 13AD60C237A28DFE
9 changed files with 130 additions and 0 deletions


@ -4,6 +4,10 @@ terraform {
source = "goauthentik/authentik"
version = "~> 2025.2.0"
}
minio = {
source = "aminueza/minio"
version = "~> 3.5.2"
}
mailcow = {
source = "l-with/mailcow"
version = "~> 0.7.5"
@ -19,4 +23,7 @@ locals {
services_auth = {for key, val in var.services : key => val if val.auth}
services_database = {for key, val in var.services : key => val if val.database}
services_mail = {for key, val in var.services : key => val if val.mail != null}
services_s3 = {for key, val in var.services : key => (val.s3_buckets != null) ? val.s3_buckets : [key] if (val.s3 == "internal")}
buckets_s3 = merge([for key, val in local.services_s3 : {for bucket in val : bucket => key}]...)
}
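Review bot: `buckets_s3` on the last line of this hunk is built with `merge(...)`, so if two services list the same name in `s3_buckets` the later map entry silently wins and the first service ends up with no policy attachment for that bucket. A plan-time check would surface the collision instead, for example a `lifecycle { precondition { ... } }` on `minio_s3_bucket.service_buckets` with `condition = length(flatten(values(local.services_s3))) == length(local.buckets_s3)` and an error message naming the duplicate-bucket rule. A one-line comment above `buckets_s3` stating that bucket names must be unique across services would also help, since the inversion from service→buckets to bucket→service is not obvious from the expression. The `locals` block starts before this hunk.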

56
modules/services/minio.tf Normal file

@ -0,0 +1,56 @@
# Create a user first
resource "minio_iam_user" "service_users" {
for_each = local.services_s3
name = each.key
}
resource "minio_accesskey" "service_access_keys" {
for_each = local.services_s3
user = minio_iam_user.service_users[each.key].name
}
resource "minio_s3_bucket" "service_buckets" {
for_each = local.buckets_s3
bucket = replace("${each.key}.serguzim.me", "_", "-")
lifecycle {
prevent_destroy = true
}
}
resource "minio_iam_policy" "service_bucket_policies" {
for_each = local.buckets_s3
name = each.key
policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Sid = "${each.key} statement"
Effect = "Allow",
Action = ["s3:*"],
Principal = "*",
Resource = "${minio_s3_bucket.service_buckets[each.key].arn}/*"
}
]
})
}
resource "minio_iam_user_policy_attachment" "service_bucket_policy_attachments" {
for_each = local.buckets_s3
user_name = minio_iam_user.service_users[each.value].id
policy_name = minio_iam_policy.service_bucket_policies[each.key].id
}
//resource "minio_iam_service_account" "service_accounts" {
// for_each = minio_iam_user.service_users
// target_user = each.value.name
// policy = jsonencode({
// Version = "2012-10-17",
// Statement = [{
// Action = [
// "s3:*",
// ],
// "Effect": "Allow",
// "Resource": []
// }]
// })
//}
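Review bot: The statement in `minio_iam_policy.service_bucket_policies` grants `s3:*` only on `${arn}/*`, i.e. on objects, not on the bucket ARN itself, so bucket-level calls such as listing the bucket are not covered by it; `Resource = [minio_s3_bucket.service_buckets[each.key].arn, "${minio_s3_bucket.service_buckets[each.key].arn}/*"]` covers both. `Principal = "*"` is, as far as I can tell, not meaningful in an identity policy attached to a user, and it would turn the document into an anonymous-access grant if it were ever reused as a bucket policy, so I would drop that line. If the services only need object read/write, listing those actions instead of `s3:*` keeps the per-service key from also being able to change bucket policy and lifecycle settings. The commented-out `minio_iam_service_account` block at the end is dead code in a brand-new file; either remove it or add a comment saying why it is kept.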


@ -9,6 +9,19 @@ output "authentik_data" {
sensitive = true
}
output "minio_data" {
value = {
for key, val in local.buckets_s3 : key => {
access_key = minio_accesskey.service_access_keys[val].access_key
secret_key = minio_accesskey.service_access_keys[val].secret_key
name = minio_s3_bucket.service_buckets[key].bucket
region = "eu-de-1" // TODO make dynamic
api_endpoint = "https://s3.serguzim.me" // TODO make dynamic
}
}
sensitive = true
}
output "postgresql_data" {
value = {
for key in keys(postgresql_database.service_databases) : key => {
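Review bot: `sensitive = true` on `output "minio_data"` only redacts the value in CLI output; the `secret_key` read from `minio_accesskey.service_access_keys` is still written in clear text to the Terraform state, so the state backend has to be treated as holding live credentials. A comment next to the output such as `// secret_key is stored in plaintext in state; restrict access to the state backend` makes that explicit for the next reader. The hard-coded `region` and `api_endpoint` already carry TODOs; sourcing both from a variable would avoid a silent mismatch when the endpoint changes. The `output "postgresql_data"` block at the end of this hunk continues outside it.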


@ -17,6 +17,8 @@ variable "services" {
auth = bool
auth_cert = optional(string)
auth_redirects = optional(list(string))
s3 = optional(string)
s3_buckets = optional(list(string))
database = bool
mail = optional(string)
}))
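Review bot: `s3 = optional(string)` is compared against the literal `"internal"` in the locals, so a typo such as `"Internal"` silently yields no bucket and no credentials for that service rather than an error. A `validation` block on `variable "services"` with `condition = alltrue([for v in var.services : v.s3 == null || v.s3 == "internal"])` and a matching `error_message` would catch this at plan time. `s3_buckets` is also only honoured when `s3` is `"internal"`; a short comment on that attribute saying so would help callers of the module. The `variable "services"` block starts before this hunk.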