Add minio to terraform

2025-06-08 19:33:26 +02:00 · 2025-06-08 19:33:26 +02:00 · 37a304d161
commit 37a304d161
parent 4264017641
9 changed files with 130 additions and 0 deletions
--- a/modules/services/main.tf
+++ b/modules/services/main.tf
@ -4,6 +4,10 @@ terraform {
      source = "goauthentik/authentik"
      version = "~> 2025.2.0"
    }
+    minio = {
+      source  = "aminueza/minio"
+      version = "~> 3.5.2"
+    }
    mailcow = {
      source = "l-with/mailcow"
      version = "~> 0.7.5"
@ -19,4 +23,7 @@ locals {
  services_auth = {for key, val in var.services : key => val if val.auth}
  services_database = {for key, val in var.services : key => val if val.database}
  services_mail = {for key, val in var.services : key => val if val.mail != null}
+
+  services_s3 = {for key, val in var.services : key => (val.s3_buckets != null) ? val.s3_buckets : [key] if (val.s3 == "internal")}
+  buckets_s3 = merge([for key, val in local.services_s3 : {for bucket in val : bucket => key}]...)
 }
--- a/modules/services/minio.tf
+++ b/modules/services/minio.tf
@ -0,0 +1,56 @@
+# Create a user first
+resource "minio_iam_user" "service_users" {
+  for_each = local.services_s3
+  name = each.key
+}
+
+resource "minio_accesskey" "service_access_keys" {
+  for_each = local.services_s3
+  user = minio_iam_user.service_users[each.key].name
+}
+
+resource "minio_s3_bucket" "service_buckets" {
+  for_each = local.buckets_s3
+  bucket = replace("${each.key}.serguzim.me", "_", "-")
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "minio_iam_policy" "service_bucket_policies" {
+  for_each = local.buckets_s3
+  name     = each.key
+  policy   = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid = "${each.key} statement"
+        Effect = "Allow",
+        Action = ["s3:*"],
+        Principal = "*",
+        Resource = "${minio_s3_bucket.service_buckets[each.key].arn}/*"
+      }
+    ]
+  })
+}
+
+resource "minio_iam_user_policy_attachment" "service_bucket_policy_attachments" {
+  for_each    = local.buckets_s3
+  user_name   = minio_iam_user.service_users[each.value].id
+  policy_name = minio_iam_policy.service_bucket_policies[each.key].id
+}
+
+//resource "minio_iam_service_account" "service_accounts" {
+//  for_each = minio_iam_user.service_users
+//  target_user = each.value.name
+//  policy = jsonencode({
+//    Version = "2012-10-17",
+//    Statement = [{
+//      Action = [
+//        "s3:*",
+//      ],
+//      "Effect": "Allow",
+//      "Resource": []
+//    }]
+//  })
+//}
--- a/modules/services/output.tf
+++ b/modules/services/output.tf
@ -9,6 +9,19 @@ output "authentik_data" {
  sensitive = true
 }

+output "minio_data" {
+  value = {
+    for key, val in local.buckets_s3 : key => {
+      access_key   = minio_accesskey.service_access_keys[val].access_key
+      secret_key   = minio_accesskey.service_access_keys[val].secret_key
+      name         = minio_s3_bucket.service_buckets[key].bucket
+      region       = "eu-de-1" // TODO make dynamic
+      api_endpoint = "https://s3.serguzim.me" // TODO make dynamic
+    }
+  }
+  sensitive = true
+}
+
 output "postgresql_data" {
  value = {
    for key in keys(postgresql_database.service_databases) : key => {
--- a/modules/services/variables.tf
+++ b/modules/services/variables.tf
@ -17,6 +17,8 @@ variable "services" {
    auth = bool
    auth_cert = optional(string)
    auth_redirects = optional(list(string))
+    s3 = optional(string)
+    s3_buckets = optional(list(string))
    database = bool
    mail = optional(string)
  }))