feat: create new Postgres backups bucket (#120)

The current bucket has a hardcoded identifier and should be pretty easy to swap over as it just needs to update a script on the Postgres instance. This change: * Marks the old one for deletion * Creates a new one with a random ID * Assigns temporary permissions for data migration * Allows the backup role to write to the new location
alexander-jackson · Oct 7, 2023 · cbe2ad9 · cbe2ad9
1 parent f8d23cd
commit cbe2ad9
Showing 1 changed file with 36 additions and 8 deletions.
diff --git a/terraform/aws.tf b/terraform/aws.tf
@@ -11,8 +11,15 @@ module "remote_state_bucket" {
 }
 
 module "postgres_backups" {
-  source      = "./modules/s3-bucket"
-  bucket_name = "postgres-backups-tr1pjq"
+  source           = "./modules/s3-bucket"
+  bucket_name      = "postgres-backups-tr1pjq"
+  pending_deletion = true
+}
+
+module "postgres_backups_bucket" {
+  source         = "./modules/s3-bucket"
+  bucket_name    = "postgres-backups"
+  with_random_id = true
 }
 
 module "configuration_bucket" {
@@ -106,6 +113,21 @@ resource "aws_iam_user_policy" "personal" {
         Effect   = "Allow"
         Resource = "*"
       },
+      {
+        Action   = ["s3:ListBucket"]
+        Effect   = "Allow"
+        Resource = [module.postgres_backups.arn, module.postgres_backups_bucket.arn]
+      },
+      {
+        Action   = ["s3:GetObject"]
+        Effect   = "Allow"
+        Resource = format("%s/*", module.postgres_backups.arn)
+      },
+      {
+        Action   = ["s3:PutObject"]
+        Effect   = "Allow"
+        Resource = format("%s/*", module.postgres_backups_bucket.arn)
+      },
       {
         Action   = "sts:AssumeRole",
         Effect   = "Allow",
@@ -162,14 +184,20 @@ resource "aws_iam_user_policy" "postgres_backups" {
     Version = "2012-10-17"
     Statement = [
       {
-        Action   = ["s3:ListBucket"]
-        Effect   = "Allow"
-        Resource = module.postgres_backups.arn
+        Action = ["s3:ListBucket"]
+        Effect = "Allow"
+        Resource = [
+          module.postgres_backups.arn,
+          module.postgres_backups_bucket.arn
+        ]
       },
       {
-        Action   = ["s3:PutObject"]
-        Effect   = "Allow"
-        Resource = format("%s/*", module.postgres_backups.arn)
+        Action = ["s3:PutObject"]
+        Effect = "Allow"
+        Resource = [
+          format("%s/*", module.postgres_backups.arn),
+          format("%s/*", module.postgres_backups_bucket.arn)
+        ]
       },
     ]
   })