Add kudo-matic S3 buckets and IAM user

.gitignore

@@ -28,4 +28,6 @@ tmp/storage
 storage
 
 # redis
-dump.rdb
+dump.rdb
+
+**/.terraform/

README.md

@@ -119,14 +119,21 @@ bin/rails s
 Congratulations, you did just set up the Kudos-o-Matic!  
 You can optionally set up the dependencies listed below to get the most out of your Kudos-o-Matic.
 
-### Amazon AWS S3 setup
+### Amazon AWS and Terraform
 
-Follow these instructions to setup the Amazon AWS S3 cloud storage service for images attached to Kudo posts:
+The Kudos-o-Matic project uses Amazon AWS S3 buckets for storage. The following S3 buckets are created and managed via Terraform:
 
-- [Create an AWS S3 account](https://aws.amazon.com/resources/create-account/).
-- Setup a Amazon S3 Bucket.
-- Set the `AWS_S3_HOST_NAME`, `AWS_S3_REGION`, `AWS_S3_BUCKET`, `AWS_S3_BUCKET` and `AWS_SECRET_ACCESS_KEY` environment variables.
-- Restart the server.
+- kudo-o-matic-production
+- kudo-o-matic-development
+- kudo-o-matic-staging
+
+These buckets are used to store assets and application-related data. The setup and configuration of these S3 buckets are defined in the Terraform configuration within the terraform folder of this project.
+
+Additionally, an AWS IAM user is created with a policy that grants access to these S3 buckets. The IAM policy ensures that the necessary permissions are in place for managing objects within these buckets securely.
+
+For more details on the exact implementation, refer to the Terraform configuration in the terraform folder.
+
+The required S3 environment variables have been configured in Heroku to ensure seamless integration with the application. These variables are set in the Heroku environment and automatically applied during deployment or restart.
 
 ### Mail setup
 

terraform/.terraform-version

@@ -0,0 +1 @@
+1.11.0

terraform/aws.tf

@@ -0,0 +1,21 @@
+terraform {
+  backend "s3" {
+    region         = "eu-west-1"
+    bucket         = "kabisa-terraform-statefiles"
+    dynamodb_table = "kabisa-terraform-lockfiles"
+    key            = "kudo-o-matic/terraform.tfstate"
+    encrypt        = true
+
+    assume_role = {
+        role_arn = "arn:aws:iam::003476575487:role/admin"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.region
+
+  assume_role {
+    role_arn = "arn:aws:iam::${var.account_id}:role/admin"
+  }
+}

terraform/main.tf

@@ -0,0 +1,53 @@
+resource "aws_s3_bucket" "kudo_o_matic_production" {
+  bucket = "kudo-o-matic-production"
+}
+
+resource "aws_s3_bucket" "kudo_o_matic_development" {
+  bucket = "kudo-o-matic-development"
+}
+
+resource "aws_s3_bucket" "kudo_o_matic_staging" {
+  bucket = "kudo-o-matic-staging"
+}
+
+resource "aws_iam_user" "kudo_user" {
+  name = "kudo-user"
+}
+
+resource "aws_iam_policy" "kudo_policy" {
+  name        = "kudo-s3-access-policy"
+  description = "Policy to allow full access to kudo S3 buckets"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect   = "Allow"
+        Action   = "s3:ListAllMyBuckets"
+        Resource = "arn:aws:s3:::*"
+      },
+      {
+        Effect   = "Allow"
+        Action   = "s3:*"
+        Resource = [
+          aws_s3_bucket.kudo_o_matic_development.arn,
+          "${aws_s3_bucket.kudo_o_matic_development.arn}/*",
+          aws_s3_bucket.kudo_o_matic_staging.arn,
+          "${aws_s3_bucket.kudo_o_matic_staging.arn}/*",
+          aws_s3_bucket.kudo_o_matic_production.arn,
+          "${aws_s3_bucket.kudo_o_matic_production.arn}/*"
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_user_policy_attachment" "kudo_user_policy_attachment" {
+  user       = aws_iam_user.kudo_user.name
+  policy_arn = aws_iam_policy.kudo_policy.arn
+}
+
+resource "aws_iam_access_key" "kudo_user_iam_access_key" {
+  user = aws_iam_user.kudo_user.name
+}
+

terraform/terraform.tfvars

@@ -0,0 +1 @@
+account_id = "299159644482"

terraform/variables.tf

@@ -0,0 +1,5 @@
+variable "region" {
+  default = "eu-west-1"
+}
+
+variable "account_id" {}