chore: fix buckets and iam for staging env (#5475)

2026-02-22 10:08:42 -06:00 · 2025-04-23 13:54:45 +05:30
parent 7d7f6ed04a
commit 27da540846
2 changed files with 33 additions and 61 deletions
--- a/infra/terraform/main.tf
+++ b/infra/terraform/main.tf
@@ -437,62 +437,24 @@ module "eks_blueprints_addons" {
 }

 ### Formbricks App
-data "aws_iam_policy_document" "replication_bucket_policy" {
-  statement {
-    sid    = "Set-permissions-for-objects"
-    effect = "Allow"

-    principals {
-      type = "AWS"
-      identifiers = [
-        "arn:aws:iam::050559574035:role/service-role/s3crr_role_for_formbricks-cloud-uploads"
-      ]
-    }
-
-    actions = [
-      "s3:ReplicateObject",
-      "s3:ReplicateDelete"
-    ]
-
-    resources = [
-      "arn:aws:s3:::formbricks-cloud-eks/*"
-    ]
-  }
-
-  statement {
-    sid    = "Set permissions on bucket"
-    effect = "Allow"
-
-    principals {
-      type = "AWS"
-      identifiers = [
-        "arn:aws:iam::050559574035:role/service-role/s3crr_role_for_formbricks-cloud-uploads"
-      ]
-    }
-
-    actions = [
-      "s3:GetBucketVersioning",
-      "s3:PutBucketVersioning"
-    ]
-
-    resources = [
-      "arn:aws:s3:::formbricks-cloud-eks"
-    ]
-  }
+moved {
+  from = module.formbricks_s3_bucket
+  to   = module.formbricks_s3_bucket["prod"]
 }

 module "formbricks_s3_bucket" {
-  source  = "terraform-aws-modules/s3-bucket/aws"
-  version = "4.6.0"
+  for_each = local.envs
+  source   = "terraform-aws-modules/s3-bucket/aws"
+  version  = "4.6.0"

-  bucket                   = "formbricks-cloud-eks"
+  bucket                   = each.key == "prod" ? "formbricks-cloud-eks" : "formbricks-cloud-eks-${each.key}"
  force_destroy            = true
  control_object_ownership = true
  object_ownership         = "BucketOwnerPreferred"
  versioning = {
    enabled = true
  }
-  policy = data.aws_iam_policy_document.replication_bucket_policy.json
  cors_rule = [
    {
      allowed_methods = ["POST"]
@@ -503,11 +465,17 @@ module "formbricks_s3_bucket" {
  ]
 }

-module "formbricks_app_iam_policy" {
-  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
-  version = "5.53.0"
+moved {
+  from = module.formbricks_app_iam_policy
+  to   = module.formbricks_app_iam_policy["prod"]
+}

-  name_prefix = "formbricks-"
+module "formbricks_app_iam_policy" {
+  for_each = local.envs
+  source   = "terraform-aws-modules/iam/aws//modules/iam-policy"
+  version  = "5.53.0"
+
+  name_prefix = each.key == "prod" ? "formbricks-" : "formbricks-${each.key}-"
  path        = "/"
  description = "Policy for fombricks app"

@@ -520,31 +488,35 @@ module "formbricks_app_iam_policy" {
          "s3:*",
        ]
        Resource = [
-          module.formbricks_s3_bucket.s3_bucket_arn,
-          "${module.formbricks_s3_bucket.s3_bucket_arn}/*",
-          "arn:aws:s3:::formbricks-cloud-uploads",
-          "arn:aws:s3:::formbricks-cloud-uploads/*"
+          module.formbricks_s3_bucket[each.key].s3_bucket_arn,
+          "${module.formbricks_s3_bucket[each.key].s3_bucket_arn}/*"
        ]
      }
    ]
  })
 }

-module "formbricks_app_iam_role" {
-  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "5.53.0"
+moved {
+  from = module.formbricks_app_iam_role
+  to   = module.formbricks_app_iam_role["prod"]
+}

-  role_name_prefix = "formbricks-"
+module "formbricks_app_iam_role" {
+  for_each = local.envs
+  source   = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version  = "5.53.0"
+
+  role_name_prefix = each.key == "prod" ? "formbricks-" : "formbricks-${each.key}-"

  role_policy_arns = {
-    "formbricks" = module.formbricks_app_iam_policy.arn
+    "formbricks" = module.formbricks_app_iam_policy[each.key].arn
  }
  assume_role_condition_test = "StringLike"

  oidc_providers = {
    eks = {
      provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["formbricks:*"]
+      namespace_service_accounts = each.key == "prod" ? ["formbricks:*"] : ["formbricks-${each.key}:*"]
    }
  }
 }
--- a/infra/terraform/secrets.tf
+++ b/infra/terraform/secrets.tf
@@ -6,7 +6,7 @@ moved {

 resource "aws_secretsmanager_secret" "formbricks_app_secrets" {
  for_each = local.envs
-  name = "${each.key}/formbricks/secrets"
+  name     = "${each.key}/formbricks/secrets"
 }

 moved {
@@ -15,7 +15,7 @@ moved {
 }

 resource "aws_secretsmanager_secret_version" "formbricks_app_secrets" {
-  for_each = local.envs
+  for_each  = local.envs
  secret_id = aws_secretsmanager_secret.formbricks_app_secrets[each.key].id
  secret_string = jsonencode({
    REDIS_URL = "rediss://:${random_password.valkey[each.key].result}@${module.valkey[each.key].replication_group_primary_endpoint_address}:6379"