Dev (#22)

lindsaygelle · May 31, 2024 · 423acf2 · 423acf2
1 parent 37148f8
commit 423acf2
Show file tree

Hide file tree

Showing 17 changed files with 1,916 additions and 42 deletions.
diff --git a/aws_iam_policy_document.tf b/aws_iam_policy_document.tf
@@ -1,3 +1,29 @@
+data "aws_iam_policy_document" "assume_role_pipes_pipe_s3_object_created_image" {
+  statement {
+    actions = [
+      "sts:AssumeRole"
+    ]
+    effect = "Allow"
+    principals {
+      identifiers = ["pipes.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+}
+
+data "aws_iam_policy_document" "assume_role_sfn_state_machine_rekognition" {
+  statement {
+    actions = [
+      "sts:AssumeRole"
+    ]
+    effect = "Allow"
+    principals {
+      identifiers = ["states.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+}
+
 data "aws_iam_policy_document" "assume_role_sfn_state_machine_rekognition_detect_faces" {
   statement {
     actions = [
@@ -50,6 +76,85 @@ data "aws_iam_policy_document" "assume_role_sfn_state_machine_rekognition_detect
   }
 }
 
+data "aws_iam_policy_document" "assume_role_sfn_state_machine_rekognition_detect_text" {
+  statement {
+    actions = [
+      "sts:AssumeRole"
+    ]
+    effect = "Allow"
+    principals {
+      identifiers = ["states.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+}
+
+data "aws_iam_policy_document" "pipes_pipe_s3_object_created_image" {
+  statement {
+    actions = [
+      "sqs:DeleteMessage",
+      "sqs:GetQueueAttributes",
+      "sqs:ReceiveMessage",
+    ]
+    effect = "Allow"
+    resources = [
+      aws_sqs_queue.s3_object_created_image.arn
+    ]
+  }
+  statement {
+    actions = [
+      "states:StartExecution"
+    ]
+    effect = "Allow"
+    resources = [
+      "${aws_sfn_state_machine.rekognition.arn}"
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "sfn_state_machine_rekognition" {
+  statement {
+    actions = [
+      "states:StartExecution"
+    ]
+    effect = "Allow"
+    resources = [
+      "${aws_sfn_state_machine.rekognition_detect_faces.arn}",
+      "${aws_sfn_state_machine.rekognition_detect_labels.arn}",
+      "${aws_sfn_state_machine.rekognition_detect_moderation_labels.arn}",
+      "${aws_sfn_state_machine.rekognition_detect_protective_equipment.arn}",
+      "${aws_sfn_state_machine.rekognition_detect_text.arn}"
+    ]
+  }
+
+  statement {
+    actions = [
+      "states:DescribeExecution",
+      "states:StopExecution"
+    ]
+    effect = "Allow"
+    resources = [
+      "arn:aws:states:${data.aws_region.main.name}:${data.aws_caller_identity.main.account_id}:execution:${aws_sfn_state_machine.rekognition_detect_faces.name}:*",
+      "arn:aws:states:${data.aws_region.main.name}:${data.aws_caller_identity.main.account_id}:execution:${aws_sfn_state_machine.rekognition_detect_labels.name}:*",
+      "arn:aws:states:${data.aws_region.main.name}:${data.aws_caller_identity.main.account_id}:execution:${aws_sfn_state_machine.rekognition_detect_moderation_labels.name}:*",
+      "arn:aws:states:${data.aws_region.main.name}:${data.aws_caller_identity.main.account_id}:execution:${aws_sfn_state_machine.rekognition_detect_protective_equipment.name}:*",
+      "arn:aws:states:${data.aws_region.main.name}:${data.aws_caller_identity.main.account_id}:execution:${aws_sfn_state_machine.rekognition_detect_text.name}:*"
+    ]
+  }
+
+  statement {
+    actions = [
+      "events:PutTargets",
+      "events:PutRule",
+      "events:DescribeRule"
+    ]
+    effect = "Allow"
+    resources = [
+      "arn:aws:events:${data.aws_region.main.name}:${data.aws_caller_identity.main.account_id}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"
+    ]
+  }
+}
+
 data "aws_iam_policy_document" "sfn_state_machine_rekognition_detect_faces" {
   statement {
     actions = [
@@ -189,3 +294,61 @@ data "aws_iam_policy_document" "sfn_state_machine_rekognition_detect_protective_
     ]
   }
 }
+
+data "aws_iam_policy_document" "sfn_state_machine_rekognition_detect_text" {
+  statement {
+    actions = [
+      "s3:GetObject",
+      "s3:GetObjectAttributes",
+      "s3:GetObjectVersion"
+    ]
+    effect = "Allow"
+    resources = [
+      "${aws_s3_bucket.main.arn}/${aws_s3_object.images.key}*"
+    ]
+  }
+
+  statement {
+    actions = [
+      "s3:GetBucketVersioning",
+      "s3:ListBucket"
+    ]
+    effect = "Allow"
+    resources = [
+      "${aws_s3_bucket.main.arn}"
+    ]
+  }
+
+  statement {
+    actions = [
+      "rekognition:DetectText"
+    ]
+    effect = "Allow"
+    resources = [
+      "*"
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "sqs_queue_s3_bucket_notification_created_image" {
+  statement {
+    actions = ["SQS:SendMessage"]
+
+    condition {
+      test     = "ArnLike"
+      values   = [aws_s3_bucket.main.arn]
+      variable = "aws:SourceArn"
+    }
+
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["s3.amazonaws.com"]
+    }
+
+    resources = [
+      aws_sqs_queue.s3_object_created_image.arn
+    ]
+  }
+}
diff --git a/aws_iam_role.tf b/aws_iam_role.tf
@@ -1,3 +1,31 @@
+resource "aws_iam_role" "pipes_pipe_s3_object_created_image" {
+  assume_role_policy = data.aws_iam_policy_document.assume_role_pipes_pipe_s3_object_created_image.json
+  name               = "${local.organization}-pipes-pipe-s3-object-created-text"
+  path               = "/${local.organization}/"
+  tags = {
+    account_arn  = data.aws_caller_identity.main.arn
+    account_id   = data.aws_caller_identity.main.account_id
+    organization = local.organization
+    region       = data.aws_region.main.name
+    workspace    = terraform.workspace
+  }
+}
+
+resource "aws_iam_role" "sfn_state_machine_rekognition" {
+  assume_role_policy = data.aws_iam_policy_document.assume_role_sfn_state_machine_rekognition.json
+  name               = "sfn-state-machine-rekognition"
+  path               = "/${local.organization}/"
+  tags = {
+    caller_identity_account_arn = data.aws_caller_identity.main.arn
+    caller_identity_account_id  = data.aws_caller_identity.main.account_id
+    caller_identity_user_id     = data.aws_caller_identity.main.user_id
+    canonical_user_id           = data.aws_canonical_user_id.main.id
+    organization                = local.organization
+    region                      = data.aws_region.main.name
+    workspace                   = terraform.workspace
+  }
+}
+
 resource "aws_iam_role" "sfn_state_machine_rekognition_detect_faces" {
   assume_role_policy = data.aws_iam_policy_document.assume_role_sfn_state_machine_rekognition_detect_faces.json
   name               = "sfn-state-machine-rekognition-detect-faces"
@@ -57,3 +85,18 @@ resource "aws_iam_role" "sfn_state_machine_rekognition_detect_protective_equipme
     workspace                   = terraform.workspace
   }
 }
+
+resource "aws_iam_role" "sfn_state_machine_rekognition_detect_text" {
+  assume_role_policy = data.aws_iam_policy_document.assume_role_sfn_state_machine_rekognition_detect_text.json
+  name               = "sfn-state-machine-rekognition-detect-text"
+  path               = "/${local.organization}/"
+  tags = {
+    caller_identity_account_arn = data.aws_caller_identity.main.arn
+    caller_identity_account_id  = data.aws_caller_identity.main.account_id
+    caller_identity_user_id     = data.aws_caller_identity.main.user_id
+    canonical_user_id           = data.aws_canonical_user_id.main.id
+    organization                = local.organization
+    region                      = data.aws_region.main.name
+    workspace                   = terraform.workspace
+  }
+}
diff --git a/aws_iam_role_policy.tf b/aws_iam_role_policy.tf
@@ -1,3 +1,13 @@
+resource "aws_iam_role_policy" "pipes_pipe_s3_object_created_image" {
+  policy = data.aws_iam_policy_document.pipes_pipe_s3_object_created_image.json
+  role   = aws_iam_role.pipes_pipe_s3_object_created_image.id
+}
+
+resource "aws_iam_role_policy" "sfn_state_machine_rekognition" {
+  policy = data.aws_iam_policy_document.sfn_state_machine_rekognition.json
+  role   = aws_iam_role.sfn_state_machine_rekognition.id
+}
+
 resource "aws_iam_role_policy" "sfn_state_machine_rekognition_detect_faces" {
   policy = data.aws_iam_policy_document.sfn_state_machine_rekognition_detect_faces.json
   role   = aws_iam_role.sfn_state_machine_rekognition_detect_faces.id
@@ -17,3 +27,8 @@ resource "aws_iam_role_policy" "sfn_state_machine_rekognition_detect_protective_
   policy = data.aws_iam_policy_document.sfn_state_machine_rekognition_detect_protective_equipment.json
   role   = aws_iam_role.sfn_state_machine_rekognition_detect_protective_equipment.id
 }
+
+resource "aws_iam_role_policy" "sfn_state_machine_rekognition_detect_text" {
+  policy = data.aws_iam_policy_document.sfn_state_machine_rekognition_detect_text.json
+  role   = aws_iam_role.sfn_state_machine_rekognition_detect_text.id
+}
diff --git a/aws_pipes_pipe.tf b/aws_pipes_pipe.tf
@@ -0,0 +1,14 @@
+resource "aws_pipes_pipe" "sfn_state_machine_rekognition" {
+  depends_on = [
+    aws_iam_role_policy.pipes_pipe_s3_object_created_image
+  ]
+  name     = aws_sfn_state_machine.rekognition.name
+  role_arn = aws_iam_role.pipes_pipe_s3_object_created_image.arn
+  source   = aws_sqs_queue.s3_object_created_image.arn
+  target   = aws_sfn_state_machine.rekognition.arn
+  target_parameters {
+    step_function_state_machine_parameters {
+      invocation_type = "FIRE_AND_FORGET"
+    }
+  }
+}
diff --git a/aws_s3_bucket_intelligent_tiering_configuration.tf b/aws_s3_bucket_intelligent_tiering_configuration.tf
@@ -23,16 +23,3 @@ resource "aws_s3_bucket_intelligent_tiering_configuration" "logs" {
     days        = 180
   }
 }
-
-resource "aws_s3_bucket_intelligent_tiering_configuration" "s3_bucket_notification" {
-  bucket = aws_s3_bucket.main.bucket
-  filter {
-    prefix = aws_s3_object.s3_bucket_notification.key
-  }
-  name   = trimsuffix(replace(aws_s3_object.s3_bucket_notification.key, "/", "-"), "-")
-  status = "Enabled"
-  tiering {
-    access_tier = "ARCHIVE_ACCESS"
-    days        = 180
-  }
-}
diff --git a/aws_s3_bucket_metric.tf b/aws_s3_bucket_metric.tf
@@ -13,11 +13,3 @@ resource "aws_s3_bucket_metric" "logs" {
   }
   name = trimsuffix(replace(aws_s3_object.logs.key, "/", "-"), "-")
 }
-
-resource "aws_s3_bucket_metric" "s3_bucket_notification" {
-  bucket = aws_s3_bucket.main.bucket
-  filter {
-    prefix = aws_s3_object.s3_bucket_notification.key
-  }
-  name = trimsuffix(replace(aws_s3_object.s3_bucket_notification.key, "/", "-"), "-")
-}
diff --git a/aws_s3_bucket_notification.tf b/aws_s3_bucket_notification.tf
@@ -0,0 +1,14 @@
+resource "aws_s3_bucket_notification" "main" {
+  bucket = aws_s3_bucket.main.id
+
+  depends_on = [
+    aws_sqs_queue_policy.s3_object_created_image
+  ]
+
+  queue {
+    events        = ["s3:ObjectCreated:*"]
+    filter_prefix = aws_s3_object.images.key
+    id            = aws_sqs_queue.s3_object_created_image.id
+    queue_arn     = aws_sqs_queue.s3_object_created_image.arn
+  }
+}
diff --git a/aws_s3_object.tf b/aws_s3_object.tf
@@ -24,12 +24,3 @@ resource "aws_s3_object" "rekognition" {
   force_destroy    = true
   key              = "rekognition/"
 }
-
-resource "aws_s3_object" "s3_bucket_notification" {
-  acl              = "private"
-  bucket           = aws_s3_bucket.main.bucket
-  content_language = "en-US"
-  content_type     = "application/x-directory"
-  force_destroy    = true
-  key              = "s3_bucket_notification/"
-}
diff --git a/aws_sfn_state_machine.tf b/aws_sfn_state_machine.tf
@@ -1,3 +1,26 @@
+resource "aws_sfn_state_machine" "rekognition" {
+  definition = templatefile("./state_machine/Rekognition.json", {
+    rekognition_detect_faces                = aws_sfn_state_machine.rekognition_detect_faces.arn
+    rekognition_detect_labels               = aws_sfn_state_machine.rekognition_detect_labels.arn
+    rekognition_detect_moderation_labels    = aws_sfn_state_machine.rekognition_detect_moderation_labels.arn
+    rekognition_detect_protective_equipment = aws_sfn_state_machine.rekognition_detect_protective_equipment.arn
+    rekognition_detect_text                 = aws_sfn_state_machine.rekognition_detect_text.arn
+  })
+  name     = "rekognition"
+  role_arn = aws_iam_role.sfn_state_machine_rekognition.arn
+  tags = {
+    bucket                      = aws_s3_bucket.main.bucket
+    bucket_key                  = aws_s3_object.images.key
+    caller_identity_account_arn = data.aws_caller_identity.main.arn
+    caller_identity_account_id  = data.aws_caller_identity.main.account_id
+    caller_identity_user_id     = data.aws_caller_identity.main.user_id
+    canonical_user_id           = data.aws_canonical_user_id.main.id
+    organization                = local.organization
+    region                      = data.aws_region.main.name
+    workspace                   = terraform.workspace
+  }
+}
+
 resource "aws_sfn_state_machine" "rekognition_detect_faces" {
   definition = templatefile("./state_machine/RekognitionDetectFaces.json", {})
   name       = "rekognition-detect-faces"
@@ -69,3 +92,21 @@ resource "aws_sfn_state_machine" "rekognition_detect_protective_equipment" {
     workspace                   = terraform.workspace
   }
 }
+
+resource "aws_sfn_state_machine" "rekognition_detect_text" {
+  definition = templatefile("./state_machine/RekognitionDetectText.json", {})
+  name       = "rekognition-detect-text"
+  role_arn   = aws_iam_role.sfn_state_machine_rekognition_detect_text.arn
+  tags = {
+    bucket                      = aws_s3_bucket.main.bucket
+    bucket_key                  = aws_s3_object.images.key
+    caller_identity_account_arn = data.aws_caller_identity.main.arn
+    caller_identity_account_id  = data.aws_caller_identity.main.account_id
+    caller_identity_user_id     = data.aws_caller_identity.main.user_id
+    canonical_user_id           = data.aws_canonical_user_id.main.id
+    organization                = local.organization
+    rekognition                 = "DetectText"
+    region                      = data.aws_region.main.name
+    workspace                   = terraform.workspace
+  }
+}
diff --git a/aws_sqs_queue.tf b/aws_sqs_queue.tf
@@ -0,0 +1,13 @@
+resource "aws_sqs_queue" "s3_object_created_image" {
+  name                      = "s3-object-created-images"
+  message_retention_seconds = 86400
+  tags = {
+    account_arn  = data.aws_caller_identity.main.arn
+    account_id   = data.aws_caller_identity.main.account_id
+    bucket       = aws_s3_bucket.main.id
+    bucket_key   = aws_s3_object.images.key
+    organization = local.organization
+    region       = data.aws_region.main.name
+    workspace    = terraform.workspace
+  }
+}
diff --git a/aws_sqs_queue_policy.tf b/aws_sqs_queue_policy.tf
@@ -0,0 +1,4 @@
+resource "aws_sqs_queue_policy" "s3_object_created_image" {
+  policy    = data.aws_iam_policy_document.sqs_queue_s3_bucket_notification_created_image.json
+  queue_url = aws_sqs_queue.s3_object_created_image.id
+}