From 7fc02c1d048abc990e250dfa3aaa2445bee75108 Mon Sep 17 00:00:00 2001
From: Bryce Covert <github@brycecovertoperations.com>
Date: Thu, 5 Apr 2018 17:13:48 -0700
Subject: [PATCH] security

---
 .gitignore                         |   1 +
 terraform/main.tf                  |  73 +++++++++++
 terraform/terraform.tfstate        | 192 +++++++++++++++++++++++++++++
 terraform/terraform.tfstate.backup | 119 ++++++++++++++++++
 4 files changed, 385 insertions(+)
 create mode 100644 terraform/main.tf
 create mode 100644 terraform/terraform.tfstate
 create mode 100644 terraform/terraform.tfstate.backup

diff --git a/.gitignore b/.gitignore
index 452e1f9e..e427e975 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,4 @@ pom.xml.asc
 examples/
 data/
 \#*\#
+\.terraform
diff --git a/terraform/main.tf b/terraform/main.tf
new file mode 100644
index 00000000..917efbb1
--- /dev/null
+++ b/terraform/main.tf
@@ -0,0 +1,73 @@
+provider "aws" {}
+
+data "aws_caller_identity" "current" {}
+
+resource "aws_ses_receipt_rule_set" "main" {
+  rule_set_name = "default-rule-set"
+}
+
+resource "aws_ses_receipt_rule" "store" {
+  depends_on = ["aws_ses_receipt_rule_set.main"]
+  name          = "store"
+  rule_set_name = "default-rule-set"
+  recipients    = ["invoices@mail.integreat.aws.brycecovertoperations.com"]
+  enabled       = true
+  scan_enabled  = true
+
+  s3_action {
+    bucket_name = "${aws_s3_bucket.invoices.id}"
+    position = 0
+  }
+}
+
+resource "aws_s3_bucket" "invoices" {
+  bucket = "integreat-mail-prod"
+  acl    = "private"
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "AllowSESPuts",
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "ses.amazonaws.com"
+            },
+            "Action": "s3:PutObject",
+            "Resource": "arn:aws:s3:::integreat-mail-prod/*",
+            "Condition": {
+                "StringEquals": {
+                    "aws:Referer": "${data.aws_caller_identity.current.account_id}"
+                }
+            }
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_iam_user" "app_user" {
+  name = "integreat"
+}
+
+resource "aws_iam_access_key" "app_user" {
+  user    = "${aws_iam_user.app_user.name}"
+}
+
+resource "aws_iam_user_policy_attachment" "app_user_policy" {
+    user       = "${aws_iam_user.app_user.name}"
+    policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
+output "aws_access_key_id" {
+  value = "${aws_iam_access_key.app_user.id}"
+}
+
+output "aws_secret_access_key" {
+  value = "${aws_iam_access_key.app_user.secret}"
+}
+
+output "aws_default_region" {
+  value = "us-east-1"
+}
+
diff --git a/terraform/terraform.tfstate b/terraform/terraform.tfstate
new file mode 100644
index 00000000..feec0bf0
--- /dev/null
+++ b/terraform/terraform.tfstate
@@ -0,0 +1,192 @@
+{
+    "version": 3,
+    "terraform_version": "0.11.5",
+    "serial": 7,
+    "lineage": "9b630886-8cee-a57d-c7a2-4f19f13f9c51",
+    "modules": [
+        {
+            "path": [
+                "root"
+            ],
+            "outputs": {
+                "aws_access_key_id": {
+                    "sensitive": false,
+                    "type": "string",
+                    "value": "AKIAIRKDGLBX7J7VJZ6Q"
+                },
+                "aws_default_region": {
+                    "sensitive": false,
+                    "type": "string",
+                    "value": "us-east-1"
+                },
+                "aws_secret_access_key": {
+                    "sensitive": false,
+                    "type": "string",
+                    "value": "OtRw2t/xktJBDjP8Jnx1Yf6G+uzBfIkrQEc6nmgo"
+                }
+            },
+            "resources": {
+                "aws_iam_access_key.app_user": {
+                    "type": "aws_iam_access_key",
+                    "depends_on": [
+                        "aws_iam_user.app_user"
+                    ],
+                    "primary": {
+                        "id": "AKIAIRKDGLBX7J7VJZ6Q",
+                        "attributes": {
+                            "id": "AKIAIRKDGLBX7J7VJZ6Q",
+                            "secret": "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",
+                            "ses_smtp_password": "ApPp+ffnGJ/nH8OmP/3dB6ASbZDSNPF3sRyRtZNrEl5D",
+                            "status": "Active",
+                            "user": "integreat"
+                        },
+                        "meta": {},
+                        "tainted": false
+                    },
+                    "deposed": [],
+                    "provider": "provider.aws"
+                },
+                "aws_iam_user.app_user": {
+                    "type": "aws_iam_user",
+                    "depends_on": [],
+                    "primary": {
+                        "id": "integreat",
+                        "attributes": {
+                            "arn": "arn:aws:iam::679918342773:user/integreat",
+                            "force_destroy": "false",
+                            "id": "integreat",
+                            "name": "integreat",
+                            "path": "/",
+                            "unique_id": "AIDAINFBWI2I7A3TKPGW2"
+                        },
+                        "meta": {},
+                        "tainted": false
+                    },
+                    "deposed": [],
+                    "provider": "provider.aws"
+                },
+                "aws_iam_user_policy_attachment.app_user_policy": {
+                    "type": "aws_iam_user_policy_attachment",
+                    "depends_on": [
+                        "aws_iam_user.app_user"
+                    ],
+                    "primary": {
+                        "id": "integreat-20180405235730902200000001",
+                        "attributes": {
+                            "id": "integreat-20180405235730902200000001",
+                            "policy_arn": "arn:aws:iam::aws:policy/AdministratorAccess",
+                            "user": "integreat"
+                        },
+                        "meta": {},
+                        "tainted": false
+                    },
+                    "deposed": [],
+                    "provider": "provider.aws"
+                },
+                "aws_s3_bucket.invoices": {
+                    "type": "aws_s3_bucket",
+                    "depends_on": [
+                        "data.aws_caller_identity.current"
+                    ],
+                    "primary": {
+                        "id": "integreat-mail-prod",
+                        "attributes": {
+                            "acceleration_status": "",
+                            "acl": "private",
+                            "arn": "arn:aws:s3:::integreat-mail-prod",
+                            "bucket": "integreat-mail-prod",
+                            "bucket_domain_name": "integreat-mail-prod.s3.amazonaws.com",
+                            "force_destroy": "false",
+                            "hosted_zone_id": "Z3AQBSTGFYJSTF",
+                            "id": "integreat-mail-prod",
+                            "logging.#": "0",
+                            "policy": "{\"Statement\":[{\"Action\":\"s3:PutObject\",\"Condition\":{\"StringEquals\":{\"aws:Referer\":\"679918342773\"}},\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ses.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::integreat-mail-prod/*\",\"Sid\":\"AllowSESPuts\"}],\"Version\":\"2012-10-17\"}",
+                            "region": "us-east-1",
+                            "replication_configuration.#": "0",
+                            "request_payer": "BucketOwner",
+                            "server_side_encryption_configuration.#": "0",
+                            "tags.%": "0",
+                            "versioning.#": "1",
+                            "versioning.0.enabled": "false",
+                            "versioning.0.mfa_delete": "false",
+                            "website.#": "0"
+                        },
+                        "meta": {},
+                        "tainted": false
+                    },
+                    "deposed": [],
+                    "provider": "provider.aws"
+                },
+                "aws_ses_receipt_rule.store": {
+                    "type": "aws_ses_receipt_rule",
+                    "depends_on": [
+                        "aws_s3_bucket.invoices",
+                        "aws_ses_receipt_rule_set.main"
+                    ],
+                    "primary": {
+                        "id": "store",
+                        "attributes": {
+                            "add_header_action.#": "0",
+                            "bounce_action.#": "0",
+                            "enabled": "true",
+                            "id": "store",
+                            "lambda_action.#": "0",
+                            "name": "store",
+                            "recipients.#": "1",
+                            "recipients.2059710502": "invoices@mail.integreat.aws.brycecovertoperations.com",
+                            "rule_set_name": "default-rule-set",
+                            "s3_action.#": "1",
+                            "s3_action.4268582484.bucket_name": "integreat-mail-prod",
+                            "s3_action.4268582484.kms_key_arn": "",
+                            "s3_action.4268582484.object_key_prefix": "",
+                            "s3_action.4268582484.position": "1",
+                            "s3_action.4268582484.topic_arn": "",
+                            "scan_enabled": "true",
+                            "sns_action.#": "0",
+                            "stop_action.#": "0",
+                            "tls_policy": "Optional",
+                            "workmail_action.#": "0"
+                        },
+                        "meta": {},
+                        "tainted": false
+                    },
+                    "deposed": [],
+                    "provider": "provider.aws"
+                },
+                "aws_ses_receipt_rule_set.main": {
+                    "type": "aws_ses_receipt_rule_set",
+                    "depends_on": [],
+                    "primary": {
+                        "id": "default-rule-set",
+                        "attributes": {
+                            "id": "default-rule-set",
+                            "rule_set_name": "default-rule-set"
+                        },
+                        "meta": {},
+                        "tainted": false
+                    },
+                    "deposed": [],
+                    "provider": "provider.aws"
+                },
+                "data.aws_caller_identity.current": {
+                    "type": "aws_caller_identity",
+                    "depends_on": [],
+                    "primary": {
+                        "id": "2018-04-05 23:57:10.202315014 +0000 UTC",
+                        "attributes": {
+                            "account_id": "679918342773",
+                            "arn": "arn:aws:iam::679918342773:user/bryce",
+                            "id": "2018-04-05 23:57:10.202315014 +0000 UTC",
+                            "user_id": "AIDAJPUJFTOKO4IRADMV4"
+                        },
+                        "meta": {},
+                        "tainted": false
+                    },
+                    "deposed": [],
+                    "provider": "provider.aws"
+                }
+            },
+            "depends_on": []
+        }
+    ]
+}
diff --git a/terraform/terraform.tfstate.backup b/terraform/terraform.tfstate.backup
new file mode 100644
index 00000000..3e4edb37
--- /dev/null
+++ b/terraform/terraform.tfstate.backup
@@ -0,0 +1,119 @@
+{
+    "version": 3,
+    "terraform_version": "0.11.5",
+    "serial": 7,
+    "lineage": "9b630886-8cee-a57d-c7a2-4f19f13f9c51",
+    "modules": [
+        {
+            "path": [
+                "root"
+            ],
+            "outputs": {},
+            "resources": {
+                "aws_s3_bucket.invoices": {
+                    "type": "aws_s3_bucket",
+                    "depends_on": [
+                        "data.aws_caller_identity.current"
+                    ],
+                    "primary": {
+                        "id": "integreat-mail-prod",
+                        "attributes": {
+                            "acceleration_status": "",
+                            "acl": "private",
+                            "arn": "arn:aws:s3:::integreat-mail-prod",
+                            "bucket": "integreat-mail-prod",
+                            "bucket_domain_name": "integreat-mail-prod.s3.amazonaws.com",
+                            "force_destroy": "false",
+                            "hosted_zone_id": "Z3AQBSTGFYJSTF",
+                            "id": "integreat-mail-prod",
+                            "logging.#": "0",
+                            "policy": "{\"Statement\":[{\"Action\":\"s3:PutObject\",\"Condition\":{\"StringEquals\":{\"aws:Referer\":\"679918342773\"}},\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ses.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::integreat-mail-prod/*\",\"Sid\":\"AllowSESPuts\"}],\"Version\":\"2012-10-17\"}",
+                            "region": "us-east-1",
+                            "replication_configuration.#": "0",
+                            "request_payer": "BucketOwner",
+                            "server_side_encryption_configuration.#": "0",
+                            "tags.%": "0",
+                            "versioning.#": "1",
+                            "versioning.0.enabled": "false",
+                            "versioning.0.mfa_delete": "false",
+                            "website.#": "0"
+                        },
+                        "meta": {},
+                        "tainted": false
+                    },
+                    "deposed": [],
+                    "provider": "provider.aws"
+                },
+                "aws_ses_receipt_rule.store": {
+                    "type": "aws_ses_receipt_rule",
+                    "depends_on": [
+                        "aws_s3_bucket.invoices",
+                        "aws_ses_receipt_rule_set.main"
+                    ],
+                    "primary": {
+                        "id": "store",
+                        "attributes": {
+                            "add_header_action.#": "0",
+                            "bounce_action.#": "0",
+                            "enabled": "true",
+                            "id": "store",
+                            "lambda_action.#": "0",
+                            "name": "store",
+                            "recipients.#": "1",
+                            "recipients.2059710502": "invoices@mail.integreat.aws.brycecovertoperations.com",
+                            "rule_set_name": "default-rule-set",
+                            "s3_action.#": "1",
+                            "s3_action.4268582484.bucket_name": "integreat-mail-prod",
+                            "s3_action.4268582484.kms_key_arn": "",
+                            "s3_action.4268582484.object_key_prefix": "",
+                            "s3_action.4268582484.position": "1",
+                            "s3_action.4268582484.topic_arn": "",
+                            "scan_enabled": "true",
+                            "sns_action.#": "0",
+                            "stop_action.#": "0",
+                            "tls_policy": "Optional",
+                            "workmail_action.#": "0"
+                        },
+                        "meta": {},
+                        "tainted": false
+                    },
+                    "deposed": [],
+                    "provider": "provider.aws"
+                },
+                "aws_ses_receipt_rule_set.main": {
+                    "type": "aws_ses_receipt_rule_set",
+                    "depends_on": [],
+                    "primary": {
+                        "id": "default-rule-set",
+                        "attributes": {
+                            "id": "default-rule-set",
+                            "rule_set_name": "default-rule-set"
+                        },
+                        "meta": {},
+                        "tainted": false
+                    },
+                    "deposed": [],
+                    "provider": "provider.aws"
+                },
+                "data.aws_caller_identity.current": {
+                    "type": "aws_caller_identity",
+                    "depends_on": [],
+                    "primary": {
+                        "id": "2018-04-05 23:38:43.421813463 +0000 UTC",
+                        "attributes": {
+                            "account_id": "679918342773",
+                            "arn": "arn:aws:iam::679918342773:user/bryce",
+                            "id": "2018-04-05 23:38:43.421813463 +0000 UTC",
+                            "user_id": "AIDAJPUJFTOKO4IRADMV4"
+                        },
+                        "meta": {},
+                        "tainted": false
+                    },
+                    "deposed": [],
+                    "provider": "provider.aws"
+                }
+            },
+            "depends_on": []
+        }
+    ]
+}