diff --git a/service-account/aws/main.tf b/service-account/aws/main.tf
new file mode 100644
index 000000000..a21bf4d32
--- /dev/null
+++ b/service-account/aws/main.tf
@@ -0,0 +1,45 @@
+
+
+locals {
+ prefix = var.prefix
+ tags = merge(var.tags, { module = "aws-service-account" })
+ oidc_arn = var.oidc_provider_arn
+ oidc_url = trimprefix(var.oidc_issuer_url, "https://")
+}
+
+resource "aws_iam_role" "armonik" {
+ name = "${local.prefix}-eks-pod-identity-${var.name}"
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Principal = {
+ Federated = local.oidc_arn
+ }
+ Action = "sts:AssumeRoleWithWebIdentity"
+ Condition = {
+ StringEquals = {
+ "${local.oidc_url}:aud" = "sts.amazonaws.com"
+ "${local.oidc_url}:sub" = [
+ "system:serviceaccount:${var.namespace}:${var.name}",
+ ]
+ }
+ }
+ }
+ ]
+ })
+ tags = local.tags
+}
+
+resource "kubernetes_service_account" "armonik" {
+ metadata {
+ name = var.name
+ namespace = var.namespace
+
+ annotations = {
+ "eks.amazonaws.com/role-arn" = aws_iam_role.armonik.arn
+ }
+ }
+ automount_service_account_token = var.automount_token
+}
diff --git a/service-account/aws/outputs.tf b/service-account/aws/outputs.tf
new file mode 100644
index 000000000..5c1caa6a4
--- /dev/null
+++ b/service-account/aws/outputs.tf
@@ -0,0 +1,4 @@
+output "service_account_iam_role_name" {
+ description = "name of the IAM role associated to the created Kubernetes service account"
+ value = aws_iam_role.armonik.name
+}
diff --git a/service-account/aws/variables.tf b/service-account/aws/variables.tf
new file mode 100644
index 000000000..c33fca11c
--- /dev/null
+++ b/service-account/aws/variables.tf
@@ -0,0 +1,38 @@
+variable "prefix" {
+ description = "Prefix to use for service account related resources"
+ type = string
+}
+
+# Tags
+variable "tags" {
+ description = "Tags for resource"
+ type = map(string)
+ default = {}
+}
+
+variable "namespace" {
+ description = "Namespace of ArmoniK service account related resources"
+ type = string
+ default = "armonik"
+}
+
+variable "name" {
+ description = "Name of the service account to create"
+ type = string
+}
+
+variable "automount_token" {
+ description = "To enable automatic mounting of the Kubernetes service account token."
+ type = bool
+ default = true
+}
+
+variable "oidc_provider_arn" {
+ description = "ARN of the OIDC provider"
+ type = string
+}
+
+variable "oidc_issuer_url" {
+ description = "URL of the OIDC issuer"
+ type = string
+}
diff --git a/service-account/aws/versions.tf b/service-account/aws/versions.tf
new file mode 100644
index 000000000..2082d6d72
--- /dev/null
+++ b/service-account/aws/versions.tf
@@ -0,0 +1,13 @@
+terraform {
+ required_version = ">= 1.0"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.61"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.7.1"
+ }
+ }
+}
diff --git a/storage/aws/s3/README.md b/storage/aws/s3/README.md
index 674fa9980..de335fd65 100644
--- a/storage/aws/s3/README.md
+++ b/storage/aws/s3/README.md
@@ -29,6 +29,8 @@ No modules.
| Name | Type |
|------|------|
+| [aws_iam_policy.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy_attachment.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
| [aws_s3_bucket.s3_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket_acl.acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
| [aws_s3_bucket_ownership_controls.ownership](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
@@ -39,6 +41,7 @@ No modules.
| [aws_iam_policy_document.combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.deny_insecure_transport](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.require_latest_tls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
## Inputs
@@ -59,6 +62,7 @@ No modules.
| [ownership](#input\_ownership) | Object ownership | `string` | `"BucketOwnerPreferred"` | no |
| [policy](#input\_policy) | Text of the policy | `string` | `null` | no |
| [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Whether Amazon S3 should restrict public bucket policies for this bucket | `bool` | `true` | no |
+| [role\_name](#input\_role\_name) | Name of the IAM role to give the S3 permissions to | `string` | `""` | no |
| [sse\_algorithm](#input\_sse\_algorithm) | SSE algorithm to encrypt S3 object data | `string` | `"aws:kms"` | no |
| [tags](#input\_tags) | Tags for resource | `any` | `{}` | no |
| [versioning](#input\_versioning) | Enable or disable versioning | `string` | `"Disabled"` | no |
diff --git a/storage/aws/s3/main.tf b/storage/aws/s3/main.tf
index eabf92d97..f2ea1fb22 100644
--- a/storage/aws/s3/main.tf
+++ b/storage/aws/s3/main.tf
@@ -121,3 +121,56 @@ resource "aws_s3_bucket_public_access_block" "s3_bucket" {
ignore_public_acls = var.ignore_public_acls
restrict_public_buckets = var.restrict_public_buckets
}
+
+data "aws_iam_policy_document" "s3" {
+
+ statement {
+ sid = "AllowBucketAdminActions"
+ actions = [
+ "s3:ListBucket",
+ "s3:ListBucketMultipartUploads",
+ ]
+ effect = "Allow"
+ resources = [aws_s3_bucket.s3_bucket.arn]
+ }
+
+ statement {
+ sid = "AllowObjectAdminActions"
+ actions = [
+ "s3:PutObject",
+ "s3:GetObject",
+ "s3:DeleteObject",
+ "s3:PutObjectAcl",
+ "s3:GetObjectAcl",
+ "s3:AbortMultipartUpload",
+ "s3:ListMultipartUploadParts"
+ ]
+ effect = "Allow"
+ resources = ["${aws_s3_bucket.s3_bucket.arn}/*"]
+ }
+
+ statement {
+ sid = "AllowBucketLifecycleActions"
+ actions = [
+ "s3:PutLifecycleConfiguration",
+ "s3:GetLifecycleConfiguration",
+ ]
+ effect = "Allow"
+ resources = [aws_s3_bucket.s3_bucket.arn]
+ }
+}
+
+resource "aws_iam_policy" "s3" {
+ count = can(coalesce(var.role_name)) ? 1 : 0
+ name_prefix = "${var.name}-s3-admin"
+ description = "Policy for allowing S3 admin access"
+ policy = data.aws_iam_policy_document.s3.json
+ tags = local.tags
+}
+
+resource "aws_iam_policy_attachment" "s3" {
+ count = can(coalesce(var.role_name)) ? 1 : 0
+ name = "${var.name}-s3"
+ roles = [var.role_name]
+ policy_arn = aws_iam_policy.s3[0].arn
+}
diff --git a/storage/aws/s3/variables.tf b/storage/aws/s3/variables.tf
index 229386898..4d609419c 100644
--- a/storage/aws/s3/variables.tf
+++ b/storage/aws/s3/variables.tf
@@ -115,3 +115,9 @@ variable "adapter_absolute_path" {
type = string
default = "/adapters/object/s3/ArmoniK.Core.Adapters.S3.dll"
}
+
+variable "role_name" {
+ description = "Name of the IAM role to give the S3 permissions to"
+ type = string
+ default = ""
+}
diff --git a/storage/aws/sqs/main.tf b/storage/aws/sqs/main.tf
new file mode 100644
index 000000000..1a235d681
--- /dev/null
+++ b/storage/aws/sqs/main.tf
@@ -0,0 +1,39 @@
+locals {
+ prefix = var.prefix
+ region = var.region
+ tags = merge(var.tags, { module = "amazon-sqs" })
+}
+
+
+data "aws_iam_policy_document" "sqs" {
+ statement {
+ sid = "SqsAdmin"
+ actions = [
+ "sqs:CreateQueue",
+ "sqs:DeleteQueue",
+ "sqs:ListQueues",
+ "sqs:GetQueueAttributes",
+ "sqs:PurgeQueue",
+ "sqs:GetQueueUrl",
+ "sqs:ReceiveMessage",
+ "sqs:SendMessage",
+ "sqs:DeleteMessage",
+ "sqs:ChangeMessageVisibility"
+ ]
+ effect = "Allow"
+ resources = ["arn:aws:sqs:::${local.prefix}*"]
+ }
+}
+
+resource "aws_iam_policy" "sqs" {
+ name_prefix = "${local.prefix}-sqs-admin"
+ description = "Policy for allowing SQS admin access"
+ policy = data.aws_iam_policy_document.sqs.json
+ tags = local.tags
+}
+
+resource "aws_iam_policy_attachment" "sqs" {
+ name = "${local.prefix}-sqs"
+ roles = [var.service_account_role_name]
+ policy_arn = aws_iam_policy.sqs.arn
+}
diff --git a/storage/aws/sqs/outputs.tf b/storage/aws/sqs/outputs.tf
new file mode 100644
index 000000000..d1e9489e4
--- /dev/null
+++ b/storage/aws/sqs/outputs.tf
@@ -0,0 +1,9 @@
+output "env" {
+ description = "Environment variables to pass to ArmoniK.Core"
+ value = {
+ "Components__QueueAdaptorSettings__ClassName" = "ArmoniK.Core.Adapters.SQS.QueueBuilder"
+ "Components__QueueAdaptorSettings__AdapterAbsolutePath" = "/adapters/queue/sqs/ArmoniK.Core.Adapters.SQS.dll"
+ "SQS__ServiceURL" = "https://sqs.${local.region}.amazonaws.com"
+ "SQS__Prefix" = local.prefix
+ }
+}
diff --git a/storage/aws/sqs/variables.tf b/storage/aws/sqs/variables.tf
new file mode 100644
index 000000000..fff3f4188
--- /dev/null
+++ b/storage/aws/sqs/variables.tf
@@ -0,0 +1,20 @@
+variable "region" {
+ description = "Region"
+ type = string
+}
+
+variable "prefix" {
+ description = "Prefix to use for SQS queues"
+ type = string
+}
+
+variable "tags" {
+ description = "Tags for resource"
+ type = map(string)
+ default = {}
+}
+
+variable "service_account_role_name" {
+ description = "Name of the IAM role to give the SQS permissions to"
+ type = string
+}
diff --git a/storage/aws/sqs/versions.tf b/storage/aws/sqs/versions.tf
new file mode 100644
index 000000000..5cb7783be
--- /dev/null
+++ b/storage/aws/sqs/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.0"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.61"
+ }
+ }
+}