This repository contains a Terraform module that creates an IAM user, including access keys, that can then be used in the QNAP Glacier app.
For further information, see the corresponding article on https://www.how-hard-can-it.be/qnap-glacier-iam-user/.
Before you can use the Terraform module in this repository out of the box, you need
- an AWS account
- the Terraform CLI
After running the Terraform module in this repository you get an IAM user with corresponding access key and secret access key that can be used in the QNAP Glacier app. Here, the IAM user is only permitted to work with archives in a given AWS Glacier Vault. Modifying or deleting the vault is not permitted.
The input variables for the module are defined in settings/example.tfvars to be

```hcl
region = "<your-region>"
shared_credentials_file = "/path/to/.aws/credentials"
profile = "<your-profile>"
qnap_vault_name = "<your-QNAP-Glacier-vault>"
```
Here, you need to replace the example values with your settings. Note that you also need to set qnap_vault_name to the name of an AWS Glacier Vault that does not exist yet, because the QNAP Glacier app creates the vault itself (see below). Moreover, the placeholder value is not a valid input as it stands, so it must be replaced in any case.
Initialise Terraform by running

```shell
terraform init
```

As a best practice, create a new workspace by running

```shell
terraform workspace new example
```

The QNAP Glacier IAM user can be planned by running

```shell
terraform plan -var-file=settings/example.tfvars
```

and created by running

```shell
terraform apply -var-file=settings/example.tfvars
```
The module has two outputs, namely qnap_glacier_user_access_key and qnap_glacier_user_secret_access_key, which are the access key and secret access key of the newly created IAM user. The access key and secret access key are intended to be used in the QNAP Glacier app as they are.
The QNAP Glacier IAM user can be deleted by running

```shell
terraform destroy -var-file=settings/example.tfvars
```
Why Do I Have to Specify the AWS Glacier Vault but then it does not get Created by the Terraform Module?
The QNAP Glacier app expects to be able to create the AWS Glacier vault to be used. This makes sense when considering that AWS Glacier vault inventories are generated approximately once a day. It's the safest way to create a brand new AWS Glacier Vault for the QNAP Glacier app.
However, this limits the ability to leverage other functions of AWS Glacier vaults, such as notifications via SQS queues.
The IAM policy being used for the QNAP Glacier IAM User is

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "glacier:ListVaults",
        "glacier:GetDataRetrievalPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "glacier:UploadMultipartPart",
        "glacier:UploadArchive",
        "glacier:ListTagsForVault",
        "glacier:ListParts",
        "glacier:ListMultipartUploads",
        "glacier:ListJobs",
        "glacier:InitiateMultipartUpload",
        "glacier:InitiateJob",
        "glacier:GetVaultNotifications",
        "glacier:GetVaultLock",
        "glacier:GetVaultAccessPolicy",
        "glacier:GetJobOutput",
        "glacier:DescribeVault",
        "glacier:DescribeJob",
        "glacier:DeleteArchive",
        "glacier:CreateVault",
        "glacier:CompleteMultipartUpload",
        "glacier:AbortMultipartUpload"
      ],
      "Resource": "arn:aws:glacier:<your-region>:<your-account>:vaults/<your-vault>"
    }
  ]
}
```
Here, the value of Resource will be tailored to your region, account, and vault.
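The scoping described above is easy to get wrong when the policy is edited later (a Resource widened to "*", or a vault-level action slipped into the second statement). The following is an added example, not part of the Terraform module, that checks a rendered policy document for exactly the properties the README claims: only the two read-only listing actions are granted account-wide, every other action is pinned to one fully qualified vault ARN, and no action that modifies or deletes the vault itself appears anywhere. The region, account ID and vault name are constructed placeholder values, and the list of "vault-modifying" actions is this example's own reading of the README's statement.

```python
import json
import re

# Constructed: the README's placeholders filled with made-up values.
EXPECTED_VAULT_ARN = "arn:aws:glacier:us-east-1:123456789012:vaults/qnap-backup"

POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": ["glacier:ListVaults", "glacier:GetDataRetrievalPolicy"],
      "Resource": "*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "glacier:UploadMultipartPart", "glacier:UploadArchive", "glacier:ListTagsForVault",
        "glacier:ListParts", "glacier:ListMultipartUploads", "glacier:ListJobs",
        "glacier:InitiateMultipartUpload", "glacier:InitiateJob", "glacier:GetVaultNotifications",
        "glacier:GetVaultLock", "glacier:GetVaultAccessPolicy", "glacier:GetJobOutput",
        "glacier:DescribeVault", "glacier:DescribeJob", "glacier:DeleteArchive",
        "glacier:CreateVault", "glacier:CompleteMultipartUpload", "glacier:AbortMultipartUpload"
      ],
      "Resource": "arn:aws:glacier:us-east-1:123456789012:vaults/qnap-backup"
    }
  ]
}
"""

# The only actions the README grants account-wide; both are read-only.
ALLOWED_WILDCARD_ACTIONS = {"glacier:ListVaults", "glacier:GetDataRetrievalPolicy"}

# Assumed reading of "modifying or deleting the vault is not permitted":
# none of these vault-level Glacier actions may appear in an Allow statement.
FORBIDDEN_ACTIONS = {
    "glacier:DeleteVault", "glacier:SetVaultAccessPolicy", "glacier:DeleteVaultAccessPolicy",
    "glacier:SetVaultNotifications", "glacier:DeleteVaultNotifications",
    "glacier:InitiateVaultLock", "glacier:CompleteVaultLock",
}

# One fully qualified vault ARN: no wildcards in region, account or vault name.
VAULT_ARN_RE = re.compile(r"^arn:aws:glacier:[a-z0-9-]+:\d{12}:vaults/[A-Za-z0-9_.-]+$")


def _as_list(value):
    # IAM accepts a string or a list for Action/Resource; normalise to a list.
    return value if isinstance(value, list) else [value]


def check_policy(policy: dict, expected_vault_arn: str) -> list:
    # Returns findings; an empty list means the policy is scoped as the README describes.
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {idx}: grants by exclusion (NotAction/NotResource)")
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action in FORBIDDEN_ACTIONS or action.endswith("*"):
                findings.append(f"statement {idx}: {action} can modify or delete the vault")
        for res in resources:
            if res == "*":
                extra = sorted(set(actions) - ALLOWED_WILDCARD_ACTIONS)
                if extra:
                    findings.append(f"statement {idx}: {extra} allowed on every vault")
            elif not VAULT_ARN_RE.match(res):
                findings.append(f"statement {idx}: {res} is not a single vault ARN")
            elif res != expected_vault_arn:
                findings.append(f"statement {idx}: {res} is not the configured vault")
    return findings


def readme_policy_findings() -> list:
    return check_policy(json.loads(POLICY_JSON), EXPECTED_VAULT_ARN)


def widened_policy_findings() -> list:
    # Failure mode: the vault statement accidentally set to Resource "*".
    policy = json.loads(POLICY_JSON)
    policy["Statement"][1]["Resource"] = "*"
    return check_policy(policy, EXPECTED_VAULT_ARN)


def delete_vault_policy_findings() -> list:
    # Failure mode: glacier:DeleteVault added to the vault statement.
    policy = json.loads(POLICY_JSON)
    policy["Statement"][1]["Action"].append("glacier:DeleteVault")
    return check_policy(policy, EXPECTED_VAULT_ARN)
```

Calling readme_policy_findings() on the policy as shown returns an empty list, while the two failure-mode functions each return a single finding. To check your own deployment, replace POLICY_JSON with the policy document Terraform renders in the plan and EXPECTED_VAULT_ARN with the ARN built from your region, account and qnap_vault_name.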
No. The glacier:CreateVault permission is only granted on the AWS Glacier vault provided in the input variables.
No. The IAM user is specifically designed to work with a dedicated AWS Glacier vault. This limits the blast radius in case something goes wrong.
Simply create another Terraform workspace by running

```shell
terraform workspace new second-example
```

and then plan and apply the Terraform module again.