-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy paths3.tf
More file actions
103 lines (87 loc) · 3.08 KB
/
Copy paths3.tf
File metadata and controls
103 lines (87 loc) · 3.08 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
# General-purpose S3 bucket for the proxy. LiteLLM uses S3 for:
# - Cache backend (cache_params.s3_bucket_name in proxy_config)
# - Request log archival (S3_REQUEST_LOGS_BUCKET_NAME)
# - /v1/files endpoint passthrough storage
#
# The bucket name + region are exposed to gateway + backend as S3_BUCKET_NAME
# / S3_REGION_NAME so proxy_config can reference them via
# `os.environ/S3_BUCKET_NAME`. The task role is scoped to this bucket only.
resource "random_id" "s3_suffix" {
byte_length = 4
}
resource "aws_s3_bucket" "this" {
bucket = "${local.name}-${random_id.s3_suffix.hex}"
# Default false → `terraform destroy` refuses on a non-empty bucket so
# cached responses, archived request logs, and /v1/files storage stay put.
# Flip to true only for ephemeral / CI stacks (`var.s3_force_destroy`).
force_destroy = var.s3_force_destroy
tags = local.tags
}
resource "aws_s3_bucket_versioning" "this" {
bucket = aws_s3_bucket.this.id
versioning_configuration {
status = "Enabled"
}
}
resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
bucket = aws_s3_bucket.this.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
resource "aws_s3_bucket_public_access_block" "this" {
bucket = aws_s3_bucket.this.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
# Task role gains object-level read/write on this bucket. Bucket-level perms
# (list/location) are also scoped to this bucket only.
data "aws_iam_policy_document" "s3_access" {
statement {
actions = [
"s3:ListBucket",
"s3:GetBucketLocation",
]
resources = [aws_s3_bucket.this.arn]
}
statement {
actions = [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
]
resources = ["${aws_s3_bucket.this.arn}/*"]
}
}
resource "aws_iam_policy" "s3_access" {
name = "${local.name}-s3-access"
policy = data.aws_iam_policy_document.s3_access.json
tags = local.tags
}
resource "aws_iam_role_policy_attachment" "task_s3_access" {
role = aws_iam_role.task.name
policy_arn = aws_iam_policy.s3_access.arn
}
# proxy_config is uploaded as an S3 object so the gateway and backend
# containers can fetch it at startup instead of carrying the YAML inline
# as a base64 env var. ECS Fargate has no native S3 volume type, so
# "mount" here is: container entrypoint runs a boto3 download_file into
# /tmp/litellm-config.yaml before exec'ing uvicorn. The task role already
# has s3:GetObject on this bucket via aws_iam_policy.s3_access.
#
# etag flows into the task definition (see locals.proxy_config_env in
# ecs.tf) so a config edit produces a new task-def revision and ECS rolls
# both services automatically.
resource "aws_s3_object" "proxy_config" {
count = length(keys(var.proxy_config)) > 0 ? 1 : 0
bucket = aws_s3_bucket.this.id
key = "config/litellm-config.yaml"
content = yamlencode(var.proxy_config)
content_type = "application/yaml"
}