feat: add mpc-backup-vault module

Author: fegmorte

modules/mpc-backup-vault/README.md

@@ -0,0 +1,6 @@
+# MPC Key backup modules\
+
+This module is aim to create :
+- bucket for backup vault
+
+The kms keys is handled by kms-stack terraform module in infra repo.

modules/mpc-backup-vault/main.tf

@@ -0,0 +1,99 @@
+# ***************************************
+#  Local variables
+# ***************************************
+resource "random_id" "mpc_party_suffix" {
+  byte_length = 4
+}
+locals {
+  backup_bucket_name = "${var.bucket_prefix}-${var.party_name}-${random_id.mpc_party_suffix.hex}"
+}
+
+# ***************************************
+#  S3 Buckets for Vault Private Storage
+# ***************************************
+resource "aws_s3_bucket" "backup_bucket" {
+  force_destroy = true
+  bucket        = local.backup_bucket_name
+  tags = merge(var.tags, {
+    "Name"    = local.backup_bucket_name
+    "Type"    = "backup-vault"
+    "Party"   = var.party_name
+    "Purpose" = "mpc-backup-storage"
+  })
+}
+
+resource "aws_s3_bucket_ownership_controls" "backup_bucket" {
+  bucket = aws_s3_bucket.backup_bucket.id
+  rule {
+    object_ownership = "BucketOwnerEnforced"
+  }
+}
+
+resource "aws_s3_bucket_versioning" "backup_bucket" {
+  bucket = aws_s3_bucket.backup_bucket.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "backup_bucket" {
+  bucket                  = aws_s3_bucket.backup_bucket.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+# ***************************************
+#  IAM Role & Policy for MPC Backup Vault
+# ***************************************
+
+# Trust policy: Allow trusted principals to assume this role
+data "aws_iam_policy_document" "assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    effect  = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = var.trusted_principal_arns
+    }
+  }
+}
+
+resource "aws_iam_role" "mpc_backup_role" {
+  name               = "mpc-backup-${var.party_name}"
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
+  tags               = var.tags
+}
+
+# Policy allowing access to the bucket
+resource "aws_iam_policy" "mpc_aws" {
+  name = "mpc-backup-${var.party_name}"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "AllowObjectActions"
+        Effect = "Allow"
+        Action = "s3:*Object"
+        Resource = [
+          "arn:aws:s3:::${aws_s3_bucket.backup_bucket.id}/*"
+        ]
+      },
+      {
+        Sid    = "AllowListBucket"
+        Effect = "Allow"
+        Action = "s3:ListBucket"
+        Resource = [
+          "arn:aws:s3:::${aws_s3_bucket.backup_bucket.id}"
+        ]
+      }
+    ]
+  })
+}
+
+# Attach policy to the role
+resource "aws_iam_role_policy_attachment" "mpc_backup_attach" {
+  role       = aws_iam_role.mpc_backup_role.name
+  policy_arn = aws_iam_policy.mpc_aws.arn
+}

modules/mpc-backup-vault/outputs.tf

@@ -0,0 +1,19 @@
+output "bucket_name" {
+  description = "The name of the created S3 bucket"
+  value       = aws_s3_bucket.backup_bucket.id
+}
+
+output "bucket_arn" {
+  description = "The ARN of the created S3 bucket"
+  value       = aws_s3_bucket.backup_bucket.arn
+}
+
+output "role_name" {
+  description = "The name of the IAM role created for accessing the bucket"
+  value       = aws_iam_role.mpc_backup_role.name
+}
+
+output "role_arn" {
+  description = "The ARN of the IAM role created for accessing the bucket"
+  value       = aws_iam_role.mpc_backup_role.arn
+}

modules/mpc-backup-vault/variables.tf

@@ -0,0 +1,32 @@
+# Tagging
+variable "tags" {
+  type        = map(string)
+  description = "A map of tags to assign to the resource"
+  default = {
+    "terraform" = "true"
+    "module"    = "mpc-party"
+  }
+}
+
+variable "bucket_prefix" {
+  type        = string
+  description = "The prefix for the S3 bucket names"
+  default     = "mpc-backup-vault"
+}
+
+# MPC Party Configuration
+variable "party_name" {
+  type        = string
+  description = "The name of the MPC party (used for resource naming and tagging)"
+
+  validation {
+    condition     = can(regex("^[a-z0-9-]+$", var.party_name))
+    error_message = "Party name must contain only lowercase letters, numbers, and hyphens."
+  }
+}
+
+variable "trusted_principal_arns" {
+  type        = list(string)
+  description = "List of ARNs (users, roles, or root accounts) that can assume the backup role."
+  default     = []
+}

modules/mpc-backup-vault/versions.tf

@@ -0,0 +1,18 @@
+terraform {
+  required_version = ">= 1.10"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.1"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = ">= 3.0"
+    }
+  }
+}