AWS: Define policy access for S3 buckets.

Related to: - kubernetes/registry.k8s.io#172 Define and attach a policy that make a S3 bucket world-readable. Signed-off-by: Arnaud Meukam <[email protected]>
ameukam · Oct 13, 2023 · d747853 · d747853
1 parent bfb96e0
commit d747853
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/infra/aws/terraform/modules/registry-k8s-io-s3-bucket/main.tf b/infra/aws/terraform/modules/registry-k8s-io-s3-bucket/main.tf
@@ -23,6 +23,35 @@ locals {
   bucket_name = format("%v-registry-k8s-io-%s", local.prefix, data.aws_region.current.name)
 }
 
+data "aws_iam_policy_document" "public_bucket_policy" {
+  statement {
+    actions = [
+        "s3:ListBucket"
+    ]
+    effect = "Allow"
+    resources = [
+        module.s3_bucket.s3_bucket_arn
+    ]
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+  }
+  statement {
+    actions = [
+        "s3:GetObject"
+    ]
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    resources = [
+        "${module.s3_bucket.s3_bucket_arn}/*"
+    ]
+  }
+}
+
 module "s3_bucket" {
   source  = "terraform-aws-modules/s3-bucket/aws"
   version = "3.15.1"
@@ -39,6 +68,9 @@ module "s3_bucket" {
   object_ownership         = "BucketOwnerEnforced"
   expected_bucket_owner    = data.aws_caller_identity.current.account_id
 
+  attach_policy = true
+  policy = data.aws_iam_policy_document.public_bucket_policy.json
+
   cors_rule = [{
 
     allowed_methods = ["GET","HEAD"]