forked from oasys/terraform-aws-cloudfront-auth
-
Notifications
You must be signed in to change notification settings - Fork 0
/
s3.tf
54 lines (50 loc) · 1.57 KB
/
s3.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
resource "aws_s3_bucket" "site" {
bucket = local.s3_bucket_name
acl = "private"
# checkov:skip=CKV_AWS_21:versioning not needed
# checkov:skip=CKV_AWS_18:access logging disabled for cost savings
# checkov:skip=CKV_AWS_19:encryption disabled, public website
# checkov:skip=CKV_AWS_52:no MFA delete, not canonical source
tags = var.tags
}
resource "aws_s3_bucket_public_access_block" "private" {
bucket = aws_s3_bucket.site.id
block_public_acls = true
ignore_public_acls = true
block_public_policy = true
restrict_public_buckets = true
}
data "aws_iam_policy_document" "s3_bucket_policy" {
statement {
actions = ["s3:GetObject", ]
resources = ["${aws_s3_bucket.site.arn}/*"]
principals {
type = "AWS"
identifiers = [aws_cloudfront_origin_access_identity.oai.iam_arn]
}
}
statement {
actions = ["s3:ListBucket"]
resources = [aws_s3_bucket.site.arn]
principals {
type = "AWS"
identifiers = [aws_cloudfront_origin_access_identity.oai.iam_arn]
}
}
override_json = var.deploy_arn == null ? "{}" : data.aws_iam_policy_document.deploy.json
}
data "aws_iam_policy_document" "deploy" {
statement {
sid = "UpdateSite"
actions = ["s3:PutObject", "s3:PutObjectAcl"]
resources = ["${aws_s3_bucket.site.arn}/*"]
principals {
type = "AWS"
identifiers = [var.deploy_arn]
}
}
}
resource "aws_s3_bucket_policy" "bucket_policy" {
bucket = aws_s3_bucket.site.id
policy = data.aws_iam_policy_document.s3_bucket_policy.json
}