Merge pull request #1 from timothyclarke/policy-as-data

src/s3.tf

@@ -2,7 +2,7 @@
 resource "aws_s3_bucket" "www_bucket" {
   bucket = "www.${var.bucket_name}"
   acl    = "public-read"
-  policy = templatefile("templates/s3-policy.json", { bucket = "www.${var.bucket_name}" })
+  policy = data.aws_iam_policy_document.allow_public_s3_read.json
 
   cors_rule {
     allowed_headers = ["Authorization", "Content-Length"]
@@ -23,7 +23,7 @@ resource "aws_s3_bucket" "www_bucket" {
 resource "aws_s3_bucket" "root_bucket" {
   bucket = var.bucket_name
   acl    = "public-read"
-  policy = templatefile("templates/s3-policy.json", { bucket = var.bucket_name })
+  policy = data.aws_iam_policy_document.allow_public_s3_read.json
 
   website {
     redirect_all_requests_to = "https://www.${var.domain_name}"
@@ -31,3 +31,25 @@ resource "aws_s3_bucket" "root_bucket" {
 
   tags = var.common_tags
 }
+
+# S3 Allow Public read access as data object
+data "aws_iam_policy_document" "allow_public_s3_read" {
+  statement {
+    sid    = "PublicReadGetObject"
+    effect = "Allow"
+
+    actions = [
+      "s3:GetObject",
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = "*"
+    }
+
+    resources = [
+      "arn:aws:s3:::${var.bucket_name}/*"
+      "arn:aws:s3:::www-${var.bucket_name}/*"
+    ]
+  }
+}

src/templates/s3-policy.json

@@ -1,12 +0,0 @@
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "PublicReadGetObject",
-            "Effect": "Allow",
-            "Principal": "*",
-            "Action": "s3:GetObject",
-            "Resource": "arn:aws:s3:::${bucket}/*"
-        }
-    ]
-}