Write the s3 policy as a policy statement that terraform can validate rather than an external template file

This commit is contained in:
Timothy Clarke 2022-11-02 10:37:57 +00:00
parent b9ceacf1f9
commit a142a3b18a
No known key found for this signature in database
GPG key ID: 37C2AD434EA09A49
2 changed files with 24 additions and 14 deletions


@ -2,7 +2,7 @@
resource "aws_s3_bucket" "www_bucket" { resource "aws_s3_bucket" "www_bucket" {
bucket = "www.${var.bucket_name}" bucket = "www.${var.bucket_name}"
acl = "public-read" acl = "public-read"
policy = templatefile("templates/s3-policy.json", { bucket = "www.${var.bucket_name}" }) policy = data.aws_iam_policy_document.allow_public_s3_read.json
cors_rule { cors_rule {
allowed_headers = ["Authorization", "Content-Length"] allowed_headers = ["Authorization", "Content-Length"]
@ -23,7 +23,7 @@ resource "aws_s3_bucket" "www_bucket" {
resource "aws_s3_bucket" "root_bucket" { resource "aws_s3_bucket" "root_bucket" {
bucket = var.bucket_name bucket = var.bucket_name
acl = "public-read" acl = "public-read"
policy = templatefile("templates/s3-policy.json", { bucket = var.bucket_name }) policy = data.aws_iam_policy_document.allow_public_s3_read.json
website { website {
redirect_all_requests_to = "https://www.${var.domain_name}" redirect_all_requests_to = "https://www.${var.domain_name}"
@ -31,3 +31,25 @@ resource "aws_s3_bucket" "root_bucket" {
tags = var.common_tags tags = var.common_tags
} }
# S3 Allow Public read access as data object
data "aws_iam_policy_document" "allow_public_s3_read" {
statement {
sid = "PublicReadGetObject"
effect = "Allow"
actions = [
"s3:GetObject",
]
principals {
type = "AWS"
identifiers = "*"
}
resources = [
"arn:aws:s3:::${var.bucket_name}/*"
"arn:aws:s3:::www-${var.bucket_name}/*"
]
}
}
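Review bot: The new `allow_public_s3_read` document will not validate as written: `identifiers = "*"` must be a list (`identifiers = ["*"]`), the two `resources` entries lack the separating comma, and the second ARN uses `www-${var.bucket_name}` while the bucket itself is declared as `bucket = "www.${var.bucket_name}"` in the first hunk. Even with those fixed, the same document naming both bucket ARNs is attached to both buckets, and S3 rejects a bucket policy whose `Resource` refers to a bucket other than the one it is attached to, so the apply would fail with a malformed-policy error; the removed template avoided this by rendering one policy per bucket. Generating one document per bucket (e.g. `for_each` over the two names, which requires Terraform 0.13 or later for data sources) restores that, with the two `policy` lines becoming `data.aws_iam_policy_document.allow_public_s3_read[var.bucket_name].json` and `data.aws_iam_policy_document.allow_public_s3_read["www.${var.bucket_name}"].json`. Since this is a public-read grant, S3 Block Public Access at the account or bucket level will also reject the policy unless it has been deliberately relaxed for these two buckets, which is worth stating in the comment above the data block.
```hcl
# S3 Allow Public read access as data object — one document per bucket,
# because S3 refuses a bucket policy whose Resource names another bucket
data "aws_iam_policy_document" "allow_public_s3_read" {
  for_each = toset([var.bucket_name, "www.${var.bucket_name}"])

  statement {
    sid     = "PublicReadGetObject"
    effect  = "Allow"
    actions = ["s3:GetObject"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    resources = ["arn:aws:s3:::${each.key}/*"]
  }
}
```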


@ -1,12 +0,0 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::${bucket}/*"
}
]
}