-
Notifications
You must be signed in to change notification settings - Fork 0
/
s3.tf
66 lines (57 loc) · 1.72 KB
/
s3.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
#################################################
# S3 - Website Bucket
#################################################
resource "aws_s3_bucket" "app" {
bucket = local.app_domain
}
resource "aws_s3_bucket_acl" "app" {
bucket = aws_s3_bucket.app.id
acl = "private"
}
resource "aws_s3_bucket_public_access_block" "app" {
bucket = aws_s3_bucket.app.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_object" "app_files" {
for_each = local.web_apps_files
key = "sites/${each.key}"
source = each.value
etag = filemd5(each.value)
bucket = aws_s3_bucket.app.bucket
content_type = lookup(local.mime_map, reverse(split(".", each.value))[0], "application/octet-stream")
server_side_encryption = "AES256"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "app" {
bucket = aws_s3_bucket.app.bucket
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
resource "aws_s3_bucket_policy" "app" {
bucket = aws_s3_bucket.app.id
policy = data.aws_iam_policy_document.s3_app_policy_doc.json
}
data "aws_iam_policy_document" "s3_app_policy_doc" {
version = "2008-10-17"
policy_id = "PolicyForCloudFrontPrivateContent"
statement {
sid = "AllowCloudFrontServicePrincipal"
effect = "Allow"
actions = ["s3:GetObject"]
resources = ["${aws_s3_bucket.app.arn}/*"]
principals {
type = "Service"
identifiers = ["cloudfront.amazonaws.com"]
}
condition {
test = "StringEquals"
variable = "AWS:SourceArn"
values = [aws_cloudfront_distribution.app.arn]
}
}
}