Diffstat (limited to 'jinwei.me/infra/s3.tf')
-rw-r--r-- | jinwei.me/infra/s3.tf | 62 |
1 files changed, 28 insertions, 34 deletions
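--- a/jinwei.me/infra/s3.tf
+++ b/jinwei.me/infra/s3.tf
@@ -3,7 +3,7 @@ resource "random_id" "s3_bucket_suffix" {
 }
 
 resource "aws_s3_bucket" "main" {
-bucket = "${var.name}-${random_id.s3_bucket_suffix.hex}"
+bucket = "static.jinwei.me"
 }
 
 resource "aws_s3_bucket_public_access_block" "main" {
@@ -12,43 +12,37 @@ resource "aws_s3_bucket_public_access_block" "main" {
 # https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
 block_public_acls = false
 ignore_public_acls = true
-block_public_policy = true
+block_public_policy = false
 restrict_public_buckets = true
 }
 
-#resource "aws_s3_bucket_policy" "main" {
-# bucket = aws_s3_bucket.main.id
-# policy = data.aws_iam_policy_document.bucket_policy.json
-#}
-
-#data "aws_iam_policy_document" "bucket_policy" {
-# # Allow CloudFront to read from the bucket
-# statement {
-# principals {
-# type = "Service"
-# identifiers = [
-# "cloudfront.amazonaws.com"
-# ]
-# }
-# actions = [
-# "s3:GetObject"
-# ]
-# resources = [
-# "${aws_s3_bucket.main.arn}/*",
-# ]
-# condition {
-# test = "StringEquals"
-# variable = "AWS:SourceArn"
-# values = [aws_cloudfront_distribution.main.arn]
-# }
-# }
-#}
+resource "aws_s3_bucket_policy" "main" {
+bucket = aws_s3_bucket.main.id
+policy = data.aws_iam_policy_document.bucket_policy.json
+}
 
-#resource "aws_ssm_parameter" "s3_bucket" {
-# name = "/${local.name}/s3_bucket"
-# type = "String"
-# value = aws_s3_bucket.main.bucket
-#}
+data "aws_iam_policy_document" "bucket_policy" {
+# Allow Cloudflare to read from the bucket
+statement {
+principals {
+type = "AWS"
+identifiers = [
+"*"
+]
+}
+actions = [
+"s3:GetObject"
+]
+resources = [
+"${aws_s3_bucket.main.arn}/*",
+]
+condition {
+test = "IpAddress"
+variable = "AWS:SourceIp"
+values = data.cloudflare_ip_ranges.cloudflare.cidr_blocks
+}
+}
+}
 
 resource "aws_s3_object" "healthcheck" {
 bucket = aws_s3_bucket.main.id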
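Review bot: The new bucket_policy statement grants `s3:GetObject` to `Principal: *` gated only by `aws:SourceIp` in Cloudflare's published ranges, and those egress ranges are shared by every Cloudflare tenant, so the condition forces reads through the CDN but is not an access-control boundary — the objects should be treated as publicly readable, unlike the replaced CloudFront-principal policy that was pinned to one distribution ARN via `aws:SourceArn`. That is acceptable for a public static site, but the comment should say so; I would change `# Allow Cloudflare to read from the bucket` to `# Any Cloudflare tenant can egress from these ranges: this only forces reads through the CDN and does not restrict who can read the objects`. Separately, `restrict_public_buckets = true` is kept while `block_public_policy` is flipped to false; S3 treats a policy conditioned on fixed `aws:SourceIp` ranges as non-public, so the policy should still take effect, but that evaluation is worth confirming with a GetObject through Cloudflare after apply. `data.cloudflare_ip_ranges.cloudflare` is referenced but not declared in this file as shown, and with the hunk at line 10 dropping the only reference to `random_id.s3_bucket_suffix`, that resource (visible in the first hunk header) appears to be left unused unless something outside this diff still reads it.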