1 files changed, 4 insertions, 4 deletions
diff --git a/jinwei.me/infra/s3.tf b/jinwei.me/infra/s3.tf
index 58e0502..49f8e10 100644
--- a/jinwei.me/infra/s3.tf
+++ b/jinwei.me/infra/s3.tf
@@ -22,7 +22,7 @@ resource "aws_s3_bucket_policy" "main" {
 }
 data "aws_iam_policy_document" "bucket_policy" {
-  # Allow Cloudflare to read from the bucket
+  # Allow Cloudfront to read from the bucket
  statement {
    principals {
      type = "AWS"
@@ -37,9 +37,9 @@ data "aws_iam_policy_document" "bucket_policy" {
      "${aws_s3_bucket.main.arn}/*",
    ]
    condition {
-      test     = "IpAddress"
+      test     = "StringEquals"
-      variable = "AWS:SourceIp"
+      variable = "AWS:SourceArn"
-      values   = data.cloudflare_ip_ranges.cloudflare.cidr_blocks
+      values   = [aws_cloudfront_distribution.main.arn]
    }
  }
 }

diff --git a/jinwei.me/infra/s3.tf b/jinwei.me/infra/s3.tf index 58e0502..49f8e10 100644 --- a/jinwei.me/infra/s3.tf +++ b/jinwei.me/infra/s3.tf
@@ -22,7 +22,7 @@ resource "aws_s3_bucket_policy" "main" {
22	}	22	}
23		23
24	data "aws_iam_policy_document" "bucket_policy" {	24	data "aws_iam_policy_document" "bucket_policy" {
25	# Allow Cloudflare to read from the bucket	25	# Allow Cloudfront to read from the bucket
26	statement {	26	statement {
27	principals {	27	principals {
28	type = "AWS"	28	type = "AWS"
@@ -37,9 +37,9 @@ data "aws_iam_policy_document" "bucket_policy" {
37	"${aws_s3_bucket.main.arn}/*",	37	"${aws_s3_bucket.main.arn}/*",
38	]	38	]
39	condition {	39	condition {
40	test = "IpAddress"	40	test = "StringEquals"
41	variable = "AWS:SourceIp"	41	variable = "AWS:SourceArn"
42	values = data.cloudflare_ip_ranges.cloudflare.cidr_blocks	42	values = [aws_cloudfront_distribution.main.arn]
43	}	43	}
44	}	44	}
45	}	45	}