Diffstat (limited to 'jinwei.me/infra/s3.tf')
-rw-r--r--jinwei.me/infra/s3.tf62
1 files changed, 28 insertions, 34 deletions
diff --git a/jinwei.me/infra/s3.tf b/jinwei.me/infra/s3.tf
index 5626390..58e0502 100644
--- a/jinwei.me/infra/s3.tf
+++ b/jinwei.me/infra/s3.tf
@@ -3,7 +3,7 @@ resource "random_id" "s3_bucket_suffix" {
3} 3}
4 4
5resource "aws_s3_bucket" "main" { 5resource "aws_s3_bucket" "main" {
6 bucket = "${var.name}-${random_id.s3_bucket_suffix.hex}" 6 bucket = "static.jinwei.me"
7} 7}
8 8
9resource "aws_s3_bucket_public_access_block" "main" { 9resource "aws_s3_bucket_public_access_block" "main" {
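Review bot: Hard-coding `bucket = "static.jinwei.me"` in place of the random-suffix name forces replacement of `aws_s3_bucket.main`, so Terraform will destroy the existing bucket and create the new one; objects that were uploaded outside Terraform are not migrated, and the apply fails outright if that globally-unique name is already claimed by another account. A dotted bucket name also breaks TLS verification on the virtual-hosted-style endpoint (`static.jinwei.me.s3.amazonaws.com` is not covered by the `*.s3.amazonaws.com` certificate), so if Cloudflare is set to pull from the origin with strict TLS, the origin must use a path-style or regional endpoint that this hunk does not show. A comment on the new line 6 such as `# Name must equal the public hostname; dotted names require a path-style origin URL for HTTPS` would document that constraint for the next maintainer.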
@@ -12,43 +12,37 @@ resource "aws_s3_bucket_public_access_block" "main" {
12 # https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html 12 # https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
13 block_public_acls = false 13 block_public_acls = false
14 ignore_public_acls = true 14 ignore_public_acls = true
15 block_public_policy = true 15 block_public_policy = false
16 restrict_public_buckets = true 16 restrict_public_buckets = true
17} 17}
18 18
19#resource "aws_s3_bucket_policy" "main" { 19resource "aws_s3_bucket_policy" "main" {
20# bucket = aws_s3_bucket.main.id 20 bucket = aws_s3_bucket.main.id
21# policy = data.aws_iam_policy_document.bucket_policy.json 21 policy = data.aws_iam_policy_document.bucket_policy.json
22#} 22}
23
24#data "aws_iam_policy_document" "bucket_policy" {
25# # Allow CloudFront to read from the bucket
26# statement {
27# principals {
28# type = "Service"
29# identifiers = [
30# "cloudfront.amazonaws.com"
31# ]
32# }
33# actions = [
34# "s3:GetObject"
35# ]
36# resources = [
37# "${aws_s3_bucket.main.arn}/*",
38# ]
39# condition {
40# test = "StringEquals"
41# variable = "AWS:SourceArn"
42# values = [aws_cloudfront_distribution.main.arn]
43# }
44# }
45#}
46 23
47#resource "aws_ssm_parameter" "s3_bucket" { 24data "aws_iam_policy_document" "bucket_policy" {
48# name = "/${local.name}/s3_bucket" 25 # Allow Cloudflare to read from the bucket
49# type = "String" 26 statement {
50# value = aws_s3_bucket.main.bucket 27 principals {
51#} 28 type = "AWS"
29 identifiers = [
30 "*"
31 ]
32 }
33 actions = [
34 "s3:GetObject"
35 ]
36 resources = [
37 "${aws_s3_bucket.main.arn}/*",
38 ]
39 condition {
40 test = "IpAddress"
41 variable = "AWS:SourceIp"
42 values = data.cloudflare_ip_ranges.cloudflare.cidr_blocks
43 }
44 }
45}
52 46
53resource "aws_s3_object" "healthcheck" { 47resource "aws_s3_object" "healthcheck" {
54 bucket = aws_s3_bucket.main.id 48 bucket = aws_s3_bucket.main.id
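Review bot: The new bucket policy (new-side lines 24–45) makes the trust boundary "any request arriving from a Cloudflare egress IP" rather than "requests for this zone": every Cloudflare customer shares those CIDR ranges, so anyone who points a proxied zone at this bucket's endpoint satisfies the `aws:SourceIp` condition and can read every object anonymously. If the content is meant to be origin-only, add a second factor S3 can evaluate — e.g. a secret injected by a Cloudflare transform rule and matched with `condition { test = "StringEquals" variable = "aws:Referer" values = [var.origin_secret] }` — or front the bucket with a Worker that signs requests with scoped IAM credentials; if the content is genuinely public, say so next to the statement (`# Objects are public; the IP allowlist only deters hotlinking, it is not access control`) so the allowlist is not mistaken for authorization. Note that `restrict_public_buckets` stays `true` on line 16, so anonymous reads only work if S3 classifies this policy as non-public — it generally treats a fixed `aws:SourceIp` CIDR list that way, but verify with a real request after apply rather than assuming. Finally, `data.cloudflare_ip_ranges.cloudflare` is defined outside this hunk, and the deployed policy only tracks Cloudflare's published ranges as often as `terraform apply` runs, which is worth a comment at the `values =` line.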