
Commit ceb8fce

authored
Merge pull request #1 from egarbi/feature/origin_access_identity
Allows S3 access only to CloudFront
2 parents 8edd0d6 + bd9fe0e commit ceb8fce


2 files changed

+33
-18
lines changed


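--- a/cloudfront.tf
+++ b/cloudfront.tf
@@ -1,7 +1,16 @@
+resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {
+comment = "${var.site_name}${var.domain} Created by Terraform"
+}
+
 resource "aws_cloudfront_distribution" "s3_distribution" {
 origin {
 domain_name = "${aws_s3_bucket.main.id}.s3.amazonaws.com"
 origin_id = "S3-${aws_s3_bucket.main.id}"
+
+s3_origin_config {
+origin_access_identity = "${aws_cloudfront_origin_access_identity.origin_access_identity.cloudfront_access_identity_path}"
+}
+
 }
 
 enabled = true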
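Review bot: The origin still uses the global S3 hostname on the context line `domain_name = "${aws_s3_bucket.main.id}.s3.amazonaws.com"`; if the bucket is created outside us-east-1, the global endpoint may answer with redirects for a newly created bucket until its DNS propagates, and CloudFront will surface those to clients. The bucket resource exposes `bucket_regional_domain_name`, so `domain_name = "${aws_s3_bucket.main.bucket_regional_domain_name}"` is the more robust origin to pair with the new `s3_origin_config` block. The `aws_cloudfront_distribution` resource continues past the end of the hunk.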

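--- a/main.tf
+++ b/main.tf
@@ -1,27 +1,33 @@
 // Global Content Delivery Network
 // S3 + Cloudfront
-// Content of those bucket has been populated manually
+// Content of this bucket will be populated manually
+data "aws_iam_policy_document" "s3_policy" {
+statement {
+actions = ["s3:GetObject"]
+resources = ["arn:aws:s3:::${var.site_name}${replace(var.domain, ".", "-")}/*"]
+
+principals {
+type = "AWS"
+identifiers = ["${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"]
+}
+}
+
+statement {
+actions = ["s3:ListBucket"]
+resources = ["arn:aws:s3:::${var.site_name}${replace(var.domain, ".", "-")}"]
+
+principals {
+type = "AWS"
+identifiers = ["${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"]
+}
+}
+}
+
 resource "aws_s3_bucket" "main" {
 bucket = "${var.site_name}${replace(var.domain, ".", "-")}"
 acl = "public-read"
 
-policy = <<EOF
-{
-"Version": "2008-10-17",
-"Id": "Policy1412590466126",
-"Statement": [
-{
-"Sid": "Stmt1412590461560",
-"Effect": "Allow",
-"Principal": {
-"AWS": "*"
-},
-"Action": "s3:GetObject",
-"Resource": "arn:aws:s3:::${var.site_name}${replace(var.domain, ".", "-")}/*"
-}
-]
-}
-EOF
+policy = "${data.aws_iam_policy_document.s3_policy.json}"
 
 website {
 index_document = "index.html"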
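Review bot: The new policy document scopes `s3:GetObject` and `s3:ListBucket` to the origin access identity, but the bucket keeps `acl = "public-read"` on the context line just above the replaced policy; S3 grants access if either the ACL or the bucket policy allows it, so anonymous bucket listing remains open and any object uploaded manually with a public object ACL is still readable directly, which means the stated goal of allowing access only to CloudFront is not achieved. Change it to `acl = "private"` and make sure the manual uploads described in the updated header comment do not set public object ACLs. Separately, the retained `website { index_document = "index.html" }` block configures the S3 static-website endpoint, which does not honour an OAI; with the CloudFront origin pointing at the REST endpoint that block appears to be dead configuration, and the index-document resolution it provided will presumably not apply through CloudFront beyond the distribution's `default_root_object` — worth confirming before relying on it. The `aws_s3_bucket` resource continues past the end of the hunk.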
