-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathsecondary-website-bucket.tf
102 lines (88 loc) · 2.92 KB
/
secondary-website-bucket.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
resource "aws_s3_bucket" "secondary_website" {
count = var.create_secondary ? 1 : 0
bucket = var.dns_entry_secondary
tags = merge(
local.common_tags,
{
"Name" = var.dns_entry_secondary
},
)
lifecycle {
ignore_changes = [
logging
]
}
}
resource "aws_s3_bucket_versioning" "secondary_website_versioning" {
count = var.create_secondary ? 1 : 0
bucket = aws_s3_bucket.secondary_website[count.index].id
versioning_configuration {
status = "Suspended"
}
}
# Encrypt the data at rest. We use the default Service Side Encryption
# in order to minimize issues between CloudFront and KMS
resource "aws_s3_bucket_server_side_encryption_configuration" "secondary_website_server_side_encryption" {
count = var.create_secondary ? 1 : 0
bucket = aws_s3_bucket.secondary_website[count.index].id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
resource "aws_s3_bucket_acl" "secondary_website_acl" {
count = var.create_secondary ? 1 : 0
bucket = aws_s3_bucket.secondary_website[count.index].id
acl = "private"
}
resource "aws_s3_bucket_policy" "cdn_access_policy_secondary" {
count = var.create_secondary ? 1 : 0
bucket = aws_s3_bucket.secondary_website[count.index].id
policy = data.aws_iam_policy_document.s3_policy_secondary[count.index].json
}
# Policy to allow the created Access Identity to access the bucket
data "aws_iam_policy_document" "s3_policy_secondary" {
count = var.create_secondary ? 1 : 0
statement {
actions = ["s3:GetObject"]
resources = ["${aws_s3_bucket.secondary_website[count.index].arn}/*"]
principals {
type = "AWS"
identifiers = [aws_cloudfront_origin_access_identity.origin_access_identity_secondary[count.index].iam_arn]
}
}
statement {
actions = ["s3:ListBucket"]
resources = [aws_s3_bucket.secondary_website[count.index].arn]
principals {
type = "AWS"
identifiers = [aws_cloudfront_origin_access_identity.origin_access_identity_secondary[count.index].iam_arn]
}
}
# This ensures all S3 actions are over HTTPS
statement {
actions = ["s3:GetObject", "s3:PutObject"]
resources = ["${aws_s3_bucket.secondary_website[count.index].arn}/*"]
effect = "Deny"
sid = "BlockNonSSL"
principals {
type = "AWS"
identifiers = ["*"]
}
condition {
test = "Bool"
variable = "aws:SecureTransport"
values = ["false"]
}
}
}
# This will shore up access so only CloudFront can access S3
resource "aws_cloudfront_origin_access_identity" "origin_access_identity_secondary" {
count = var.create_secondary ? 1 : 0
comment = "CloudFront Access identity to S3 for ${var.dns_entry_secondary}"
}
output "aws_s3_bucket_name_secondary_website" {
value = try(aws_s3_bucket.secondary_website[0].bucket, "")
description = "The secondary (preview) website S3 bucket name."
}