Ensuring public read access to all required public buckets
* Required to allow task containers to read from here without crazy auth on nginx's part
This commit is contained in:
parent
d9e0e8c70b
commit
9ca3969a53
@ -1 +1,7 @@
|
||||
This folder contains docker images that live in ECR
|
||||
|
||||
beta
|
||||
====
|
||||
|
||||
Reverse proxy for all things *.shockrah.xyz
|
||||
Site content is all static content and is thus pushed to S3.
|
||||
|
||||
55
infra/s3.tf
55
infra/s3.tf
@ -22,19 +22,54 @@ resource "aws_s3_bucket" "static-content" {
|
||||
##################################################################
|
||||
# Below are the acl components for each bucket to make them public
|
||||
##################################################################
|
||||
#resource "aws_s3_bucket_ownership_controls" "static-content" {
|
||||
# for_each = toset(local.buckets)
|
||||
# bucket = each.value
|
||||
# rule {
|
||||
# object_ownership = "BucketOwnerPreferred"
|
||||
# }
|
||||
#}
|
||||
|
||||
# TODO: ensure proper dependency chaining to the buckets that these
|
||||
# blocks require to be in place _before_ they come up
|
||||
|
||||
resource "aws_s3_bucket_acl" "static-content" {
|
||||
# Enables website configuration
|
||||
resource "aws_s3_bucket_website_configuration" "site" {
|
||||
for_each = toset(local.buckets)
|
||||
|
||||
bucket = each.value
|
||||
acl = "public-read"
|
||||
index_document {
|
||||
suffix = "index.html"
|
||||
}
|
||||
|
||||
error_document {
|
||||
key = "404.html"
|
||||
}
|
||||
}
|
||||
|
||||
# Set block public access to false
|
||||
resource "aws_s3_bucket_public_access_block" "site" {
|
||||
for_each = toset(local.buckets)
|
||||
bucket = each.value
|
||||
|
||||
block_public_acls = false
|
||||
block_public_policy = false
|
||||
ignore_public_acls = false
|
||||
restrict_public_buckets = false
|
||||
}
|
||||
|
||||
|
||||
# Set a policy on the bucket to allow reads from anywhere
|
||||
resource "aws_s3_bucket_policy" "site" {
|
||||
for_each = toset(local.buckets)
|
||||
bucket = each.value
|
||||
policy = jsonencode({
|
||||
Version = "2012-10-17"
|
||||
Statement = [
|
||||
{
|
||||
Sid = "PublicReadGetObject"
|
||||
Effect = "Allow"
|
||||
Principal = "*"
|
||||
Action = "s3:GetObject"
|
||||
Resource = [
|
||||
"arn:aws:s3:::${each.value}",
|
||||
"arn:aws:s3:::${each.value}/*",
|
||||
]
|
||||
}
|
||||
]
|
||||
})
|
||||
}
|
||||
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user