From 9ca3969a53d8868bcfa16ca68800410cc7470c34 Mon Sep 17 00:00:00 2001
From: shockrah
Date: Sun, 10 Sep 2023 15:10:22 -0700
Subject: [PATCH] Ensuring public read access to all required public buckets

* Required to allow task containers to read from here without crazy auth on nginx's part
---
 docker/readme | 6 ++++++
 infra/s3.tf | 55 +++++++++++++++++++++++++++++++++++++++++----------
 2 files changed, 51 insertions(+), 10 deletions(-)

diff --git a/docker/readme b/docker/readme
index b795211..8d2bd84 100644
--- a/docker/readme
+++ b/docker/readme
@@ -1 +1,7 @@
 This folder contains docker images that live in ECR
+
+beta
+====
+
+Reverse proxy for all things *.shockrah.xyz
+Site content is all static content and is thus pushed to S3.
diff --git a/infra/s3.tf b/infra/s3.tf
index fea86d8..2850575 100644
--- a/infra/s3.tf
+++ b/infra/s3.tf
@@ -22,19 +22,54 @@ resource "aws_s3_bucket" "static-content" {
 ##################################################################
 # Below are the acl components for each bucket to make them public
 ##################################################################
-#resource "aws_s3_bucket_ownership_controls" "static-content" {
-# for_each = toset(local.buckets)
-# bucket = each.value
-# rule {
-# object_ownership = "BucketOwnerPreferred"
-# }
-#}
+# TODO: ensure proper dependency chaining to the buckets that these
+# blocks require to be in place _before_ they come up
-resource "aws_s3_bucket_acl" "static-content" {
+# Enables website configuration
+resource "aws_s3_bucket_website_configuration" "site" {
 for_each = toset(local.buckets)
- bucket = each.value
- acl = "public-read"
+ index_document {
+ suffix = "index.html"
+ }
+
+ error_document {
+ key = "404.html"
+ }
 }
+# Set block public access to false
+resource "aws_s3_bucket_public_access_block" "site" {
+ for_each = toset(local.buckets)
+ bucket = each.value
+
+ block_public_acls = false
+ block_public_policy = false
+ ignore_public_acls = false
+ restrict_public_buckets = false
+}
+
+
+# Set a policy on the bucket to allow reads from anywhere
+resource "aws_s3_bucket_policy" "site" {
+ for_each = toset(local.buckets)
+ bucket = each.value
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "PublicReadGetObject"
+ Effect = "Allow"
+ Principal = "*"
+ Action = "s3:GetObject"
+ Resource = [
+ "arn:aws:s3:::${each.value}",
+ "arn:aws:s3:::${each.value}/*",
+ ]
+ }
+ ]
+ })
+}
+
+
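Review bot: The new `aws_s3_bucket_website_configuration.site` block has no `bucket` argument — the hunk removes `bucket = each.value` from the old ACL resource but does not carry it into the replacement, and the provider requires it, so each instance has no target bucket and validation will fail; add `bucket = each.value` directly after `for_each`. In `aws_s3_bucket_policy.site`, `s3:GetObject` only applies to object ARNs, so the `"arn:aws:s3:::${each.value}"` entry grants nothing and can be dropped, leaving just `"arn:aws:s3:::${each.value}/*"`. AWS refuses to attach a public bucket policy while `block_public_policy` is still true, so the policy resource should carry `depends_on = [aws_s3_bucket_public_access_block.site]` to apply reliably on a fresh run, which also resolves part of the TODO added at the top of the hunk. Since this policy makes every object in every bucket listed in `local.buckets` readable by anonymous principals, a comment on that list stating that only intentionally public static-site buckets belong in it would help the next maintainer. The hunk's trailing context lines appear to lie beyond this chunk.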