Ensuring public read access to all required public buckets

* Required to allow task containers to read from here without crazy auth on
  nginx's part
This commit is contained in:
shockrah 2023-09-10 15:10:22 -07:00
parent d9e0e8c70b
commit 9ca3969a53
2 changed files with 51 additions and 10 deletions

View File

@ -1 +1,7 @@
This folder contains docker images that live in ECR This folder contains docker images that live in ECR
beta
====
Reverse proxy for all things *.shockrah.xyz
Site content is all static content and is thus pushed to S3.

View File

@ -22,19 +22,54 @@ resource "aws_s3_bucket" "static-content" {
################################################################## ##################################################################
# Below are the acl components for each bucket to make them public # Below are the acl components for each bucket to make them public
################################################################## ##################################################################
#resource "aws_s3_bucket_ownership_controls" "static-content" {
# for_each = toset(local.buckets)
# bucket = each.value
# rule {
# object_ownership = "BucketOwnerPreferred"
# }
#}
# TODO: ensure proper dependency chaining to the buckets that these
# blocks require to be in place _before_ they come up
resource "aws_s3_bucket_acl" "static-content" { # Enables website configuration
resource "aws_s3_bucket_website_configuration" "site" {
for_each = toset(local.buckets) for_each = toset(local.buckets)
bucket = each.value bucket = each.value
acl = "public-read" index_document {
suffix = "index.html"
} }
error_document {
key = "404.html"
}
}
# Set block public access to false
resource "aws_s3_bucket_public_access_block" "site" {
for_each = toset(local.buckets)
bucket = each.value
block_public_acls = false
block_public_policy = false
ignore_public_acls = false
restrict_public_buckets = false
}
# Set a policy on the bucket to allow reads from anywhere
resource "aws_s3_bucket_policy" "site" {
for_each = toset(local.buckets)
bucket = each.value
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Sid = "PublicReadGetObject"
Effect = "Allow"
Principal = "*"
Action = "s3:GetObject"
Resource = [
"arn:aws:s3:::${each.value}",
"arn:aws:s3:::${each.value}/*",
]
}
]
})
}