Ensuring public read access to all required public buckets
* Required to allow task containers to read from here without crazy auth on nginx's part
This commit is contained in:
parent
d9e0e8c70b
commit
9ca3969a53
@ -1 +1,7 @@
|
|||||||
This folder contains docker images that live in ECR
|
This folder contains docker images that live in ECR
|
||||||
|
|
||||||
|
beta
|
||||||
|
====
|
||||||
|
|
||||||
|
Reverse proxy for all things *.shockrah.xyz
|
||||||
|
Site content is all static content and is thus pushed to S3.
|
||||||
|
|||||||
55
infra/s3.tf
55
infra/s3.tf
@ -22,19 +22,54 @@ resource "aws_s3_bucket" "static-content" {
|
|||||||
##################################################################
|
##################################################################
|
||||||
# Below are the acl components for each bucket to make them public
|
# Below are the acl components for each bucket to make them public
|
||||||
##################################################################
|
##################################################################
|
||||||
#resource "aws_s3_bucket_ownership_controls" "static-content" {
|
|
||||||
# for_each = toset(local.buckets)
|
|
||||||
# bucket = each.value
|
|
||||||
# rule {
|
|
||||||
# object_ownership = "BucketOwnerPreferred"
|
|
||||||
# }
|
|
||||||
#}
|
|
||||||
|
|
||||||
|
# TODO: ensure proper dependency chaining to the buckets that these
|
||||||
|
# blocks require to be in place _before_ they come up
|
||||||
|
|
||||||
resource "aws_s3_bucket_acl" "static-content" {
|
# Enables website configuration
|
||||||
|
resource "aws_s3_bucket_website_configuration" "site" {
|
||||||
for_each = toset(local.buckets)
|
for_each = toset(local.buckets)
|
||||||
|
|
||||||
bucket = each.value
|
bucket = each.value
|
||||||
acl = "public-read"
|
index_document {
|
||||||
|
suffix = "index.html"
|
||||||
|
}
|
||||||
|
|
||||||
|
error_document {
|
||||||
|
key = "404.html"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Set block public access to false
|
||||||
|
resource "aws_s3_bucket_public_access_block" "site" {
|
||||||
|
for_each = toset(local.buckets)
|
||||||
|
bucket = each.value
|
||||||
|
|
||||||
|
block_public_acls = false
|
||||||
|
block_public_policy = false
|
||||||
|
ignore_public_acls = false
|
||||||
|
restrict_public_buckets = false
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Set a policy on the bucket to allow reads from anywhere
|
||||||
|
resource "aws_s3_bucket_policy" "site" {
|
||||||
|
for_each = toset(local.buckets)
|
||||||
|
bucket = each.value
|
||||||
|
policy = jsonencode({
|
||||||
|
Version = "2012-10-17"
|
||||||
|
Statement = [
|
||||||
|
{
|
||||||
|
Sid = "PublicReadGetObject"
|
||||||
|
Effect = "Allow"
|
||||||
|
Principal = "*"
|
||||||
|
Action = "s3:GetObject"
|
||||||
|
Resource = [
|
||||||
|
"arn:aws:s3:::${each.value}",
|
||||||
|
"arn:aws:s3:::${each.value}/*",
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user