# Site S3 Bucket
## Bucket
# Root static-site bucket, named after the served domain (var.domain_name).
# Content placed here is public by design: the bucket carries the
# "public-read" canned ACL and is served through S3 static website hosting.
# NOTE(review): a bucket-level "public-read" ACL grants anonymous READ on the
# bucket itself, i.e. object listing; if public_bucket_policy.json already
# grants s3:GetObject, the ACL may be unnecessary — verify before changing,
# because the public_access_block for this bucket leaves ACLs unrestricted.
# NOTE(review): inline acl/website/logging arguments are the AWS provider v3
# style; later provider majors move them to separate resources — confirm the
# pinned provider version before upgrading.
resource "aws_s3_bucket" "site-bucket" {
  bucket = var.domain_name
  acl    = "public-read"
  # Serve index.html as the directory index and 404.html for missing keys.
  website {
    index_document = "index.html"
    error_document = "404.html"
  }
  # Server access logs go to the shared logs bucket under a per-bucket prefix.
  logging {
    target_bucket = aws_s3_bucket.site-logs.bucket
    target_prefix = "${var.domain_name}/s3/root"
  }
}
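## Bucket public access
# The site bucket is intentionally world-readable (static website hosting), so
# none of the four Block Public Access settings are enabled. The provider
# defaults all four to false; they are spelled out here so the posture is
# visible in code (and to scanners) instead of hidden behind defaults. Only
# content meant to be public should ever be placed in this bucket.
# NOTE(review): if public_bucket_policy.json grants s3:GetObject on its own,
# block_public_acls/ignore_public_acls could be enabled once the "public-read"
# ACL on the bucket is dropped — verify the policy first; enabling them while
# the public ACL is still managed can make applies fail.
resource "aws_s3_bucket_public_access_block" "site-bucket" {
  bucket                  = aws_s3_bucket.site-bucket.id
  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}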
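## Bucket policy
# Renders public_bucket_policy.json with the site bucket's id substituted for
# the template's `bucket` variable; the rendered document is attached by the
# aws_s3_bucket_policy resource that follows.
# `file()` is already an expression, so the 0.11-style "${...}" wrapper around
# it was redundant and is dropped; the rendered output is unchanged.
# NOTE(review): file() resolves the path relative to the working directory,
# not the module; "${path.module}/public_bucket_policy.json" would be more
# robust if this is ever consumed as a child module — confirm before changing.
# NOTE(review): the template provider is deprecated in favour of the built-in
# templatefile() function; migrating changes the reference
# data.template_file.site-bucket-policy.rendered, so it is left as-is here.
data "template_file" "site-bucket-policy" {
  template = file("public_bucket_policy.json")
  vars = {
    bucket = aws_s3_bucket.site-bucket.id
  }
}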
# Attaches the rendered public_bucket_policy.json to the site bucket. Whatever
# that template grants is the effective public surface of this bucket, so it
# should be reviewed alongside this file.
resource "aws_s3_bucket_policy" "site-bucket" {
  bucket = aws_s3_bucket.site-bucket.id
  policy = data.template_file.site-bucket-policy.rendered
}
# Redirect www. S3 bucket
## Bucket
# "www." bucket that exists only to redirect every request to the apex domain.
# It holds no content, but it carries the same "public-read" ACL as the root
# bucket and gets the same public policy below, so it is anonymously listable.
# NOTE(review): redirect_all_requests_to has no protocol prefix, so S3 applies
# its default; confirm whether an explicit "https://" prefix is wanted.
# NOTE(review): inline acl/website/logging arguments are the AWS provider v3
# style — confirm the pinned provider version before upgrading.
resource "aws_s3_bucket" "www-site-bucket" {
  bucket = "www.${var.domain_name}"
  acl    = "public-read"
  # Whole-bucket redirect; no objects are served from here.
  website {
    redirect_all_requests_to = var.domain_name
  }
  # Server access logs go to the shared logs bucket under a per-bucket prefix.
  logging {
    target_bucket = aws_s3_bucket.site-logs.bucket
    target_prefix = "${var.domain_name}/s3/www"
  }
}
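## Bucket public access
# The redirect bucket mirrors the root bucket: none of the four Block Public
# Access settings are enabled. The provider defaults all four to false; they
# are spelled out here so the posture is visible in code (and to scanners)
# instead of hidden behind defaults.
# NOTE(review): a pure redirect bucket serves no objects, so it is a candidate
# for tightening once the "public-read" ACL and public policy are confirmed
# unnecessary for the redirect — verify before changing.
resource "aws_s3_bucket_public_access_block" "www-site-bucket" {
  bucket                  = aws_s3_bucket.www-site-bucket.id
  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}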
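## Bucket policy
# Renders public_bucket_policy.json with the www bucket's id substituted for
# the template's `bucket` variable; attached by the resource that follows.
# `file()` is already an expression, so the 0.11-style "${...}" wrapper around
# it was redundant and is dropped; the rendered output is unchanged.
# NOTE(review): file() resolves the path relative to the working directory,
# not the module; "${path.module}/public_bucket_policy.json" would be more
# robust if this is ever consumed as a child module — confirm before changing.
# NOTE(review): the template provider is deprecated in favour of the built-in
# templatefile() function; migrating changes the reference
# data.template_file.www-site-bucket-policy.rendered, so it is left as-is.
data "template_file" "www-site-bucket-policy" {
  template = file("public_bucket_policy.json")
  vars = {
    bucket = aws_s3_bucket.www-site-bucket.id
  }
}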
# Attaches the rendered public_bucket_policy.json to the www redirect bucket.
# The same template is used for both site buckets, so a change to that file
# widens or narrows public access on both at once.
resource "aws_s3_bucket_policy" "www-site-bucket" {
  bucket = aws_s3_bucket.www-site-bucket.id
  policy = data.template_file.www-site-bucket-policy.rendered
}
# Logs S3 bucket
## Bucket
# Server access log destination for both site buckets (see their logging
# blocks). "log-delivery-write" is the canned ACL that lets the S3 Log Delivery
# group write logs here; it grants nothing to anonymous principals.
# NOTE(review): no versioning, encryption or lifecycle settings appear in this
# block — if retention or at-rest encryption of the logs matters, confirm they
# are configured elsewhere.
resource "aws_s3_bucket" "site-logs" {
  bucket = var.logs_bucket
  acl    = "log-delivery-write"
}
## Disable bucket public access
# Access logs must never be reachable anonymously: all four Block Public
# Access settings are enabled, so public ACLs are rejected and ignored, public
# bucket policies are rejected, and any existing public grants are overridden.
resource "aws_s3_bucket_public_access_block" "site-logs" {
  bucket                  = aws_s3_bucket.site-logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}