Restrict access to S3 origin (with OAI)

2022-12-12 14:00:41 -03:00 · 2022-12-12 14:00:41 -03:00 · 383844ba51
parent 1e4a328e98
commit 383844ba51
8 changed files with 55 additions and 23 deletions
--- a/terraform/modules/cloudfront/main.tf
+++ b/terraform/modules/cloudfront/main.tf
@ -18,6 +18,14 @@ resource "aws_cloudfront_distribution" "this" {
      origin_id   = lookup(origin.value, "origin_id", origin.key)
      origin_path = lookup(origin.value, "origin_path", "")

+      dynamic "s3_origin_config" {
+        for_each = length(keys(lookup(origin.value, "s3_origin_config", {}))) == 0 ? [] : [lookup(origin.value, "s3_origin_config", {})]
+
+        content {
+          origin_access_identity = s3_origin_config.value.origin_access_identity
+        }
+      }
+
      dynamic "custom_origin_config" {
        for_each = length(lookup(origin.value, "custom_origin_config", "")) == 0 ? [] : [lookup(origin.value, "custom_origin_config", "")]

--- a/terraform/modules/route53/main.tf
+++ b/terraform/modules/route53/main.tf
@ -13,6 +13,8 @@ resource "aws_route53_record" "this" {
  zone_id = data.aws_route53_zone.this.zone_id
  name    = each.value.name
  type    = each.value.type
+  ttl     = lookup(each.value, "ttl", null)
+  records = try(each.value.records, null)

  dynamic "alias" {
    for_each = length(keys(lookup(each.value, "alias", {}))) == 0 ? [] : [true]
--- a/terraform/modules/s3/datasources.tf
+++ b/terraform/modules/s3/datasources.tf
@ -9,7 +9,7 @@ data "aws_iam_policy_document" "this" {
    actions = ["s3:GetObject"]
    principals {
      type        = "AWS"
-      identifiers = ["*"]
+      identifiers = [aws_cloudfront_origin_access_identity.this.iam_arn]
    }
    resources = ["${aws_s3_bucket.this.arn}/*"]
  }
--- a/terraform/modules/s3/main.tf
+++ b/terraform/modules/s3/main.tf
@ -75,3 +75,22 @@ resource "aws_s3_object" "index" {
  content_type  = "text/html"
  storage_class = "STANDARD"
 }
+
+resource "aws_s3_bucket_public_access_block" "this" {
+  count = var.type == 1 ? 1 : 0
+
+  bucket = aws_s3_bucket_policy.this[0].id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_cloudfront_origin_access_identity" "this" {
+  comment = "bsmsapp_s3"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
--- a/terraform/modules/s3/outputs.tf
+++ b/terraform/modules/s3/outputs.tf
@ -16,3 +16,13 @@ output "website_endpoint" {
  description = "The website endpoint, if the bucket is configured with a website. If not, this will be an empty string."
  value       = var.type == 1 ? aws_s3_bucket_website_configuration.this[0].website_endpoint : ""
 }
+
+output "domain_name" {
+  description = "The bucket region-specific domain name."
+  value = aws_s3_bucket.this.bucket_regional_domain_name
+}
+
+output "cloudfront_access_identity" {
+  description = "The cloudfront OAI access identity path."
+  value = aws_cloudfront_origin_access_identity.this.cloudfront_access_identity_path
+}
--- a/terraform/organization/cloudfront.tf
+++ b/terraform/organization/cloudfront.tf
@ -14,10 +14,12 @@ module "cloudfront" {
  enabled    = true
  web_acl_id = module.waf.web_acl_arn
  aliases = [
-    local.domain
+    local.domain,
+    "www.${local.domain}"
  ]

  acm_certificate_arn = module.acm.certificate_arn
+  default_root_object = "index.html"

  origin = {
    api-gateway = {
@ -32,13 +34,10 @@ module "cloudfront" {
      }
    }
    s3 = {
-      domain_name = module.s3["website"].website_endpoint
+      domain_name = module.s3["website"].domain_name

-      custom_origin_config = {
-        http_port              = 80
-        https_port             = 443
-        origin_protocol_policy = "http-only"
-        origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
+      s3_origin_config = {
+        origin_access_identity = module.s3["website"].cloudfront_access_identity
      }
    }
  }
--- a/terraform/organization/locals.tf
+++ b/terraform/organization/locals.tf
@ -6,7 +6,7 @@ locals {
    website = {
      type        = 1
      bucket_name = local.bucket_name
-      bucket_acl  = "public-read"
+      bucket_acl  = "private"
      path        = "../resources"

      website = {
@ -26,19 +26,6 @@ locals {
      }
    }

-    www-website = {
-      type = 1
-      website = {
-        redirect_all_requests_to = {
-          host_name = "${local.bucket_name}.s3-website-${data.aws_region.current.name}.amazonaws.com"
-          protocol  = "http"
-        }
-      }
-
-      bucket_name = "www.${local.bucket_name}"
-      bucket_acl  = "public-read"
-    }
-
    logs = {
      type        = 2
      bucket_name = "${local.bucket_name}-logs"
--- a/terraform/organization/route53.tf
+++ b/terraform/organization/route53.tf
@ -12,13 +12,20 @@ module "route53" {
  zone_name = local.domain

  records = {
-    record = {
+    root = {
      name = local.domain
      type = "A"
      alias = {
        name    = module.cloudfront.distribution_domain_name
        zone_id = module.cloudfront.distribution_hosted_zone_id
      }
+    },
+    www = {
+      name = "www.${local.domain}"
+      type = "A"
+      alias = {
+        name    = local.domain
+      }
    }
  }
 }