Restrict access to S3 origin (with OAI)

This commit is contained in:
Santiago Lo Coco 2022-12-12 14:00:41 -03:00
parent 1e4a328e98
commit 383844ba51
8 changed files with 55 additions and 23 deletions


@ -18,6 +18,14 @@ resource "aws_cloudfront_distribution" "this" {
origin_id = lookup(origin.value, "origin_id", origin.key) origin_id = lookup(origin.value, "origin_id", origin.key)
origin_path = lookup(origin.value, "origin_path", "") origin_path = lookup(origin.value, "origin_path", "")
dynamic "s3_origin_config" {
for_each = length(keys(lookup(origin.value, "s3_origin_config", {}))) == 0 ? [] : [lookup(origin.value, "s3_origin_config", {})]
content {
origin_access_identity = s3_origin_config.value.origin_access_identity
}
}
dynamic "custom_origin_config" { dynamic "custom_origin_config" {
for_each = length(lookup(origin.value, "custom_origin_config", "")) == 0 ? [] : [lookup(origin.value, "custom_origin_config", "")] for_each = length(lookup(origin.value, "custom_origin_config", "")) == 0 ? [] : [lookup(origin.value, "custom_origin_config", "")]
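Review bot: The new `s3_origin_config` block reads `s3_origin_config.value.origin_access_identity` with no default, so an origin map that has an `s3_origin_config` key but misses `origin_access_identity` fails at plan time with an opaque attribute error, and nothing rejects an origin that supplies both `s3_origin_config` and `custom_origin_config`; a `lookup(s3_origin_config.value, "origin_access_identity", null)` plus a `validation` on the origin variable would make that contract explicit. OAI is also the legacy mechanism — Origin Access Control (`origin_access_control_id` on the origin with an `aws_cloudfront_origin_access_control` resource) signs requests with SigV4, works with SSE-KMS buckets and is what AWS now recommends, so if the provider version in use supports it, consider accepting it as an alternative key. The emptiness test also differs from the `custom_origin_config` one below it (`length(keys(lookup(..., {})))` versus `length(lookup(..., ""))`); one form for both reads better. The enclosing `aws_cloudfront_distribution` resource starts and ends outside the hunk.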


@ -13,6 +13,8 @@ resource "aws_route53_record" "this" {
zone_id = data.aws_route53_zone.this.zone_id zone_id = data.aws_route53_zone.this.zone_id
name = each.value.name name = each.value.name
type = each.value.type type = each.value.type
ttl = lookup(each.value, "ttl", null)
records = try(each.value.records, null)
dynamic "alias" { dynamic "alias" {
for_each = length(keys(lookup(each.value, "alias", {}))) == 0 ? [] : [true] for_each = length(keys(lookup(each.value, "alias", {}))) == 0 ? [] : [true]
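Review bot: The two added attributes read the same record map with two different accessors — `lookup(each.value, "ttl", null)` on one line and `try(each.value.records, null)` on the next — although both do the same optional-key job; settle on one, e.g. `records = lookup(each.value, "records", null)`. Route53 also rejects `ttl`/`records` on alias records, so a caller that sets `alias` together with `ttl` now fails at apply rather than at plan; a `precondition` (or at least a note in the variable description that they are mutually exclusive) would surface that earlier. The `aws_route53_record` resource begins before the hunk and the `alias` block continues after it.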


@ -9,7 +9,7 @@ data "aws_iam_policy_document" "this" {
actions = ["s3:GetObject"] actions = ["s3:GetObject"]
principals { principals {
type = "AWS" type = "AWS"
identifiers = ["*"] identifiers = [aws_cloudfront_origin_access_identity.this.iam_arn]
} }
resources = ["${aws_s3_bucket.this.arn}/*"] resources = ["${aws_s3_bucket.this.arn}/*"]
} }
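Review bot: With the principal narrowed to the OAI, requests for keys that do not exist now come back from the S3 REST endpoint as `403 AccessDenied` instead of `404`, because the identity is granted `s3:GetObject` on objects but no `s3:ListBucket` on the bucket; either add a second statement granting `s3:ListBucket` on `aws_s3_bucket.this.arn` to the same principal, or map 403 to the site's not-found page in CloudFront, otherwise visitors see an S3 XML error. Note too that an OAI cannot read objects encrypted with SSE-KMS — if that is, or becomes, the bucket's default encryption, Origin Access Control is required instead. The `aws_iam_policy_document` data source starts outside the hunk.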


@ -75,3 +75,22 @@ resource "aws_s3_object" "index" {
content_type = "text/html" content_type = "text/html"
storage_class = "STANDARD" storage_class = "STANDARD"
} }
resource "aws_s3_bucket_public_access_block" "this" {
count = var.type == 1 ? 1 : 0
bucket = aws_s3_bucket_policy.this[0].id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_cloudfront_origin_access_identity" "this" {
comment = "bsmsapp_s3"
lifecycle {
create_before_destroy = true
}
}
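Review bot: The public access block is created only when `var.type == 1` (`count = var.type == 1 ? 1 : 0`), so the other bucket types this module manages — the `logs` bucket is `type = 2` in this same commit — receive no block at all; blocking public ACLs and policies is a safe default for every bucket here, so drop the `count` and use `bucket = aws_s3_bucket.this.id`. Pointing `bucket` at `aws_s3_bucket_policy.this[0].id` works only because a bucket policy's id happens to be the bucket name; referencing the bucket directly is clearer, and if the ordering relative to the policy is intentional an explicit `depends_on` says so. The OAI `comment` is the hard-coded string `"bsmsapp_s3"` although the module is instantiated once per bucket, so every instance creates an identically described identity; using the bucket name the module already receives would make them distinguishable in the console.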


@ -16,3 +16,13 @@ output "website_endpoint" {
description = "The website endpoint, if the bucket is configured with a website. If not, this will be an empty string." description = "The website endpoint, if the bucket is configured with a website. If not, this will be an empty string."
value = var.type == 1 ? aws_s3_bucket_website_configuration.this[0].website_endpoint : "" value = var.type == 1 ? aws_s3_bucket_website_configuration.this[0].website_endpoint : ""
} }
output "domain_name" {
description = "The bucket region-specific domain name."
value = aws_s3_bucket.this.bucket_regional_domain_name
}
output "cloudfront_access_identity" {
description = "The cloudfront OAI access identity path."
value = aws_cloudfront_origin_access_identity.this.cloudfront_access_identity_path
}


@ -14,10 +14,12 @@ module "cloudfront" {
enabled = true enabled = true
web_acl_id = module.waf.web_acl_arn web_acl_id = module.waf.web_acl_arn
aliases = [ aliases = [
local.domain local.domain,
"www.${local.domain}"
] ]
acm_certificate_arn = module.acm.certificate_arn acm_certificate_arn = module.acm.certificate_arn
default_root_object = "index.html"
origin = { origin = {
api-gateway = { api-gateway = {
@ -32,13 +34,10 @@ module "cloudfront" {
} }
} }
s3 = { s3 = {
domain_name = module.s3["website"].website_endpoint domain_name = module.s3["website"].domain_name
custom_origin_config = { s3_origin_config = {
http_port = 80 origin_access_identity = module.s3["website"].cloudfront_access_identity
https_port = 443
origin_protocol_policy = "http-only"
origin_ssl_protocols = ["TLSv1", "TLSv1.1", "TLSv1.2"]
} }
} }
} }
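Review bot: Switching the origin from `website_endpoint` to `bucket_regional_domain_name` means CloudFront now calls the S3 REST API, where the bucket's website configuration (index document for sub-paths, error document, routing rules) no longer applies; `default_root_object = "index.html"` covers only `/`, so a request for `/about/` looks up that exact key and a missing key returns S3's `403 AccessDenied` XML body. If the site has such paths, add a `custom_error_response` for 403 (and 404) that serves `/index.html`, or a CloudFront Function that appends `index.html` to directory requests. Removing the `http-only` custom origin with `TLSv1`/`TLSv1.1` in its `origin_ssl_protocols` is a clear improvement; CloudFront-to-S3 transport is implicit with an S3 origin. The `module "cloudfront"` block starts before and ends after the hunk.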


@ -6,7 +6,7 @@ locals {
website = { website = {
type = 1 type = 1
bucket_name = local.bucket_name bucket_name = local.bucket_name
bucket_acl = "public-read" bucket_acl = "private"
path = "../resources" path = "../resources"
website = { website = {
@ -26,19 +26,6 @@ locals {
} }
} }
www-website = {
type = 1
website = {
redirect_all_requests_to = {
host_name = "${local.bucket_name}.s3-website-${data.aws_region.current.name}.amazonaws.com"
protocol = "http"
}
}
bucket_name = "www.${local.bucket_name}"
bucket_acl = "public-read"
}
logs = { logs = {
type = 2 type = 2
bucket_name = "${local.bucket_name}-logs" bucket_name = "${local.bucket_name}-logs"
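Review bot: `bucket_acl = "private"` still relies on ACLs being enabled on the bucket; since the public access block added in this commit ignores public ACLs anyway, the cleaner end state is to disable ACLs entirely via `aws_s3_bucket_ownership_controls` with `object_ownership = "BucketOwnerEnforced"` and drop the `bucket_acl` input, if the module can be extended that way. The `website = {…}` configuration kept on this bucket is no longer reached once CloudFront reads from the REST endpoint through the OAI, so it is presumably dead configuration unless something else still uses the website endpoint the module exports. Removing the `www-website` redirect bucket is consistent with adding `www.` as a CloudFront alias, provided the certificate in `module.acm` covers that name. The `locals` block starts before and ends after the hunk.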


@ -12,13 +12,20 @@ module "route53" {
zone_name = local.domain zone_name = local.domain
records = { records = {
record = { root = {
name = local.domain name = local.domain
type = "A" type = "A"
alias = { alias = {
name = module.cloudfront.distribution_domain_name name = module.cloudfront.distribution_domain_name
zone_id = module.cloudfront.distribution_hosted_zone_id zone_id = module.cloudfront.distribution_hosted_zone_id
} }
},
www = {
name = "www.${local.domain}"
type = "A"
alias = {
name = local.domain
}
} }
} }
} }
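Review bot: The new `www` record's `alias` block gives only `name = local.domain` and no `zone_id`; `aws_route53_record` requires both for an alias (an alias to a record in the same hosted zone uses that zone's own ID), so unless the route53 module defaults `zone_id` to the zone it manages — not visible here — this fails at apply. The simpler shape is to alias `www` straight to the distribution exactly like `root`: `alias = { name = module.cloudfront.distribution_domain_name, zone_id = module.cloudfront.distribution_hosted_zone_id }`. If the distribution has IPv6 enabled, both names also want matching `AAAA` alias records. The `module "route53"` block starts before the hunk.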