-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathstaging-s3.tf
51 lines (42 loc) · 1.4 KB
/
staging-s3.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
# S3 configuration required to host the CID staging environment
# Create a policy for the S3 bucket that allows CloudFront to read objects.
data "aws_iam_policy_document" "read_cid_bucket_staging" {
statement {
actions = ["s3:GetObject"]
resources = ["${aws_s3_bucket.cid_bucket_staging.arn}/*"]
principals {
type = "AWS"
identifiers = [aws_cloudfront_origin_access_identity.retriever_poc.iam_arn]
}
}
statement {
actions = ["s3:ListBucket"]
resources = [aws_s3_bucket.cid_bucket_staging.arn]
principals {
type = "AWS"
identifiers = [aws_cloudfront_origin_access_identity.retriever_poc.iam_arn]
}
}
}
# Create a bucket for the JSON files.
resource "aws_s3_bucket" "cid_bucket_staging" {
bucket = "cid-bucket-staging"
}
# Add CORS to the bucket.
resource "aws_s3_bucket_cors_configuration" "cid_bucket_staging" {
bucket = aws_s3_bucket.cid_bucket_staging.id
cors_rule {
allowed_methods = ["GET"]
allowed_origins = ["*"]
}
}
# Add our CloudFront bucket policy.
resource "aws_s3_bucket_policy" "cid_bucket_staging" {
bucket = aws_s3_bucket.cid_bucket_staging.id
policy = data.aws_iam_policy_document.read_cid_bucket_staging.json
}
# Set the bucket to private. We expose this bucket later via CloudFront.
resource "aws_s3_bucket_acl" "cid_bucket_staging" {
bucket = aws_s3_bucket.cid_bucket_staging.id
acl = "private"
}