# Data tier - S3
# Origin Access Identity that CloudFront presents when reading the data-tier
# bucket.  It is created only when the caller did not hand in an existing
# OAI path; otherwise count is 0 and the caller-supplied
# var.cloudfront_origin_access_identity_iam_arn is used in the bucket policy.
resource "aws_cloudfront_origin_access_identity" "identity" {
  # zero instances when an external OAI path is supplied, one otherwise
  count = var.cloudfront_origin_access_identity_path != "" ? 0 : 1

  comment = "CloudFront access to S3 bucket ${var.bucket_name}"
}
# Bucket policy for the data-tier bucket.  Both statements grant access to a
# single AWS principal: the OAI created above when no external OAI path was
# given, or the caller's var.cloudfront_origin_access_identity_iam_arn.  The
# concat(..., [""])[0] form yields "" instead of failing when the OAI
# resource has count = 0.
#
# NOTE(review): the "aws" partition is hard-coded in both resource ARNs, so
# this document is only valid in the standard commercial partition.
data "aws_iam_policy_document" "bucket_policy_document" {
  # Object reads, scoped to var.iam_policy_resources_path inside the bucket.
  statement {
    sid       = "1"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${var.bucket_name}${var.iam_policy_resources_path}"]

    principals {
      type = "AWS"
      identifiers = [
        var.cloudfront_origin_access_identity_path == "" ? concat(aws_cloudfront_origin_access_identity.identity[*].iam_arn, [""])[0] : var.cloudfront_origin_access_identity_iam_arn,
      ]
    }
  }

  # Bucket listing for the same principal.  s3:ListBucket lets CloudFront
  # surface 404 rather than 403 for missing keys, but it also means a request
  # for the bucket root through the distribution can return a key listing
  # unless a default root object is configured - confirm that is intended.
  statement {
    sid       = "2"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.bucket_name}"]

    principals {
      type = "AWS"
      identifiers = [
        var.cloudfront_origin_access_identity_path == "" ? concat(aws_cloudfront_origin_access_identity.identity[*].iam_arn, [""])[0] : var.cloudfront_origin_access_identity_iam_arn,
      ]
    }
  }
}
# Data-tier S3 bucket, created only when var.create_bucket is true, using the
# aliased aws.s3 provider and the region it resolves to.  Access for
# CloudFront comes from the rendered bucket_policy_document above.
#
# NOTE(review): the block declares no server_side_encryption_configuration,
# versioning or public-access-block settings, and var.bucket_acl is applied
# as given - confirm the ACL is private and that encryption/versioning are
# handled elsewhere if required.  force_destroy deletes all objects on
# destroy when var.bucket_force_destroy is true.  The region argument was
# removed from aws_s3_bucket in AWS provider v3 - check the pinned provider.
resource "aws_s3_bucket" "bucket" {
  count    = var.create_bucket ? 1 : 0
  provider = aws.s3

  bucket        = var.bucket_name
  region        = data.aws_region.s3_region.name
  acl           = var.bucket_acl
  force_destroy = var.bucket_force_destroy
  policy        = data.aws_iam_policy_document.bucket_policy_document.json
  tags          = var.standard_tags

  # Browser CORS: allow the distribution's own FQDN and aliases plus any
  # caller-supplied extra origins, with blanks and duplicates dropped.
  cors_rule {
    allowed_headers = var.bucket_cors_allowed_headers
    allowed_methods = var.bucket_cors_allowed_methods
    allowed_origins = distinct(
      compact(
        concat(
          [var.cloudfront_fqdn],
          var.cloudfront_aliases,
          var.bucket_cors_extra_allowed_origins,
        )
      )
    )
    expose_headers  = var.bucket_cors_expose_headers
    max_age_seconds = var.bucket_cors_max_age_seconds
  }
}
# outputs from data tier
# IAM ARN of the OAI created by this module, or "" when the OAI resource has
# count = 0 (an external OAI path was supplied).
output "cloudfront_origin_access_identity_iam_arn" {
  value = concat(aws_cloudfront_origin_access_identity.identity[*].iam_arn, [""])[0]
}
# CloudFront access identity path of the OAI created by this module, or ""
# when the OAI resource has count = 0 (an external OAI path was supplied).
output "cloudfront_origin_access_identity_path" {
  value = concat(aws_cloudfront_origin_access_identity.identity[*].cloudfront_access_identity_path, [""])[0]
}
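# Name (id) of the bucket created by this module, or "" when
# var.create_bucket is false and aws_s3_bucket.bucket has count = 0.
# Uses the same concat/element pattern as the OAI outputs so that the
# output does not fail on an empty list the way aws_s3_bucket.bucket.0.id
# does when no bucket is created.
output "s3_bucket_name" {
  value = element(
    concat(
      aws_s3_bucket.bucket.*.id,
      [""],
    ),
    0,
  )
}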