Updating terraform with s3 policy

2020-07-17 00:32:27 +01:00
parent 9785d6648c
commit 79ebc1dc2b
5 changed files with 6 additions and 12 deletions
--- a/infrastructure/main.tf
+++ b/infrastructure/main.tf
@@ -35,7 +35,7 @@ module "cloudfront_s3_cdn" {
        "Effect":"Allow",
        "Principal": "*",
        "Action":["s3:GetObject"],
-        "Resource": "arn:aws:s3:::${var.bucket_name}/*"
+        "Resource": "arn:aws:s3:::${module.cloudfront_s3_cdn.s3_bucket}/*"
      }
    ]
  }
--- a/infrastructure/terraform.tfstate.d/prod-eu-west-1/terraform.tfstate
+++ b/infrastructure/terraform.tfstate.d/prod-eu-west-1/terraform.tfstate
@@ -1,7 +1,7 @@
 {
  "version": 4,
  "terraform_version": "0.12.26",
-  "serial": 90,
+  "serial": 97,
  "lineage": "cda52006-90fc-4aec-a630-42e69057b365",
  "outputs": {
    "cf_arn": {
--- a/infrastructure/terraform.tfstate.d/prod-eu-west-1/terraform.tfstate.backup
+++ b/infrastructure/terraform.tfstate.d/prod-eu-west-1/terraform.tfstate.backup
@@ -1,7 +1,7 @@
 {
  "version": 4,
  "terraform_version": "0.12.26",
-  "serial": 88,
+  "serial": 95,
  "lineage": "cda52006-90fc-4aec-a630-42e69057b365",
  "outputs": {
    "cf_arn": {
@@ -50,7 +50,7 @@
          "attributes": {
            "id": "1149999058",
            "json": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"S3GetObjectForCloudFront\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"s3:GetObject\",\n      \"Resource\": \"arn:aws:s3:::${bucket_name}${origin_path}*\",\n      \"Principal\": {\n        \"AWS\": \"${cloudfront_origin_access_identity_iam_arn}\"\n      }\n    },\n    {\n      \"Sid\": \"S3ListBucketForCloudFront\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"s3:ListBucket\",\n      \"Resource\": \"arn:aws:s3:::${bucket_name}\",\n      \"Principal\": {\n        \"AWS\": \"${cloudfront_origin_access_identity_iam_arn}\"\n      }\n    }\n  ]\n}",
-            "override_json": "{\n  \"Sid\":\"PublicRead\",\n  \"Effect\":\"Allow\",\n  \"Principal\": \"*\",\n  \"Action\":[\"s3:GetObject\"],\n  \"Resource\": \"arn:aws:s3:::prod-panaetius-blog-origin/*\"\n}\n",
+            "override_json": "{}",
            "policy_id": null,
            "source_json": null,
            "statement": [
@@ -116,7 +116,7 @@
          "attributes": {
            "id": "239689126",
            "json": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"S3GetObjectForCloudFront\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"s3:GetObject\",\n      \"Resource\": \"arn:aws:s3:::${bucket_name}${origin_path}*\",\n      \"Principal\": {\n        \"AWS\": \"*\"\n      }\n    }\n  ]\n}",
-            "override_json": "{\n  \"Sid\":\"PublicRead\",\n  \"Effect\":\"Allow\",\n  \"Principal\": \"*\",\n  \"Action\":[\"s3:GetObject\"],\n  \"Resource\": \"arn:aws:s3:::prod-panaetius-blog-origin/*\"\n}\n",
+            "override_json": "{}",
            "policy_id": null,
            "source_json": null,
            "statement": [
@@ -729,11 +729,10 @@
          "attributes": {
            "bucket": "prod-panaetius-blog-origin",
            "id": "prod-panaetius-blog-origin",
-            "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"S3GetObjectForCloudFront\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E21A7YWJ1RT3K5\"},\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::prod-panaetius-blog-origin/*\"},{\"Sid\":\"S3ListBucketForCloudFront\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E21A7YWJ1RT3K5\"},\"Action\":\"s3:ListBucket\",\"Resource\":\"arn:aws:s3:::prod-panaetius-blog-origin\"}]}"
+            "policy": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"S3GetObjectForCloudFront\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"s3:GetObject\",\n      \"Resource\": \"arn:aws:s3:::prod-panaetius-blog-origin/*\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E21A7YWJ1RT3K5\"\n      }\n    },\n    {\n      \"Sid\": \"S3ListBucketForCloudFront\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"s3:ListBucket\",\n      \"Resource\": \"arn:aws:s3:::prod-panaetius-blog-origin\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E21A7YWJ1RT3K5\"\n      }\n    }\n  ]\n}"
          },
          "private": "bnVsbA==",
          "dependencies": [
-            "module.cloudfront_s3_cdn.aws_cloudfront_origin_access_identity.default",
            "module.cloudfront_s3_cdn.aws_s3_bucket.origin"
          ]
        }
--- a/infrastructure/variables.tf
+++ b/infrastructure/variables.tf
@@ -14,10 +14,6 @@ variable "profile" {

 }

-variable "bucket_name" {
-
-}
-
 variable "acm_certificate_arn" {

 }
--- a/infrastructure/variables/prod-eu-west-1.tfvars
+++ b/infrastructure/variables/prod-eu-west-1.tfvars
@@ -2,7 +2,6 @@ name                = "panaetius-blog"
 region              = "eu-west-1"
 stage               = "prod"
 profile             = "admin"
-bucket_name         = "prod-panaetius-blog-origin"
 acm_certificate_arn = "arn:aws:acm:us-east-1:745437999005:certificate/60af49f0-07bb-4680-8f5b-3c9a33f756e5"
 parent_zone_id      = "Z05316671VABVSMAAF1RC"
 aliases             = ["panaetius.io"]