storage.tf
# Eight-character random token used as the leading component of the
# generated bucket name. Because it ends up inside an S3 bucket name, only
# lowercase letters and digits are permitted: `upper` and `special` are
# switched off so the result is always all-lowercase alphanumeric.
# see https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string
resource "random_string" "suffix" {
  length  = 8
  special = false
  upper   = false
  lower   = true
  # NOTE(review): newer releases of the random provider spell this argument
  # `numeric`; `number` is the older name — keep it in step with the provider
  # version constraint, which is not declared in this file.
  number = true
}
# Generated fallback bucket name: the random suffix above, followed by three
# pet-name words, all joined with "-". It is only used when `var.bucket_name`
# is left empty (see the `locals` block below).
# see https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet
resource "random_pet" "bucket_name" {
  prefix    = random_string.suffix.result
  separator = "-"
  length    = 3
}
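# see https://www.terraform.io/language/values/locals
locals {
  # Effective bucket name: a caller-supplied `var.bucket_name` wins; when it is
  # empty the randomly generated pet name is used instead.
  # `coalesce` returns the first argument that is neither null nor "", so this
  # also tolerates a null `var.bucket_name` (the previous `length(...)` ternary
  # would have failed on null) and drops the redundant "${...}" wrapping.
  bucket_name = coalesce(var.bucket_name, random_pet.bucket_name.id)
}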
# The bucket that holds the shared objects. Its ACL, public-access settings,
# CloudFront bucket policy and lifecycle rule are attached by the separate
# resources further down in this file.
# NOTE(review): no versioning, server-side-encryption or access-logging
# resource is attached to this bucket in this file — confirm whether they are
# declared elsewhere or intentionally left out.
# see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
resource "aws_s3_bucket" "main" {
bucket = local.bucket_name
}
# Bucket-level canned ACL. "private" keeps the bucket itself owner-only;
# object-level ACLs (see the `aws_s3_object` resources below) are handled
# separately.
# NOTE(review): setting a bucket ACL only succeeds when the bucket's object
# ownership allows ACLs (ObjectWriter / BucketOwnerPreferred). Buckets created
# since April 2023 default to BucketOwnerEnforced, which rejects ACL calls —
# confirm an `aws_s3_bucket_ownership_controls` resource exists outside this
# file and that this resource is ordered after it.
# see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl
resource "aws_s3_bucket_acl" "main" {
  acl    = "private"
  bucket = aws_s3_bucket.main.id
}
# Public-access settings for the bucket. The four flags are deliberately not
# all `true`: sharing via Dropshare relies on objects being uploaded with a
# public ACL, so those uploads must not be rejected, while S3 is still told to
# disregard public ACLs when authorising reads.
# see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block
resource "aws_s3_bucket_public_access_block" "main" {
  bucket = aws_s3_bucket.main.id

  # -- ACLs --
  # Allow PUT requests that carry a public ACL (e.g. "public-read") to succeed
  # instead of being refused with an error.
  block_public_acls = false
  # ...but ignore public ACLs when evaluating access, so a public ACL on an
  # object does not by itself make it world-readable. Reads are expected to
  # come through CloudFront via the bucket policy below.
  ignore_public_acls = true

  # -- bucket policies --
  # Refuse any bucket policy that would grant public access, and limit access
  # under an already-public policy to principals inside this account.
  block_public_policy     = true
  restrict_public_buckets = true
}
# Bucket policy granting the CloudFront Origin Access Identity read access.
# The OAI resource (`awscc_cloudfront_cloudfront_origin_access_identity.main`)
# is declared outside this file; its id is interpolated into the legacy
# `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <id>`
# principal form. The statement is scoped to exactly that principal, so the
# policy is not a "public" policy and is compatible with
# `block_public_policy = true` above.
# NOTE(review): OAI is the older CloudFront mechanism; Origin Access Control
# (OAC) is the current recommendation — out of scope for this file.
# see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
data "aws_iam_policy_document" "bucket" {
  statement {
    sid    = "AllowCloudFrontOperationsOnBucketAndBucketObjects"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${awscc_cloudfront_cloudfront_origin_access_identity.main.id}"]
    }

    # GetObject serves the files; ListBucket on the bucket ARN presumably lets
    # CloudFront distinguish a missing key from a forbidden one — verify.
    actions = ["s3:ListBucket", "s3:GetObject"]

    # bucket ARN (for ListBucket) and every key under it (for GetObject)
    resources = [aws_s3_bucket.main.arn, "${aws_s3_bucket.main.arn}/*"]
  }
}
# Attach the CloudFront-only policy rendered by the data source above.
# see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy
resource "aws_s3_bucket_policy" "main" {
  policy = data.aws_iam_policy_document.bucket.json
  bucket = aws_s3_bucket.main.id
}
# Single lifecycle rule: every object is moved to `var.bucket_storage_class`
# once it is 30 days old. The rule has no `filter`/`prefix`, so it applies to
# the whole bucket.
# NOTE(review): recent AWS provider releases warn (and may eventually require)
# that a rule declare an explicit `filter {}`; check the pinned provider.
# NOTE(review): 30 days is the smallest age S3 accepts for transitions into the
# Infrequent-Access classes — keep this in mind if the day count is ever
# lowered or made configurable.
# see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration
resource "aws_s3_bucket_lifecycle_configuration" "main" {
  bucket = aws_s3_bucket.main.id

  rule {
    status = "Enabled"
    id     = "default"

    # see https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/s3_bucket#nested-schema-for-lifecycle_configurationrulestransitions
    transition {
      storage_class = var.bucket_storage_class
      days          = 30
    }
  }
}
# Optional index document, uploaded from `var.bucket_index_file` (a path
# relative to this module) and stored under its bare file name.
# see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object
resource "aws_s3_object" "index" {
  # created only when the toggle is on (0 instances otherwise)
  count = var.create_index_file ? 1 : 0

  bucket       = aws_s3_bucket.main.id
  content_type = "text/html"

  # full path on disk, and just the file name (with extension) as the key
  source = "${path.module}/${var.bucket_index_file}"
  key    = basename("${path.module}/${var.bucket_index_file}")

  # MD5 of the local file, used as the ETag so changes are detected on plan.
  # NOTE(review): S3 ETags are not plain MD5 for SSE-KMS encrypted objects;
  # if KMS encryption is configured elsewhere, prefer `source_hash`.
  etag = filemd5("${path.module}/${var.bucket_index_file}")

  # Object ACL. With `ignore_public_acls = true` on the bucket this ACL is not
  # used for authorisation; the object is served through CloudFront instead.
  # Also requires ACL-capable object ownership (see the bucket ACL note).
  acl = "public-read"
}
# Optional robots.txt, uploaded from `var.bucket_robotstxt_file` (a path
# relative to this module) and stored under its bare file name.
# see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object
resource "aws_s3_object" "robotstxt" {
  # created only when the toggle is on (0 instances otherwise)
  count = var.create_robotstxt_file ? 1 : 0

  bucket       = aws_s3_bucket.main.id
  content_type = "text/plain"

  # full path on disk, and just the file name (with extension) as the key
  source = "${path.module}/${var.bucket_robotstxt_file}"
  key    = basename("${path.module}/${var.bucket_robotstxt_file}")

  # MD5 of the local file, used as the ETag so changes are detected on plan.
  # NOTE(review): S3 ETags are not plain MD5 for SSE-KMS encrypted objects;
  # if KMS encryption is configured elsewhere, prefer `source_hash`.
  etag = filemd5("${path.module}/${var.bucket_robotstxt_file}")

  # Object ACL. With `ignore_public_acls = true` on the bucket this ACL is not
  # used for authorisation; the object is served through CloudFront instead.
  # Also requires ACL-capable object ownership (see the bucket ACL note).
  acl = "public-read"
}