-
Notifications
You must be signed in to change notification settings - Fork 3
Expand file tree
/
Copy pathmodule_s3_bucket_static_assets.tf
More file actions
120 lines (98 loc) · 2.55 KB
/
module_s3_bucket_static_assets.tf
File metadata and controls
120 lines (98 loc) · 2.55 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
module "s3bucket_static_assets" {
source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip"
name = "static-assets"
aws_account_id = var.aws_account_id
region = "eu-west-2"
project = var.project
environment = var.environment
component = var.component
acl = "private"
force_destroy = var.force_destroy
versioning = true
lifecycle_rules = [
{
enabled = true
noncurrent_version_transition = [
{
noncurrent_days = "30"
storage_class = "STANDARD_IA"
}
]
noncurrent_version_expiration = {
noncurrent_days = "90"
}
abort_incomplete_multipart_upload = {
days = "1"
}
}
]
bucket_logging_target = {
bucket = local.acct.s3_buckets["access_logs"]["id"]
}
policy_documents = [
data.aws_iam_policy_document.static_assets_bucket_policy.json
]
public_access = {
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
default_tags = {
Name = "Digital Letters static assets bucket"
}
}
data "aws_iam_policy_document" "static_assets_bucket_policy" {
statement {
actions = ["s3:GetObject"]
resources = [
"${module.s3bucket_static_assets.arn}/*"
]
principals {
type = "AWS"
identifiers = [aws_cloudfront_origin_access_identity.static_assets.iam_arn]
}
}
statement {
actions = ["s3:ListBucket"]
resources = [
module.s3bucket_static_assets.arn
]
principals {
type = "AWS"
identifiers = [aws_cloudfront_origin_access_identity.static_assets.iam_arn]
}
}
statement {
effect = "Deny"
actions = ["s3:*"]
resources = [
module.s3bucket_static_assets.arn,
"${module.s3bucket_static_assets.arn}/*",
]
principals {
type = "AWS"
identifiers = ["*"]
}
condition {
test = "Bool"
variable = "aws:SecureTransport"
values = [
false
]
}
}
}
resource "aws_s3_bucket_cors_configuration" "static_assets" {
bucket = module.s3bucket_static_assets.bucket
cors_rule {
allowed_headers = ["Authorization"]
allowed_methods = ["GET"]
allowed_origins = ["*"]
expose_headers = ["ETag"]
max_age_seconds = 300
}
}
resource "aws_cloudfront_origin_access_identity" "static_assets" {
comment = "Used to access the s3 content for the ${module.s3bucket_static_assets.bucket} bucket"
}