
Commit 55f6e16

committed
restrict direct access to the website S3 bucket
1 parent 87bf8ad commit 55f6e16

3 files changed

+7
-4
lines changed


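--- a/03-site-estatico/terraform/cloudfront.tf
+++ b/03-site-estatico/terraform/cloudfront.tf
@@ -1,4 +1,4 @@
-resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {
+resource "aws_cloudfront_origin_access_identity" "this" {
 comment = local.domain
 }
 
@@ -38,7 +38,7 @@ resource "aws_cloudfront_distribution" "this" {
 origin_id = local.regional_domain
 
 s3_origin_config {
-origin_access_identity = aws_cloudfront_origin_access_identity.origin_access_identity.cloudfront_access_identity_path
+origin_access_identity = aws_cloudfront_origin_access_identity.this.cloudfront_access_identity_path
 }
 }
 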
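--- a/03-site-estatico/terraform/policy.json
+++ b/03-site-estatico/terraform/policy.json
@@ -5,7 +5,7 @@
 "Sid": "PublicReadForGetBucketObjects",
 "Effect": "Allow",
 "Principal": {
-"AWS": "*"
+"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${cdn_oai}"
 },
 "Action": "s3:GetObject",
 "Resource": "arn:aws:s3:::${bucket_name}/*"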

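--- a/03-site-estatico/terraform/s3.tf
+++ b/03-site-estatico/terraform/s3.tf
@@ -1,6 +1,9 @@
 data "template_file" "s3-public-policy" {
 template = file("policy.json")
-vars = { bucket_name = local.domain }
+vars = {
+bucket_name = local.domain
+cdn_oai = aws_cloudfront_origin_access_identity.this.id
+}
 }
 
 module "logs" {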
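Review bot: The new `cdn_oai` line passes the bare OAI id and leaves policy.json to assemble the `arn:aws:iam::cloudfront:user/...` principal by hand; the `aws_cloudfront_origin_access_identity` resource already exposes the finished ARN, so `cdn_oai = aws_cloudfront_origin_access_identity.this.iam_arn` with `"AWS": "${cdn_oai}"` in the template is shorter and cannot drift into a malformed principal. The data source is still named `s3-public-policy` although the rendered document now grants `s3:GetObject` only to the OAI; rename it or add a header comment such as `# Bucket policy: s3:GetObject for the CloudFront OAI only (no public read)`. Pre-existing but worth noting: `template_file` comes from the deprecated hashicorp/template provider and `file("policy.json")` resolves against the working directory rather than the module, both of which `templatefile("${path.module}/policy.json", {...})` would remove. The `aws_s3_bucket_policy` that consumes this rendered document is not in the hunk, so whether it is actually attached cannot be confirmed here.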
