-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy paths3_bucket.tf
90 lines (69 loc) · 2.54 KB
/
s3_bucket.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
# private bucket
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
resource "aws_s3_bucket" "private" {
bucket = "startups-note-private-bucket" # 一意
# https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl
acl = "private" # 作成したAWSアカウントのみアクセス可能
# https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html
versioning {
enabled = true
}
# https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256" # SSE-S3
}
}
}
force_destroy = true # TODO: 本格運用時はfalse
}
resource "aws_s3_bucket_public_access_block" "private" {
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block
bucket = aws_s3_bucket.private.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
# public bucket
resource "aws_s3_bucket" "public" {
bucket = "startups-note-public-bucket"
acl = "public-read" # 作成したAWSアカウントアクセス可能 & インターネットから読み込み可能
cors_rule {
allowed_origins = ["https://${var.domain}"]
allowed_methods = ["GET"]
allowed_headers = ["*"]
max_age_seconds = 3000
}
force_destroy = true # TODO: 本格運用時はfalse
}
# log bucket
resource "aws_s3_bucket" "alb_log" {
bucket = "startups-note-alb-lob-bucket"
lifecycle_rule {
enabled = true # Enable versioning
expiration {
days = "7" # TODO: 本格運用時は、法にのっとる
}
}
force_destroy = true # TODO: 本格運用時はfalse
}
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy
resource "aws_s3_bucket_policy" "alb_log" {
bucket = aws_s3_bucket.alb_log.id
policy = data.aws_iam_policy_document.alb_log.json
}
data "aws_iam_policy_document" "alb_log" {
statement {
effect = "Allow"
actions = ["s3:PutObject"]
resources = ["arn:aws:s3:::${aws_s3_bucket.alb_log.id}/*"]
principals {
type = "AWS" # AWSリソース対象
# NOTE: 記述方法変えたら一旦applyできた(https://qiita.com/stakakey/items/ca54f8c7bba6723c7eed)
identifiers = [data.aws_elb_service_account.main.arn] # 東京リージョン(ap-northeast-1)のELBアカウントID(582318560864)
}
}
}
data "aws_elb_service_account" "main" {}