-
Notifications
You must be signed in to change notification settings - Fork 1
/
s3.tf
127 lines (105 loc) · 3.22 KB
/
s3.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
resource "aws_s3_bucket" "bucket" {
bucket = "${data.aws_caller_identity.current.account_id}-site-${local.site_name_dashes}-${var.deployment}"
force_destroy = var.allow_bucket_force_destroy
}
resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" {
bucket = aws_s3_bucket.bucket.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
resource "aws_s3_bucket_ownership_controls" "bucket" {
bucket = aws_s3_bucket.bucket.id
rule {
object_ownership = "BucketOwnerEnforced"
}
}
resource "aws_s3_bucket_public_access_block" "bucket" {
bucket = aws_s3_bucket.bucket.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket" "bucket_logging" {
bucket = "${data.aws_caller_identity.current.account_id}-site-${local.site_name_dashes}-${var.deployment}-logs"
force_destroy = var.allow_bucket_force_destroy
}
resource "aws_s3_bucket_lifecycle_configuration" "bucket_logging" {
bucket = aws_s3_bucket.bucket_logging.id
rule {
id = "RetentionPolicyinDays"
status = "Enabled"
expiration {
days = var.log_expiration
}
}
}
resource "aws_s3_bucket_public_access_block" "bucket_logging" {
bucket = aws_s3_bucket.bucket_logging.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_server_side_encryption_configuration" "bucket_logging" {
bucket = aws_s3_bucket.bucket_logging.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
resource "aws_s3_bucket_ownership_controls" "bucket_logging" {
bucket = aws_s3_bucket.bucket_logging.id
rule {
object_ownership = "BucketOwnerPreferred"
}
}
resource "aws_s3_bucket_policy" "site_bucket_policy" {
bucket = aws_s3_bucket.bucket.bucket
policy = jsonencode(
{
Version = "2012-10-17"
Id = "BUCKETPOLICY"
Statement = [
{
Sid = "AllowCloudFrontServicePrincipal"
Effect = "Allow"
Principal = {
Service = "cloudfront.amazonaws.com"
}
Action = [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetBucketLocation",
"s3:ListBucket"
]
Resource = [
"arn:aws:s3:::${aws_s3_bucket.bucket.bucket}",
"arn:aws:s3:::${aws_s3_bucket.bucket.bucket}/*"
]
Condition = {
StringEquals = {
"AWS:SourceArn" = aws_cloudfront_distribution.site.arn
}
}
}
]
})
depends_on = [
aws_s3_bucket_public_access_block.bucket
]
}
# Enable cache invalidation on the S3 object creation of the invalidate_cache.txt file
resource "aws_s3_bucket_notification" "cache_invalidation_notification" {
bucket = aws_s3_bucket.bucket.bucket
lambda_function {
lambda_function_arn = aws_lambda_function.cloudfront_cache_invalidation.arn
events = ["s3:ObjectCreated:*"]
filter_prefix = "invalidate_cache.txt"
}
depends_on = [ aws_lambda_permission.allow_s3_to_invoke_lambda ]
}