
Commit a05cffd

balihbaknysh
authored andcommitted
additional bucket policy (#52)
* additional bucket policy * fixed readme; added the ability to override the default bucket policy * also made it possible to include aws_cloudfront_origin_access_identity.default.iam_arn in the policy override
1 parent 6f16cec commit a05cffd


4 files changed

+34
-19
lines changed


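--- a/README.md
+++ b/README.md
@@ -105,6 +105,7 @@ Available targets:
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | acm_certificate_arn | Existing ACM Certificate ARN | string | `` | no |
+| additional_bucket_policy | Additional policies for the bucket. If included in the policies, the variables `$${bucket_name}`, `$${origin_path}` and `$${cloudfront_origin_access_identity_iam_arn}` will be substituted. It is also possible to override the default policy statements by providing statements with `S3GetObjectForCloudFront` and `S3ListBucketForCloudFront` sid. | string | `{}` | no |
 | aliases | List of FQDN's - Used to set the Alternate Domain Names (CNAMEs) setting on Cloudfront | list(string) | `<list>` | no |
 | allowed_methods | List of allowed methods (e.g. GET, PUT, POST, DELETE, HEAD) for AWS CloudFront | list(string) | `<list>` | no |
 | attributes | Additional attributes (e.g. `1`) | list(string) | `<list>` | no |
@@ -308,13 +309,13 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply
 |---|---|---|---|
 
 [osterman_homepage]: https://github.com/osterman
-[osterman_avatar]: https://github.com/osterman.png?size=150
+[osterman_avatar]: https://img.cloudposse.com/150x150/https://github.com/osterman.png
 [aknysh_homepage]: https://github.com/aknysh
-[aknysh_avatar]: https://github.com/aknysh.png?size=150
+[aknysh_avatar]: https://img.cloudposse.com/150x150/https://github.com/aknysh.png
 [Jamie-BitFlight_homepage]: https://github.com/Jamie-BitFlight
-[Jamie-BitFlight_avatar]: https://github.com/Jamie-BitFlight.png?size=150
+[Jamie-BitFlight_avatar]: https://img.cloudposse.com/150x150/https://github.com/Jamie-BitFlight.png
 [cliveza_homepage]: https://github.com/cliveza
-[cliveza_avatar]: https://github.com/cliveza.png?size=150
+[cliveza_avatar]: https://img.cloudposse.com/150x150/https://github.com/cliveza.png
 
 
 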
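--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -3,6 +3,7 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | acm_certificate_arn | Existing ACM Certificate ARN | string | `` | no |
+| additional_bucket_policy | Additional policies for the bucket. If included in the policies, the variables `$${bucket_name}`, `$${origin_path}` and `$${cloudfront_origin_access_identity_iam_arn}` will be substituted. It is also possible to override the default policy statements by providing statements with `S3GetObjectForCloudFront` and `S3ListBucketForCloudFront` sid. | string | `{}` | no |
 | aliases | List of FQDN's - Used to set the Alternate Domain Names (CNAMEs) setting on Cloudfront | list(string) | `<list>` | no |
 | allowed_methods | List of allowed methods (e.g. GET, PUT, POST, DELETE, HEAD) for AWS CloudFront | list(string) | `<list>` | no |
 | attributes | Additional attributes (e.g. `1`) | list(string) | `<list>` | no |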

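--- a/main.tf
+++ b/main.tf
@@ -13,23 +13,29 @@ resource "aws_cloudfront_origin_access_identity" "default" {
 }
 
 data "aws_iam_policy_document" "origin" {
+override_json = var.additional_bucket_policy
+
 statement {
+sid = "S3GetObjectForCloudFront"
+
 actions = ["s3:GetObject"]
 resources = ["arn:aws:s3:::$${bucket_name}$${origin_path}*"]
 
 principals {
 type = "AWS"
-identifiers = [aws_cloudfront_origin_access_identity.default.iam_arn]
+identifiers = ["$${cloudfront_origin_access_identity_iam_arn}"]
 }
 }
 
 statement {
+sid = "S3ListBucketForCloudFront"
+
 actions = ["s3:ListBucket"]
 resources = ["arn:aws:s3:::$${bucket_name}"]
 
 principals {
 type = "AWS"
-identifiers = [aws_cloudfront_origin_access_identity.default.iam_arn]
+identifiers = ["$${cloudfront_origin_access_identity_iam_arn}"]
 }
 }
 }
@@ -38,8 +44,9 @@ data "template_file" "default" {
 template = data.aws_iam_policy_document.origin.json
 
 vars = {
-origin_path = coalesce(var.origin_path, "/")
-bucket_name = local.bucket
+origin_path = coalesce(var.origin_path, "/")
+bucket_name = local.bucket
+cloudfront_origin_access_identity_iam_arn = aws_cloudfront_origin_access_identity.default.iam_arn
 }
 }
 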
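Review bot: With `override_json = var.additional_bucket_policy`, a caller statement that reuses the `S3GetObjectForCloudFront` or `S3ListBucketForCloudFront` sid replaces the module's statement wholesale, principal included, so an override carrying a broader principal (for example `"*"`) silently drops the OAI-only grant instead of narrowing it, and nothing in this data source checks that the replacement still names `$${cloudfront_origin_access_identity_iam_arn}`. Because the merged JSON is then rendered through `data.template_file.default` (second hunk), the caller's policy is also subject to the same `${...}` substitution as the default statements, so a literal `${` in it presumably needs escaping — worth stating at the point of use rather than only in the variable description. I'd add above the `override_json` line: `# Caller statements with the same sid as the two defaults below REPLACE them (principal included); review overrides for public or cross-account principals.`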

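--- a/variables.tf
+++ b/variables.tf
@@ -63,6 +63,12 @@ variable "use_regional_s3_endpoint" {
 default = false
 }
 
+variable "additional_bucket_policy" {
+type = string
+default = "{}"
+description = "Additional policies for the bucket. If included in the policies, the variables `$${bucket_name}`, `$${origin_path}` and `$${cloudfront_origin_access_identity_iam_arn}` will be substituted. It is also possible to override the default policy statements by providing statements with `S3GetObjectForCloudFront` and `S3ListBucketForCloudFront` sid."
+}
+
 variable "origin_bucket" {
 type = string
 default = ""
@@ -283,34 +289,34 @@ variable "custom_error_response" {
 # https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#custom-error-response-arguments
 type = list(object({
 error_caching_min_ttl = string
-error_code = string
-response_code = string
-response_page_path = string
+error_code = string
+response_code = string
+response_page_path = string
 }))
 
 description = "List of one or more custom error response element maps"
-default = []
+default = []
 }
 
 variable "lambda_function_association" {
 type = list(object({
-event_type = string
+event_type = string
 include_body = bool
-lambda_arn = string
+lambda_arn = string
 }))
 
 description = "A config block that triggers a lambda function with specific actions"
-default = []
+default = []
 }
 
 variable "web_acl_id" {
-type = string
-default = ""
+type = string
+default = ""
 description = "ID of the AWS WAF web ACL that is associated with the distribution"
 }
 
 variable "wait_for_deployment" {
-type = bool
-default = true
+type = bool
+default = true
 description = "When set to 'true' the resource will wait for the distribution status to change from InProgress to Deployed"
 }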
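Review bot: The description of the new `additional_bucket_policy` variable is ambiguous about escaping: inside this HCL string `$${bucket_name}` evaluates to `${bucket_name}`, but the generated README and docs/terraform.md tables in this commit reproduce the raw `$${bucket_name}` text, so a reader following the docs who writes `$${...}` into a policy loaded from a file would presumably get a literal, unsubstituted placeholder rather than the bucket name. I'd reword the description so it survives doc generation unchanged, e.g. `description = "... the placeholders bucket_name, origin_path and cloudfront_origin_access_identity_iam_arn, written as dollar-brace placeholders in the policy JSON, are substituted ..."`, and say explicitly that a statement whose sid matches one of the two defaults replaces that default entirely. The remaining hunk in this file is alignment-only whitespace.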
