refactor: s3 Stack lifecycle

ayuki-joto · ayuki-joto · commit 21f65e051b62 · 2025-09-12T15:57:34.000+08:00
diff --git a/bin/decidim-cfj-cdk.ts b/bin/decidim-cfj-cdk.ts
@@ -9,7 +9,6 @@ import {ElasticacheStack} from "../lib/elasticache-stack";
 import {DecidimStack} from "../lib/decidim-stack";
 import {CloudFrontStack} from "../lib/cloudfront";
 import {Tags} from 'aws-cdk-lib';
-import {S3PolicyStack} from "../lib/s3-policy";
 
 const app = new cdk.App();
 
@@ -99,13 +98,6 @@ const distribution = new CloudFrontStack(app, `${stage}${serviceName}CloudFrontS
 distribution.addDependency(service)
 distribution.addDependency(s3Stack)
 
-new S3PolicyStack(app, `${stage}${serviceName}S3PolicyStack`, {
-    stage,
-    serviceName,
-    env,
-    bucket: s3Stack.bucket
-})
-
 Tags.of(app).add('Project', 'Decidim')
 Tags.of(app).add('Repository', 'decidim-cfj-cdk')
 Tags.of(app).add('GovernmentName', 'code4japan')
diff --git a/lib/s3-policy.ts b/lib/s3-policy.ts
diff --git a/lib/s3-stack.ts b/lib/s3-stack.ts
@@ -1,4 +1,4 @@
-import {aws_s3, RemovalPolicy, Stack} from "aws-cdk-lib";
+import {aws_iam as iam, aws_s3, aws_ssm as ssm, RemovalPolicy, Stack} from "aws-cdk-lib";
 import {Construct} from "constructs";
 import {BaseStackProps} from "./props";
 import {HttpMethods} from "aws-cdk-lib/aws-s3";
@@ -34,5 +34,18 @@ export class S3Stack extends Stack {
                 }
             ]
         });
+
+        const distArn = ssm.StringParameter.valueForStringParameter(
+            this, `/decidim-cfj/${props.stage}/CLOUDFRONT_DISTRIBUTION_ARN`
+        );
+
+        this.bucket.addToResourcePolicy(new iam.PolicyStatement({
+            sid: "AllowCloudFrontOACRead",
+            effect: iam.Effect.ALLOW,
+            principals: [ new iam.ServicePrincipal("cloudfront.amazonaws.com") ],
+            actions: ["s3:GetObject"],
+            resources: [ `${this.bucket.bucketArn}/*` ],
+            conditions: { StringEquals: { "AWS:SourceArn": distArn } },
+        }));
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-import {aws_s3, RemovalPolicy, Stack} from "aws-cdk-lib";`
	`1`	`+import {aws_iam as iam, aws_s3, aws_ssm as ssm, RemovalPolicy, Stack} from "aws-cdk-lib";`
`2`	`2`	`import {Construct} from "constructs";`
`3`	`3`	`import {BaseStackProps} from "./props";`
`4`	`4`	`import {HttpMethods} from "aws-cdk-lib/aws-s3";`
`@@ -34,5 +34,18 @@ export class S3Stack extends Stack {`
`34`	`34`	`}`
`35`	`35`	`]`
`36`	`36`	`});`
	`37`	`+`
	`38`	`+ const distArn = ssm.StringParameter.valueForStringParameter(`
	`39`	+ this, `/decidim-cfj/${props.stage}/CLOUDFRONT_DISTRIBUTION_ARN`
	`40`	`+ );`
	`41`	`+`
	`42`	`+ this.bucket.addToResourcePolicy(new iam.PolicyStatement({`
	`43`	`+ sid: "AllowCloudFrontOACRead",`
	`44`	`+ effect: iam.Effect.ALLOW,`
	`45`	`+ principals: [ new iam.ServicePrincipal("cloudfront.amazonaws.com") ],`
	`46`	`+ actions: ["s3:GetObject"],`
	`47`	+ resources: [ `${this.bucket.bucketArn}/*` ],
	`48`	`+ conditions: { StringEquals: { "AWS:SourceArn": distArn } },`
	`49`	`+ }));`
`37`	`50`	`}`
`38`	`51`	`}`