# Bucket that stores the test results; the name is supplied by var.s3_bucket_name.
# NOTE(review): this file declares no aws_s3_bucket_versioning and no
# aws_s3_bucket_server_side_encryption_configuration for the bucket. Confirm whether
# encryption/versioning are managed elsewhere or intentionally left at the service defaults.
resource "aws_s3_bucket" "test_results_bucket" {
  bucket = var.s3_bucket_name
}
# Bucket ACL with a single FULL_CONTROL grant to the bucket owner's canonical user id
# (effectively the "private" canned ACL). Nothing in this ACL grants public access.
# NOTE(review): aws_s3_bucket_acl can only be applied when the bucket's object ownership
# setting still permits ACLs (i.e. not BucketOwnerEnforced). No aws_s3_bucket_ownership_controls
# resource is visible in this file — confirm one exists elsewhere, or that the bucket predates
# the ACLs-disabled default for new buckets; otherwise this resource fails to apply.
resource "aws_s3_bucket_acl" "test_results_acl" {
  bucket = aws_s3_bucket.test_results_bucket.id

  access_control_policy {
    grant {
      grantee {
        id   = data.aws_canonical_user_id.current.id
        type = "CanonicalUser"
      }
      permission = "FULL_CONTROL"
    }

    owner {
      id = data.aws_canonical_user_id.current.id
    }
  }
}
# CORS rule for browser clients: any origin, any request header, and all listed methods
# (including PUT and DELETE).
# CORS is not an authorization control — access is gated by the bucket policy in this file —
# but allowed_origins = ["*"] also means a page served from any origin can drive cross-origin
# PUT/DELETE requests from a browser that sits inside the allowed source IP range, because the
# preflight will succeed. If the origin(s) that serve the UI are known, narrow allowed_origins
# to those values.
resource "aws_s3_bucket_cors_configuration" "test_results_bucket_cors" {
  bucket = aws_s3_bucket.test_results_bucket.bucket

  cors_rule {
    allowed_headers = ["*"]
    allowed_methods = [
      "POST", "GET", "PUT", "DELETE", "HEAD"
    ]
    allowed_origins = ["*"]
  }
}
# Public-access guard rails for the bucket.
# block_public_acls = false together with ignore_public_acls = true means requests that SET a
# public ACL (the bucket policy in this file allows s3:PutObjectAcl) are accepted, but any public
# ACL is ignored when access is evaluated, so objects cannot become publicly readable via ACLs.
# NOTE(review): if no client actually needs to write public ACLs, block_public_acls = true is the
# safer setting; the current value looks like a deliberate compatibility choice for the uploading
# client — confirm that before changing it.
# block_public_policy and restrict_public_buckets stay enabled. The IP-conditioned bucket policy in
# this file is not classed as "public" by S3 and is therefore still accepted, provided the prefix
# list does not contain an all-addresses range such as 0.0.0.0/0.
resource "aws_s3_bucket_public_access_block" "sorry_cypress" {
  bucket = aws_s3_bucket.test_results_bucket.id

  block_public_acls       = false
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
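# Retention: every object in the bucket expires var.test_results_retention days after creation.
# The rule carries an explicit empty `filter {}` so that its "all objects" scope is stated rather
# than implied; recent AWS provider releases warn when a rule has neither `filter` nor `prefix`.
resource "aws_s3_bucket_lifecycle_configuration" "tests_retention_policy" {
  bucket = aws_s3_bucket.test_results_bucket.bucket

  rule {
    id     = "retention_policy"
    status = "Enabled"

    # Empty filter = the rule applies to every object in the bucket.
    filter {}

    expiration {
      days = var.test_results_retention
    }
  }
}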
# Attaches the IP-restricted policy rendered by
# data.aws_iam_policy_document.allow_access_from_prefix_list to the bucket.
# Terraform orders this resource after the bucket only, not after the public access block in this
# file. That is harmless today because the policy is IP-conditioned rather than public; if the
# policy is ever widened, add `depends_on = [aws_s3_bucket_public_access_block.sorry_cypress]`
# so block_public_policy is in force before the policy is written.
resource "aws_s3_bucket_policy" "allow_access_from_prefix_list" {
  bucket = aws_s3_bucket.test_results_bucket.id
  policy = data.aws_iam_policy_document.allow_access_from_prefix_list.json
}
# Managed prefix list (id from var.prefix_list) whose CIDR entries become the allowed source IPs
# in the bucket policy. Whoever can modify that prefix list effectively controls who can reach
# the bucket, so its write permissions are part of this bucket's access control.
data "aws_ec2_managed_prefix_list" "prefix_list" {
  id = var.prefix_list
}
# Bucket policy document: a single Allow statement (effect defaults to "Allow") that lets ANY
# principal — anonymous or any AWS account — read, write, list and set object ACLs, but only when
# the request's source IP falls inside the prefix list's CIDR entries.
# Caveats for operators:
#  - aws:SourceIp is the public address seen by S3. Requests that arrive through a VPC endpoint
#    carry aws:VpcSourceIp / aws:SourceVpce instead and will NOT match this condition.
#  - s3:PutObjectAcl allows callers to rewrite per-object ACLs; public ACLs are neutralised by
#    ignore_public_acls in the public access block in this file.
#  - There is no Deny on aws:SecureTransport = false; add one if HTTPS-only access is required.
data "aws_iam_policy_document" "allow_access_from_prefix_list" {
  statement {
    sid = "AllowAccessFromPrefixList"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions = [
      "s3:PutObject",
      "s3:PutObjectAcl",
      "s3:GetObjectAcl",
      "s3:GetObject",
      "s3:ListBucket"
    ]

    # ListBucket applies to the bucket ARN; the object actions apply to every key under it.
    resources = [
      aws_s3_bucket.test_results_bucket.arn,
      "${aws_s3_bucket.test_results_bucket.arn}/*"
    ]

    # All CIDR entries of the managed prefix list are splatted into the IpAddress condition.
    condition {
      test     = "IpAddress"
      variable = "aws:SourceIp"
      values   = data.aws_ec2_managed_prefix_list.prefix_list.entries[*].cidr
    }
  }
}