# ----------------------------------------------------------------------------------------------------------- # IAM User for Uploading resource "aws_iam_user" "s3" { name = "${var.site}-s3" path = "/${var.site}/" tags = { Site = var.site Category = "S3" } } resource "aws_iam_user_policy" "s3" { name = "test" user = aws_iam_user.s3.name policy = <<EOF { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudfront:CreateInvalidation", "cloudfront:GetInvalidation", "s3:PutAccountPublicAccessBlock", "s3:GetAccountPublicAccessBlock", "s3:ListAllMyBuckets", "s3:HeadBucket" ], "Resource": [ "${aws_cloudfront_distribution.site.arn}" ] } ] } EOF } # This writes the s3 access key and secret to the terraform state file resource "aws_iam_access_key" "s3" { user = aws_iam_user.s3.name } # output s3_access { # description = "S3 Upload User AccessKey" # value = "${aws_iam_access_key.s3.id}" # } # output s3_secret { # description = "S3 Upload User Secret" # value = "${aws_iam_access_key.s3.secret}" # } # ----------------------------------------------------------------------------------------------------------- # Site Source Code resource "aws_s3_bucket" "src" { bucket = var.domain tags = { Name = "Site Source" Site = var.site } } resource "aws_s3_bucket_acl" "src" { bucket = aws_s3_bucket.src.id acl = "public-read" } resource "aws_s3_bucket_website_configuration" "src" { bucket = aws_s3_bucket.src.bucket index_document { suffix = "index.html" } error_document { key = "404.html" } } resource "aws_s3_bucket_policy" "src" { bucket = aws_s3_bucket.src.bucket policy = <<POLICY { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "${aws_iam_user.s3.arn}" }, "Action": "s3:ListBucket", "Resource": "${aws_s3_bucket.src.arn}" }, { "Effect": "Allow", "Principal": { "AWS": "${aws_iam_user.s3.arn}" }, "Action": [ "s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl", "s3:DeleteObject", "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload" ], "Resource": "${aws_s3_bucket.src.arn}/*" }, { "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "${aws_s3_bucket.src.arn}/*" } ] } POLICY }