fixes for website bucket deployment

cloudposse · Apr 21, 2021 · 390cb9e · 390cb9e
1 parent f70f215
commit 390cb9e
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/main.tf b/main.tf
@@ -125,6 +125,11 @@ resource "aws_iam_policy" "s3" {
   policy = join("", data.aws_iam_policy_document.s3.*.json)
 }
 
+data "aws_s3_bucket" "website" {
+  count  = local.enabled ? 1 : 0
+  bucket = var.website_bucket_name
+}
+
 data "aws_iam_policy_document" "s3" {
   count = local.enabled ? 1 : 0
 
@@ -136,12 +141,15 @@ data "aws_iam_policy_document" "s3" {
       "s3:GetObjectVersion",
       "s3:GetBucketVersioning",
       "s3:PutObject",
+      "s3:PutObjectAcl",
     ]
 
     resources = [
-      join("", aws_s3_bucket.default.*.arn),
+      "arn:aws:s3:::elasticbeanstalk*",
       "${join("", aws_s3_bucket.default.*.arn)}/*",
-      "arn:aws:s3:::elasticbeanstalk*"
+      join("", aws_s3_bucket.default.*.arn),
+      "${join("", data.aws_s3_bucket.website.*.arn)}/*",
+      join("", data.aws_s3_bucket.website.*.arn)
     ]
 
     effect = "Allow"
@@ -306,7 +314,7 @@ resource "aws_codepipeline" "default" {
         configuration = {
           BucketName = var.website_bucket_name
           Extract    = "true"
-          CannedACL  = "public-read"
+          CannedACL  = var.website_bucket_acl
         }
       }
     }

diff --git a/variables.tf b/variables.tf
@@ -183,3 +183,9 @@ variable "website_bucket_name" {
   default     = ""
   description = "Name of the S3 bucket where the website will be deployed"
 }
+
+variable "website_bucket_acl" {
+  type        = string
+  default     = "public-read"
+  description = "Canned ACL of the S3 bucket objects that get served as a website, can be private if using CloudFront with OAI"
+}