From 390cb9ede4fd203e1f1010e19771ca8dccbc7836 Mon Sep 17 00:00:00 2001 From: Mihai PLESA Date: Wed, 21 Apr 2021 17:54:08 -0500 Subject: [PATCH] fixes for website bucket deployment --- main.tf | 14 +++++++++++--- variables.tf | 6 ++++++ 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index 50fd665..254a11b 100644 --- a/main.tf +++ b/main.tf @@ -125,6 +125,11 @@ resource "aws_iam_policy" "s3" { policy = join("", data.aws_iam_policy_document.s3.*.json) } +data "aws_s3_bucket" "website" { + count = local.enabled ? 1 : 0 + bucket = var.website_bucket_name +} + data "aws_iam_policy_document" "s3" { count = local.enabled ? 1 : 0 @@ -136,12 +141,15 @@ data "aws_iam_policy_document" "s3" { "s3:GetObjectVersion", "s3:GetBucketVersioning", "s3:PutObject", + "s3:PutObjectAcl", ] resources = [ - join("", aws_s3_bucket.default.*.arn), + "arn:aws:s3:::elasticbeanstalk*", "${join("", aws_s3_bucket.default.*.arn)}/*", - "arn:aws:s3:::elasticbeanstalk*" + join("", aws_s3_bucket.default.*.arn), + "${join("", data.aws_s3_bucket.website.*.arn)}/*", + join("", data.aws_s3_bucket.website.*.arn) ] effect = "Allow" @@ -306,7 +314,7 @@ resource "aws_codepipeline" "default" { configuration = { BucketName = var.website_bucket_name Extract = "true" - CannedACL = "public-read" + CannedACL = var.website_bucket_acl } } } diff --git a/variables.tf b/variables.tf index 2819a55..f9c5654 100644 --- a/variables.tf +++ b/variables.tf @@ -183,3 +183,9 @@ variable "website_bucket_name" { default = "" description = "Name of the S3 bucket where the website will be deployed" } + +variable "website_bucket_acl" { + type = string + default = "public-read" + description = "Canned ACL of the S3 bucket objects that get served as a website, can be private if using CloudFront with OAI" +}
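Review bot: The new `data "aws_s3_bucket" "website"` is instantiated whenever `local.enabled` is true, but `var.website_bucket_name` defaults to `""` (variables.tf in this same patch), so enabling the module without a website bucket will most likely make the lookup fail at plan time instead of being a no-op as before. Guarding the count on the name, `count = local.enabled && var.website_bucket_name != "" ? 1 : 0`, keeps the old behaviour; note that the policy document in the next hunk then needs its `join("", data.aws_s3_bucket.website.*.arn)` entries wrapped in `compact([...])`, since an empty ARN (and `"/*"`) would make the IAM policy invalid. A short comment above the data source, `# Resolved so the pipeline role can be scoped to the exact website bucket ARN; empty when no website bucket is configured`, would make the intent clear.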
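Review bot: `s3:PutObjectAcl` is added to the single statement that already covers the module's own bucket and the `arn:aws:s3:::elasticbeanstalk*` wildcard, so the pipeline role can now rewrite ACLs (including to `public-read`) on objects in all of those buckets, while the only consumer visible in this patch is the website deploy action. Since S3 requires this action whenever a request carries an ACL header, it cannot simply be dropped for the `private` case, but it can be isolated in its own statement scoped to the website bucket's objects and pinned with the `s3:x-amz-acl` condition key to the configured ACL, so the role cannot mark objects more public than `var.website_bucket_acl`. This is worth a test run of the Deploy stage, as the condition-key behaviour is inferred rather than shown here. The enclosing `data "aws_iam_policy_document" "s3"` and its `actions = [` line start outside the hunk.
```hcl
  # … unchanged: existing statement, with "s3:PutObjectAcl" removed from its actions …

  # ACL writes are needed only by the website deploy action; pin them to the
  # configured canned ACL so the role cannot make objects more public than intended.
  statement {
    actions   = ["s3:PutObjectAcl"]
    resources = ["${join("", data.aws_s3_bucket.website.*.arn)}/*"]
    effect    = "Allow"

    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = [var.website_bucket_acl]
    }
  }
```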
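Review bot: The `CannedACL` setting is now operator-controlled but carries no hint about its operational consequences, which surface only when the Deploy stage runs. A comment above the line such as `# Applied to every object the deploy action writes; "public-read" requires the bucket's Block Public Access settings to allow public ACLs, otherwise the stage fails with AccessDenied, and "private" needs a bucket policy granting the CloudFront OAI s3:GetObject` would save the next maintainer a failed deployment. The Block Public Access interaction is inferred from S3 behaviour rather than from anything in this patch, so confirm it against the bucket configuration this module targets. The enclosing `resource "aws_codepipeline" "default"` begins before and ends after this hunk.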
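Review bot: `website_bucket_acl` is a free-form string, so a typo or an ACL the CodePipeline S3 deploy action does not accept is only caught when the Deploy stage fails, and the default remains `public-read`, presumably to keep existing users' behaviour (a `private` default would be the safer choice in a future major version). If the module already requires Terraform 0.13 or later, which this hunk does not show, a `validation` block restricting the value to the canned ACLs the deploy action accepts moves the error to plan time; the description should also state that the ACL applies per object written by the pipeline, not to the bucket itself.
```hcl
variable "website_bucket_acl" {
  # … unchanged: type, default, description …

  # Fail at plan time on anything that is not a canned ACL accepted by the
  # CodePipeline S3 deploy action.
  validation {
    condition = contains([
      "private", "public-read", "public-read-write", "authenticated-read",
      "aws-exec-read", "bucket-owner-read", "bucket-owner-full-control",
    ], var.website_bucket_acl)
    error_message = "The website_bucket_acl value must be a canned S3 ACL accepted by the CodePipeline S3 deploy action."
  }
}
```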