Merge pull request #15 from chris-qa-org/fix-add-cloudfront-read-policy-to-static-site-s3

Stretch96 · web-flow · commit f9d1e08887ad · 2023-04-22T00:59:27.000+01:00
Fix: Add CloudFront read policy to Static Site S3
diff --git a/locals.tf b/locals.tf
@@ -6,6 +6,7 @@ locals {
 
   s3_bucket_policy_statement_enforce_tls_path    = "${path.module}/policies/s3-bucket-policy-statements/enforce-tls.json.tpl"
   s3_bucket_policy_statement_log_delivery_access = "${path.module}/policies/s3-bucket-policy-statements/log-delivery-access.json.tpl"
+  s3_bucket_policy_statement_cloudfront_read     = "${path.module}/policies/s3-bucket-policy-statements/cloudfront-read.json.tpl"
   s3_bucket_policy_path                          = "${path.module}/policies/s3-bucket-policy.json.tpl"
 
   static_site_s3_acl               = var.static_site_s3_acl
@@ -16,12 +17,20 @@ locals {
       bucket_arn = aws_s3_bucket.static_site.arn
     }
   )
+  static_site_bucket_cloudfront_read_statement = templatefile(
+    local.s3_bucket_policy_statement_cloudfront_read,
+    {
+      bucket_arn     = aws_s3_bucket.static_site.arn,
+      cloudfront_arn = aws_cloudfront_distribution.static_site[0].arn
+    }
+  )
   static_site_bucket_policy = templatefile(
     local.s3_bucket_policy_path,
     {
       statement = <<EOT
       [
-      ${local.static_site_bucket_enforce_tls_statement}
+      ${local.static_site_bucket_enforce_tls_statement},
+      ${local.static_site_bucket_cloudfront_read_statement}
       ]
       EOT
     }
@@ -43,7 +52,6 @@ locals {
   cloudfront_static_site_http_version                = var.cloudfront_static_site_http_version
   cloudfront_static_site_default_cache_behaviour     = var.cloudfront_static_site_default_cache_behaviour
 
-
   enable_s3_access_logs              = var.enable_s3_access_logs
   enable_cloudfront_static_site_logs = var.enable_cloudfront_static_site_logs
   create_logs_bucket                 = local.enable_s3_access_logs || local.enable_cloudfront_static_site_logs
diff --git a/policies/s3-bucket-policy-statements/cloudfront-read.json.tpl b/policies/s3-bucket-policy-statements/cloudfront-read.json.tpl
@@ -2,7 +2,7 @@
   "Principal": {
     "Service": "cloudfront.amazonaws.com"
   },
-  "Action": "s3:GetObject"
+  "Action": "s3:GetObject",
   "Effect": "Allow",
   "Resource": "${bucket_arn}/*",
   "Condition": {

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ locals {`
`6`	`6`
`7`	`7`	`s3_bucket_policy_statement_enforce_tls_path = "${path.module}/policies/s3-bucket-policy-statements/enforce-tls.json.tpl"`
`8`	`8`	`s3_bucket_policy_statement_log_delivery_access = "${path.module}/policies/s3-bucket-policy-statements/log-delivery-access.json.tpl"`
	`9`	`+ s3_bucket_policy_statement_cloudfront_read = "${path.module}/policies/s3-bucket-policy-statements/cloudfront-read.json.tpl"`
`9`	`10`	`s3_bucket_policy_path = "${path.module}/policies/s3-bucket-policy.json.tpl"`
`10`	`11`
`11`	`12`	`static_site_s3_acl = var.static_site_s3_acl`
`@@ -16,12 +17,20 @@ locals {`
`16`	`17`	`bucket_arn = aws_s3_bucket.static_site.arn`
`17`	`18`	`}`
`18`	`19`	`)`
	`20`	`+ static_site_bucket_cloudfront_read_statement = templatefile(`
	`21`	`+ local.s3_bucket_policy_statement_cloudfront_read,`
	`22`	`+ {`
	`23`	`+ bucket_arn = aws_s3_bucket.static_site.arn,`
	`24`	`+ cloudfront_arn = aws_cloudfront_distribution.static_site[0].arn`
	`25`	`+ }`
	`26`	`+ )`
`19`	`27`	`static_site_bucket_policy = templatefile(`
`20`	`28`	`local.s3_bucket_policy_path,`
`21`	`29`	`{`
`22`	`30`	`statement = <<EOT`
`23`	`31`	`[`
`24`		`- ${local.static_site_bucket_enforce_tls_statement}`
	`32`	`+ ${local.static_site_bucket_enforce_tls_statement},`
	`33`	`+ ${local.static_site_bucket_cloudfront_read_statement}`
`25`	`34`	`]`
`26`	`35`	`EOT`
`27`	`36`	`}`
`@@ -43,7 +52,6 @@ locals {`
`43`	`52`	`cloudfront_static_site_http_version = var.cloudfront_static_site_http_version`
`44`	`53`	`cloudfront_static_site_default_cache_behaviour = var.cloudfront_static_site_default_cache_behaviour`
`45`	`54`
`46`		`-`
`47`	`55`	`enable_s3_access_logs = var.enable_s3_access_logs`
`48`	`56`	`enable_cloudfront_static_site_logs = var.enable_cloudfront_static_site_logs`
`49`	`57`	`create_logs_bucket = local.enable_s3_access_logs \|\| local.enable_cloudfront_static_site_logs`