UPD: added AllowSSLRequestsOnly bucket policy statement

xpk 2023-03-25 12:36:54 +08:00
parent d2ddc8dcf1
commit 9ecb677dde
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86


@ -86,13 +86,25 @@ resource "aws_s3_bucket_policy" "bucket-policy" {
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::${var.bucket-name}/*",
"arn:aws:s3:::${var.bucket-name}-tfstate"
"arn:aws:s3:::${var.bucket-name}"
],
"Principal": {
"AWS": [
"arn:aws:iam::${data.aws_caller_identity.this.account_id}:root"
]
}
},
{
"Sid": "AllowSSLRequestsOnly",
"Action": "s3:*",
"Effect": "Deny",
"Resource": "arn:aws:s3:::${var.bucket-name}/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Principal": "*"
}
]
}
@ -116,4 +128,4 @@ resource "aws_dynamodb_table" "tfstate-lock-table" {
}
}
data aws_caller_identity this {}
data "aws_caller_identity" "this" {}
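Review bot: The new AllowSSLRequestsOnly Deny statement in the first hunk names only `arn:aws:s3:::${var.bucket-name}/*` as its Resource, so it blocks unencrypted object operations but not bucket-level calls (s3:ListBucket, s3:GetBucketPolicy, s3:PutBucketPolicy and the like), which IAM evaluates against the bare bucket ARN and which therefore remain reachable over plain HTTP. The Allow statement directly above it already lists both the bucket ARN and the `/*` ARN, and the deny should cover the same pair: `"Resource": ["arn:aws:s3:::${var.bucket-name}", "arn:aws:s3:::${var.bucket-name}/*"],`. With `"Principal": "*"` the deny applies to the account root granted in the Allow statement as well, which is the intended effect of this control but worth stating in the commit description so nobody later scopes it down. The enclosing `aws_s3_bucket_policy` resource starts before the hunk and its heredoc terminator and closing brace fall after it.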