Fixed first version of redirect and S3 policies

2024-04-23 20:17:51 +02:00
parent fc03ef8ecd
commit 2cdc051191
2 changed files with 80 additions and 21 deletions
--- a/master.tf
+++ b/master.tf
@@ -17,6 +17,12 @@ resource "aws_vpc" "vpc_standout" {
  cidr_block = "10.0.0.0/16"
 }

+# create an s3 bucket for config
+resource "aws_s3_bucket" "s3_standout_config" {
+  bucket = "standout-config"
+  force_destroy = false
+}
+
 # create an s3 bucket for data
 resource "aws_s3_bucket" "s3_standout" {
  bucket = "standout-data"
@@ -30,11 +36,27 @@ resource "aws_s3_bucket_ownership_controls" "s3_standout_ownership" {
  }
 }

+resource "aws_s3_bucket_ownership_controls" "s3_standout_config_ownership" {
+  bucket = aws_s3_bucket.s3_standout_config.id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
 resource "aws_s3_bucket_public_access_block" "s3_standout_public_access" {
  bucket = aws_s3_bucket.s3_standout.id

-  block_public_acls       = true
-  block_public_policy     = true
+  block_public_acls       = false
+  block_public_policy     = false
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_public_access_block" "s3_standout_config_public_access" {
+  bucket = aws_s3_bucket.s3_standout_config.id
+
+  block_public_acls       = false
+  block_public_policy     = false
  ignore_public_acls      = true
  restrict_public_buckets = true
 }
@@ -54,6 +76,30 @@ resource "aws_s3_bucket_policy" "s3_standout_policy" {
  policy = data.aws_iam_policy_document.s3_standout_allow_lambda.json
 }

+resource "aws_s3_bucket_policy" "s3_standout_config_policy" {
+  bucket = aws_s3_bucket.s3_standout_config.id
+  policy = data.aws_iam_policy_document.s3_standout_config_allow_lambda.json
+}
+
+data "aws_iam_policy_document" "s3_standout_config_allow_lambda" {
+  statement {
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions = [
+      "s3:Get*",
+      "s3:List*",
+      "s3:Put*",
+    ]
+
+    resources = [
+      "${aws_s3_bucket.s3_standout_config.arn}/*",
+    ]
+  }
+}
+
 data "aws_iam_policy_document" "s3_standout_allow_lambda" {
  statement {
    principals {
@@ -64,7 +110,7 @@ data "aws_iam_policy_document" "s3_standout_allow_lambda" {
    actions = [
      "s3:Get*",
      "s3:List*",
-      "s3:Put*"
+      "s3:Put*",
    ]

    resources = [
@@ -108,13 +154,16 @@ resource "aws_lambda_function" "lambda_standout_redirect" {

  source_code_hash = data.archive_file.lambda_standout_code.output_base64sha256

-  runtime = "python3.10"
+  runtime = "python3.12"

-  #environment {
-  #  variables = {
-  #    foo = "bar"
-  #  }
-  #}
+  timeout = 10
+
+  environment {
+    variables = {
+      BUCKET_CONFIG = aws_s3_bucket.s3_standout_config.bucket,
+      BUCKET_DATA = aws_s3_bucket.s3_standout.bucket
+    }
+  }
 }

 # create API gateway for lambda triger and connect