
Merge pull request asfadmin#87 from asfadmin/rew/add-distribution-buc…
…ket-policy

Add distribution bucket policy resources
lindsleycj authored Aug 23, 2023
2 parents a409787 + 9eefee3 commit b149bd6
Showing 3 changed files with 48 additions and 1 deletion.
3 changes: 2 additions & 1 deletion CHANGELOG.md
@@ -1,11 +1,12 @@

# CHANGELOG


## v17.0.0.0
* Upgrade to [Cumulus v17.0.0](https://github.com/nasa/cumulus/releases/tag/v17.0.0)
* Upgrade terraform modules to use AWS provider version 5.0
* Remove data-migration1 from repo
* Add terraform resources to create bucket policies allowing CloudFront OAI's
read access to distribution buckets.

## v16.0.0.0

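--- a/daac/distribution_bucket_policy.tf
+++ b/daac/distribution_bucket_policy.tf
@@ -0,0 +1,41 @@
+data "aws_cloudfront_origin_access_identity" "distribution_cloudfront_oai" {
+for_each = toset(values(var.distribution_bucket_oais))
+
+id = each.key
+}
+
+data "aws_iam_policy_document" "distribution_bucket_policy_document" {
+for_each = var.distribution_bucket_oais
+
+statement {
+actions = ["s3:GetObject"]
+resources = ["arn:aws:s3:::${local.prefix}-${each.key}/*"]
+
+principals {
+type = "AWS"
+identifiers = [
+data.aws_cloudfront_origin_access_identity.distribution_cloudfront_oai[each.value].iam_arn
+]
+}
+}
+
+# Need ListBucket permissions so that missing keys will return 404 errors instead of 403
+statement {
+actions = ["s3:ListBucket"]
+resources = ["arn:aws:s3:::${local.prefix}-${each.key}"]
+
+principals {
+type = "AWS"
+identifiers = [
+data.aws_cloudfront_origin_access_identity.distribution_cloudfront_oai[each.value].iam_arn
+]
+}
+}
+}
+
+resource "aws_s3_bucket_policy" "distribution_bucket_policy" {
+for_each = var.distribution_bucket_oais
+
+bucket = "${local.prefix}-${each.key}"
+policy = try(data.aws_iam_policy_document.distribution_bucket_policy_document[each.key].json, null)
+}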
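Review bot: The `try(..., null)` on the `policy` argument of `aws_s3_bucket_policy` hides a lookup error instead of handling it: the resource requires a policy, so a null would only fail later at apply with a less useful message, and since the resource and the policy-document data source iterate the same `var.distribution_bucket_oais` keys the index cannot miss; prefer `policy = data.aws_iam_policy_document.distribution_bucket_policy_document[each.key].json`. The `s3:ListBucket` statement also grants the OAI the ability to list the whole bucket, and a request for the distribution root is, as far as I recall AWS documents it, answered with that listing unless the CloudFront distribution sets a default root object, which is worth stating next to the existing comment, e.g. `# ListBucket also exposes the bucket listing on the distribution root URL unless the distribution sets a default root object; confirm the distributions do.` Giving each statement a `sid` (for example `"AllowOAIGetObject"` and `"AllowOAIListBucket"`) would make the generated policy easier to audit in the console and in policy diffs. Note as well that this resource claims the whole bucket policy for each distribution bucket; if any other module or the Cumulus stack already manages a policy on these buckets the two will overwrite each other, which I cannot confirm from this diff.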
5 changes: 5 additions & 0 deletions daac/variables.tf
Expand Up @@ -36,6 +36,11 @@ variable "partner_bucket_names" {
default = []
}

variable "distribution_bucket_oais" {
type = map(any)
default = {}
}

variable "s3_replicator_target_bucket" {
type = string
default = null
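Review bot: `type = map(any)` on the new `distribution_bucket_oais` variable is looser than the way it is consumed: in daac/distribution_bucket_policy.tf its values are passed through `toset(values(...))` and then used as index keys into the OAI data source, and its keys are interpolated into bucket names, so both must be strings; `type = map(string)` would reject anything else at plan time instead of at apply. The variable also lacks a `description`, unlike what a reader needs to know which way round the map goes; something like `description = "Map of distribution bucket name suffix (appended to local.prefix with a hyphen) to the CloudFront OAI id that is granted s3:GetObject and s3:ListBucket on that bucket."` would do. The file continues beyond this hunk.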

