From f728769c96096cf69c0ca7e52400ebf95a0cdff6 Mon Sep 17 00:00:00 2001
From: dsk-minchulahn
Date: Mon, 5 Feb 2024 11:43:41 +0900
Subject: [PATCH] =?UTF-8?q?Terraform=20-=20Buckets=20-=20dsk-alert-images?=
 =?UTF-8?q?=20private=20=EC=9C=BC=EB=A1=9C=20=EB=B3=80=EA=B2=BD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 terraform/buckets/permissions.tf | 25 ++++++++++++++++++++++++-
 terraform/buckets/variables.tf | 4 ++--
 2 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/terraform/buckets/permissions.tf b/terraform/buckets/permissions.tf
index 5908e21..6b1d3c4 100644
--- a/terraform/buckets/permissions.tf
+++ b/terraform/buckets/permissions.tf
@@ -19,7 +19,18 @@ resource "aws_s3_bucket_public_access_block" "public_access_block" {
 restrict_public_buckets = false
 }
 
-resource "aws_s3_bucket_acl" "acl" {
+resource "aws_s3_bucket_public_access_block" "private_access_block" {
+ for_each = {for bucket, value in var.buckets : bucket => value if value.public_access == false}
+
+ bucket = aws_s3_bucket.bucket[each.key].id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_acl" "public_acl" {
 for_each = {for bucket, value in var.buckets : bucket => value if value.public_access == true}
 
 depends_on = [
@@ -31,6 +42,18 @@ resource "aws_s3_bucket_acl" "acl" {
 acl = "public-read"
 }
 
+resource "aws_s3_bucket_acl" "private_acl" {
+ for_each = {for bucket, value in var.buckets : bucket => value if value.public_access == false}
+
+ depends_on = [
+ aws_s3_bucket_ownership_controls.ownership,
+ aws_s3_bucket_public_access_block.private_access_block
+ ]
+
+ bucket = aws_s3_bucket.bucket[each.key].id
+ acl = "private"
+}
+
 resource "aws_s3_bucket_policy" "policy" {
 for_each = {for bucket, value in var.buckets : bucket => value if value.public_access == true}
 
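Review bot: `private_access_block` repeats `public_access_block` verbatim apart from the four booleans and the inverted `for_each` filter, so the two resources now have to be kept in sync by hand, and a bucket only gets a public-access-block at all if `public_access` is exactly `true` or `false` (its declared type is outside this hunk, so I am assuming `bool`). A single resource keyed on `var.buckets` that derives the four flags from `!each.value.public_access` covers both cases, and guarantees every bucket in the map has exactly one block, which is what you want from the defender's side. Renaming the existing `public_access_block` changes its state address, so either keep that name for the merged resource or add a `moved` block; the `depends_on` in `private_acl` later in the file would then point at the merged resource too. Whatever shape you keep, a one-line comment above the resource saying `# Private buckets get all four public-access blocks; public buckets leave them open so the public-read ACL and bucket policy below can apply` would make the true/false split readable.
```hcl
resource "aws_s3_bucket_public_access_block" "public_access_block" {
  for_each = var.buckets

  bucket = aws_s3_bucket.bucket[each.key].id

  # All four blocks are on for private buckets and off for public ones.
  block_public_acls       = !each.value.public_access
  block_public_policy     = !each.value.public_access
  ignore_public_acls      = !each.value.public_access
  restrict_public_buckets = !each.value.public_access
}
```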
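Review bot: `private_acl` is very likely to fail at apply time for dsk-alert-images, because the variables.tf hunk in this same commit sets that bucket's `object_ownership` to `BucketOwnerEnforced`, and S3 disables ACLs under that setting; in my experience PutBucketAcl on such a bucket is rejected with AccessControlListNotSupported even for the `private` canned ACL, which is exactly the error many Terraform users hit when BucketOwnerEnforced became the default. With ACLs disabled and `private_access_block` turning on all four blocks, `acl = "private"` adds no protection anyway, so the simplest fix is to drop `private_acl` and let the public-access block and the bucket policy carry access control. If some private buckets must keep `BucketOwnerPreferred`, restrict the resource to those instead: `for_each = {for bucket, value in var.buckets : bucket => value if value.public_access == false && value.object_ownership != "BucketOwnerEnforced"}`. The same ObjectOwnership constraint applies to `public_acl`, which this commit only renames, so it is worth a comment there noting that `public-read` requires an ACL-enabled ownership setting.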
diff --git a/terraform/buckets/variables.tf b/terraform/buckets/variables.tf
index 4b72d89..a75c753 100644
--- a/terraform/buckets/variables.tf
+++ b/terraform/buckets/variables.tf
@@ -15,8 +15,8 @@ variable "buckets" {
 }))
 default = {
 dsk-alert-images = {
- object_ownership = "BucketOwnerPreferred"
- public_access = true
+ object_ownership = "BucketOwnerEnforced"
+ public_access = false
 versioning = "Enabled"
 lifecycle = {
 status = "Disabled"