💡

【Terraform】S3の作成

2025/01/14に公開

静的コンテンツ配信用バケット作成

aws_s3_bucket

  1. bucket : string : バケット名
  2. force_destroy : bool : 中身があったとしても削除するかどうか

aws_s3_bucket_versioning

  1. bucket : string : バケット名
  2. versioning_configuration : object : status(Enabled,Disabled)

aws_s3_bucket_public_access_block

  1. bucket : string : バケット名
  2. block_public_acls : bool : 新しいACL設定のブロック
  3. block_public_policy : bool : 新しいバケットポリシーをブロック
  4. ignore_public_acls : bool : 公開ACL設定を無視するかどうか
  5. restrict_public_buckets : bool : 所有者とAWSサービスのみにアクセス制限

aws_iam_policy_document

  1. version : string : バージョン
  2. policy_id : string : ポリシーID
  3. statement : block :
    • sid : string : ポリシーID
    • effect : enum : Allow,Deny
    • actions : string[] : アクションリスト
    • resources : string[] : 処理対象のリソース
    • principals : block : 関連づけるエンティティ
      • type : enum : AWS,Serviceなど
      • identifiers : string[] : ARN,サービスURLなど

aws_s3_bucket_policy

  1. bucket : string : バケット名
  2. policy : string : バケットポリシーを表現するJSON
s3.tf
#ランダム名を定義
resource "random_string" "s3_unique_key" {
  length  = 6
  upper   = false
  lower   = true
  numeric = true
  special = false
}
#------------------
#S3
#------------------
resource "aws_s3_bucket" "s3_static_bucket" {
  bucket = "${var.project}-${var.environment}-static-bucket-${random_string.s3_unique_key.result}"
}

resource "aws_s3_bucket_versioning" "s3_static_bucket_versioning" {
  bucket = aws_s3_bucket.s3_static_bucket.id
  versioning_configuration {
    status = "Disabled"
  }
}


resource "aws_s3_bucket_public_access_block" "s3_static_bucket" {
  bucket                  = aws_s3_bucket.s3_static_bucket.id
  block_public_acls       = true
  block_public_policy     = false
  ignore_public_acls      = true
  restrict_public_buckets = false
}

resource "aws_s3_bucket_policy" "s3_static_bucket" {
  bucket = aws_s3_bucket.s3_static_bucket.id
  policy = data.aws_iam_policy_document.s3_static_bucket.json
  depends_on = [
    aws_s3_bucket_public_access_block.s3_static_bucket,
    aws_s3_bucket_versioning.s3_static_bucket_versioning
  ]
}

data "aws_iam_policy_document" "s3_static_bucket" {
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.s3_static_bucket.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}

プライベート用バケット作成

EC2から参照できるようにしていきます。

s3.tf

#------------------
#S3 deploy
#------------------
resource "aws_s3_bucket" "s3_deploy_bucket" {
  bucket = "${var.project}-${var.environment}-deploy-bucket-${random_string.s3_unique_key.result}"
}

resource "aws_s3_bucket_versioning" "s3_deploy_bucket_versioning" {
  bucket = aws_s3_bucket.s3_deploy_bucket.id
  versioning_configuration {
    status = "Disabled"
  }
}


resource "aws_s3_bucket_public_access_block" "s3_deploy_bucket" {
  bucket                  = aws_s3_bucket.s3_deploy_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
-  restrict_public_buckets = false
+  restrict_public_buckets = true
}

resource "aws_s3_bucket_policy" "s3_deploy_bucket" {
  bucket = aws_s3_bucket.s3_deploy_bucket.id
  policy = data.aws_iam_policy_document.s3_deploy_bucket.json
  depends_on = [
    aws_s3_bucket_public_access_block.s3_deploy_bucket,
    aws_s3_bucket_versioning.s3_deploy_bucket_versioning
  ]
}

data "aws_iam_policy_document" "s3_deploy_bucket" {
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.s3_deploy_bucket.arn}/*"]
    principals {
-      type        = "*"
+      type        = "AWS"
-      identifiers = [*]
+      identifiers = [aws_iam_role.app_iam_role.arn]
    }
  }
}

Discussion