【Terraform】S3の作成
静的コンテンツ配信用バケット作成
aws_s3_bucket
- bucket : string : バケット名
- force_destroy : bool : 中身があったとしても削除するかどうか
aws_s3_bucket_versioning
- bucket : string : バケット名
- versioning_configuration : object : status(Enabled,Disabled)
aws_s3_bucket_public_access_block
- bucket : string : バケット名
- block_public_acls : bool : 新しいACL設定のブロック
- block_public_policy : bool : 新しいバケットポリシーをブロック
- ignore_public_acls : bool : 公開ACL設定を無視するかどうか
- restrict_public_buckets : bool : 所有者とAWSサービスのみにアクセス制限
aws_iam_policy_document
- version : string : バージョン
- policy_id : string : ポリシーID
- statement : block :
- sid : string : ステートメントID（statement 単位の識別子）
- effect : enum : Allow,Deny
- actions : string[] : アクションリスト
- resources : string[] : 処理対象のリソース
- principals : block : 関連づけるエンティティ
- type : enum : AWS,Serviceなど
- identifiers : string[] : ARN,サービスURLなど
aws_s3_bucket_policy
- bucket : string : バケット名
- policy : string : バケットポリシーを表現するJSON
s3.tf
# Define the random suffix appended to the bucket names below
# (S3 bucket names are global, so a per-deployment suffix avoids collisions).
resource "random_string" "s3_unique_key" {
# 6 characters drawn only from lowercase letters and digits:
# no uppercase or special characters.
length = 6
upper = false
lower = true
numeric = true
special = false
}
#------------------
# S3 (public static-content bucket)
#------------------
resource "aws_s3_bucket" "s3_static_bucket" {
  # Name layout: <project>-<environment>-static-bucket-<random suffix>
  bucket = join("-", [var.project, var.environment, "static-bucket", random_string.s3_unique_key.result])
}
resource "aws_s3_bucket_versioning" "s3_static_bucket_versioning" {
bucket = aws_s3_bucket.s3_static_bucket.id
# Versioning is left off for the static bucket.
# NOTE(review): the AWS provider accepts "Disabled" only for buckets on which
# versioning has never been enabled; once enabled it can only be set to
# "Suspended" — confirm before changing this value on an existing bucket.
versioning_configuration {
status = "Disabled"
}
}
resource "aws_s3_bucket_public_access_block" "s3_static_bucket" {
  bucket = aws_s3_bucket.s3_static_bucket.id

  # ACL-based public access is blocked and any existing public ACLs are ignored,
  # so the bucket policy is the only path by which this bucket can become public.
  ignore_public_acls = true
  block_public_acls  = true

  # Both left false on purpose: the anonymous-read bucket policy attached to this
  # bucket would be refused (block_public_policy) or limited to the owner and AWS
  # services (restrict_public_buckets) if either were true.
  restrict_public_buckets = false
  block_public_policy     = false
}
resource "aws_s3_bucket_policy" "s3_static_bucket" {
  # Rendered JSON of the anonymous-read policy document declared below.
  policy = data.aws_iam_policy_document.s3_static_bucket.json
  bucket = aws_s3_bucket.s3_static_bucket.id

  # The public access block (with block_public_policy = false) must exist before
  # this public policy is attached, so the apply order is pinned explicitly.
  depends_on = [aws_s3_bucket_public_access_block.s3_static_bucket, aws_s3_bucket_versioning.s3_static_bucket_versioning]
}
data "aws_iam_policy_document" "s3_static_bucket" {
  # Anonymous read of every object in the bucket: type "*" with identifiers ["*"]
  # is the unauthenticated (public) principal, so nothing non-public may be stored here.
  # Only s3:GetObject on objects is granted; no action on the bucket ARN itself.
  statement {
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = [format("%s/*", aws_s3_bucket.s3_static_bucket.arn)]
  }
}
プライベート用バケット作成
EC2から参照できるようにしていきます。
s3.tf
#------------------
#S3 deploy
#------------------
resource "aws_s3_bucket" "s3_deploy_bucket" {
bucket = "${var.project}-${var.environment}-deploy-bucket-${random_string.s3_unique_key.result}"
}
resource "aws_s3_bucket_versioning" "s3_deploy_bucket_versioning" {
bucket = aws_s3_bucket.s3_deploy_bucket.id
versioning_configuration {
status = "Disabled"
}
}
resource "aws_s3_bucket_public_access_block" "s3_deploy_bucket" {
bucket = aws_s3_bucket.s3_deploy_bucket.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
- restrict_public_buckets = false
+ restrict_public_buckets = true
}
resource "aws_s3_bucket_policy" "s3_deploy_bucket" {
bucket = aws_s3_bucket.s3_deploy_bucket.id
policy = data.aws_iam_policy_document.s3_deploy_bucket.json
depends_on = [
aws_s3_bucket_public_access_block.s3_deploy_bucket,
aws_s3_bucket_versioning.s3_deploy_bucket_versioning
]
}
data "aws_iam_policy_document" "s3_deploy_bucket" {
statement {
effect = "Allow"
actions = ["s3:GetObject"]
resources = ["${aws_s3_bucket.s3_deploy_bucket.arn}/*"]
principals {
- type = "*"
+ type = "AWS"
- identifiers = [*]
+ identifiers = [aws_iam_role.app_iam_role.arn]
}
}
}
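Review bot: The new principal on the deploy bucket is granted only `s3:GetObject` on `${aws_s3_bucket.s3_deploy_bucket.arn}/*`, so an instance using app_iam_role can fetch objects whose keys it already knows but cannot list the bucket; if the deploy step lists or syncs, add a second statement for the same principal with `actions = ["s3:ListBucket"]` and `resources = [aws_s3_bucket.s3_deploy_bucket.arn]`. `aws_iam_role.app_iam_role` is referenced but not defined on this page, so it is presumably declared in another file of the same configuration. Naming a role ARN as a bucket-policy principal ties the policy to that specific role object — if the role is ever destroyed and recreated, the stored principal no longer resolves and the policy has to be re-applied, which is worth a comment on the `principals` block. The replaced `identifiers = [*]` was not valid HCL in any case (the string form is `"*"`), so the new line also fixes a syntax error that would have failed validation.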