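# Origin bucket for the CDN. It is named after the primary domain so the
# bucket, the CloudFront origin and the served hostname all line up.
resource "aws_s3_bucket" "vrs_cdn_source_bucket" {
  bucket = local.primary_domain
  tags   = { "Name" : local.primary_domain }
}

# Objects in this bucket are only ever read through the CloudFront origin
# access identity (the bucket policy below grants that identity alone), so
# no public ACL or public bucket policy should ever apply to it. Block all
# four public-access paths at the bucket level as defence in depth: the OAI
# grant names a specific principal and is not classed as public, so it is
# unaffected by these settings.
resource "aws_s3_bucket_public_access_block" "vrs_cdn_source_bucket" {
  bucket = aws_s3_bucket.vrs_cdn_source_bucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}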
# Identity that CloudFront presents to S3 when fetching from the origin
# bucket. The bucket policy grants read access to this identity and to
# nothing else; the comment is only a human-readable label in the console.
resource "aws_cloudfront_origin_access_identity" "vrs_cdn_source_bucket" {
  comment = local.primary_domain
}
# Bucket policy body: read-only access for the CloudFront origin access
# identity, and nothing else. The single statement covers two resource
# ARNs so that s3:ListBucket (bucket-level) and s3:GetObject (object-level)
# can share one grant.
data "aws_iam_policy_document" "vrs_cdn_source_bucket_policy" {
  statement {
    # The only principal allowed in: the OAI defined above.
    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.vrs_cdn_source_bucket.iam_arn]
    }

    actions = [
      "s3:GetObject",
      "s3:ListBucket",
    ]

    # Object-level ARN first, then the bucket ARN itself (list order kept
    # stable so the rendered JSON does not churn).
    resources = [
      "${aws_s3_bucket.vrs_cdn_source_bucket.arn}/*",
      aws_s3_bucket.vrs_cdn_source_bucket.arn,
    ]
  }
}
# Attach the rendered policy document to the origin bucket.
resource "aws_s3_bucket_policy" "vrs_cdn_source_bucket" {
  policy = data.aws_iam_policy_document.vrs_cdn_source_bucket_policy.json
  bucket = aws_s3_bucket.vrs_cdn_source_bucket.id
}
# Timestamps handed to the template module below (last_updated / expiry_date).
# timestamp() is re-evaluated on every plan, so any template that renders
# these values changes on each run, and so does the S3 object built from it —
# expected here, since the expiry has to keep moving forward, but worth
# knowing when reading a plan. 2160h is 90 days.
locals {
  current_time = timestamp()
  three_months = timeadd(local.current_time, "2160h")
}
# Render everything under ./s3_bucket into the file set that is uploaded by
# the aws_s3_object resource below. template_vars are the values available
# for interpolation inside those templates.
module "template_files" {
  source   = "hashicorp/dir/template"
  base_dir = "./s3_bucket"

  template_vars = {
    # Pass in any values that you wish to use in your templates.
    workspace = terraform.workspace

    # Site URLs, all rooted at the primary domain.
    policy_url  = "https://${local.primary_domain}"
    contact_url = "https://${local.primary_domain}/submit"
    ack_url     = "https://${local.primary_domain}/acknowledgements"

    # External references exposed to the templates.
    securitytxt_url   = "https://vulnerability-reporting.service.security.gov.uk/.well-known/security.txt"
    hackerone_form_id = "2e6793b1-d580-4172-9ba3-04c98cdfb478"

    # Freshness fields, computed in the locals block above.
    last_updated = local.current_time
    expiry_date  = local.three_months

    # Content lists defined elsewhere in the module.
    acknowledgements = local.acknowledgements
    footerlinks      = local.footerlinks
  }
}
# One S3 object per file produced by the template module, keyed by its
# relative path so the bucket layout mirrors ./s3_bucket.
resource "aws_s3_object" "s3_files" {
  for_each = module.template_files.files

  bucket       = aws_s3_bucket.vrs_cdn_source_bucket.id
  key          = each.key
  content_type = each.value.content_type

  # The template module populates exactly one of these per file: content for
  # a template rendered in memory, source_path for a static file on disk.
  # The other attribute is null and is ignored by the provider.
  content = each.value.content
  source  = each.value.source_path

  # Change detection. The module's MD5 digest is compared against the
  # object's ETag, which S3 derives from an MD5 of the body unless the bucket
  # has encryption enabled — if encryption is added to the bucket later this
  # attribute needs revisiting, or every apply will show a diff here.
  etag = each.value.digests.md5
}