feat(terraform): move aws_s3_bucket_policy to account level (#237)

* feat(terraform): move `aws_s3_bucket_policy` to account level * fix(terraform): restore data resource * fix(terraform): pass bucket id instead of ARN
dvsa · Aug 12, 2024 · 213d4c4 · 213d4c4
1 parent b250b37
commit 213d4c4
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 19 deletions.
diff --git a/infra/terraform/modules/account/README.md b/infra/terraform/modules/account/README.md
@@ -24,7 +24,9 @@
 
 | Name | Type |
 |------|------|
+| [aws_s3_bucket_policy.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_signer_signing_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/signer_signing_profile) | resource |
+| [aws_iam_policy_document.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 

diff --git a/infra/terraform/modules/account/main.tf b/infra/terraform/modules/account/main.tf
@@ -6,3 +6,20 @@ module "assets" {
 
   bucket = "vol-app-assets"
 }
+
+data "aws_iam_policy_document" "s3_policy" {
+  statement {
+    actions   = ["s3:GetObject"]
+    resources = ["${module.assets[0].s3_bucket_arn}/*"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudfront.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_s3_bucket_policy" "bucket_policy" {
+  bucket = module.assets[0].s3_bucket_id
+  policy = data.aws_iam_policy_document.s3_policy.json
+}
diff --git a/infra/terraform/modules/service/README.md b/infra/terraform/modules/service/README.md
@@ -34,10 +34,8 @@
 | [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_lb_listener_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) | resource |
 | [aws_lb_target_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
-| [aws_s3_bucket_policy.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_canonical_user_id.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/canonical_user_id) | data source |
 | [aws_cloudfront_log_delivery_canonical_user_id.cloudfront](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_log_delivery_canonical_user_id) | data source |
-| [aws_iam_policy_document.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_route53_zone.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
 | [aws_route53_zone.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
 | [aws_s3_bucket.assets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |

diff --git a/infra/terraform/modules/service/cdn.tf b/infra/terraform/modules/service/cdn.tf
@@ -213,20 +213,3 @@ module "records" {
     },
   ]
 }
-
-data "aws_iam_policy_document" "s3_policy" {
-  statement {
-    actions   = ["s3:GetObject"]
-    resources = ["${data.aws_s3_bucket.assets.arn}/*"]
-
-    principals {
-      type        = "Service"
-      identifiers = ["cloudfront.amazonaws.com"]
-    }
-  }
-}
-
-resource "aws_s3_bucket_policy" "bucket_policy" {
-  bucket = data.aws_s3_bucket.assets.id
-  policy = data.aws_iam_policy_document.s3_policy.json
-}