
Commit b41a49a

committed
feat(#220): use an S3 bucket instead of /public for images
1 parent b58399a commit b41a49a


12 files changed

+439
-22
lines changed


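--- a/.gitignore
+++ b/.gitignore
@@ -51,3 +51,4 @@ next-env.d.ts
 .env
 
 *playground
+*.terraform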

infra/public-content/images/.terraform.lock.hcl

Lines changed: 24 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
```shell
2+
tf init && tf apply -auto-approve
3+
```
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
output "bucket_url" {
2+
value = "https://${var.bucket_name}.s3.${var.aws_region}.amazonaws.com"
3+
}

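--- a/infra/public-content/images/s3.tf
+++ b/infra/public-content/images/s3.tf
@@ -0,0 +1,81 @@
+
+provider "aws" {
+region = var.aws_region
+}
+
+resource "aws_s3_bucket" "public_bucket" {
+bucket = var.bucket_name
+}
+
+resource "aws_s3_bucket_cors_configuration" "public_bucket" {
+bucket = aws_s3_bucket.public_bucket.id
+
+cors_rule {
+allowed_headers = ["*"]
+allowed_methods = ["GET", "HEAD"]
+allowed_origins = ["*"]
+expose_headers = ["ETag"]
+max_age_seconds = 3000
+}
+}
+
+resource "aws_s3_bucket_acl" "public_bucket" {
+bucket = aws_s3_bucket.public_bucket.id
+acl = "public-read"
+depends_on = [aws_s3_bucket_ownership_controls.s3_bucket_acl_ownership]
+}
+
+resource "aws_s3_bucket_ownership_controls" "s3_bucket_acl_ownership" {
+bucket = aws_s3_bucket.public_bucket.id
+rule {
+object_ownership = "BucketOwnerPreferred"
+}
+depends_on = [aws_s3_bucket_public_access_block.example]
+}
+
+resource "aws_iam_user" "bucket_owner" {
+name = var.bucket_owner
+}
+
+resource "aws_s3_bucket_public_access_block" "example" {
+bucket = aws_s3_bucket.public_bucket.id
+
+block_public_acls = false
+block_public_policy = false
+ignore_public_acls = false
+restrict_public_buckets = false
+}
+
+resource "aws_s3_bucket_policy" "prod" {
+bucket = aws_s3_bucket.public_bucket.id
+policy = jsonencode({
+Version = "2012-10-17"
+Statement = [
+{
+Principal = "*"
+Action = [
+"s3:*",
+]
+Effect = "Allow"
+Resource = [
+"arn:aws:s3:::${var.bucket_name}",
+"arn:aws:s3:::${var.bucket_name}/*"
+]
+},
+{
+Sid = "PublicReadGetObject"
+Principal = "*"
+Action = [
+"s3:GetObject",
+]
+Effect = "Allow"
+Resource = [
+"arn:aws:s3:::${var.bucket_name}",
+"arn:aws:s3:::${var.bucket_name}/*"
+]
+},
+]
+})
+
+depends_on = [aws_s3_bucket_public_access_block.example]
+}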
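Review bot: The first statement of `aws_s3_bucket_policy.prod` allows `s3:*` to `Principal = "*"` on both the bucket and its objects, so any anonymous caller can write, overwrite or delete objects and replace the bucket policy itself; serving images needs only the second statement. Drop the first statement and narrow the remaining one to `Resource = ["arn:aws:s3:::${var.bucket_name}/*"]`, since `s3:GetObject` applies to objects and not to the bucket ARN. With that policy in place the `public-read` ACL is redundant (it also grants anonymous listing of the bucket), and `block_public_acls` / `ignore_public_acls` in `aws_s3_bucket_public_access_block.example` can be set to `true`. The `aws_iam_user.bucket_owner` resource is not referenced by anything else in this file, so its purpose deserves a comment or the resource should be removed.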
Lines changed: 267 additions & 0 deletions
@@ -0,0 +1,267 @@
1+
{
2+
"version": 4,
3+
"terraform_version": "1.8.0",
4+
"serial": 8,
5+
"lineage": "f4094671-b1f4-8a31-8f71-9ae75120ff1d",
6+
"outputs": {
7+
"bucket_url": {
8+
"value": "https://ashgw-blog-public-images.s3.us-east-2.amazonaws.com",
9+
"type": "string"
10+
}
11+
},
12+
"resources": [
13+
{
14+
"mode": "managed",
15+
"type": "aws_iam_user",
16+
"name": "bucket_owner",
17+
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
18+
"instances": [
19+
{
20+
"schema_version": 0,
21+
"attributes": {
22+
"arn": "arn:aws:iam::032507467607:user/i-own-ashgw-blog-public-images",
23+
"force_destroy": false,
24+
"id": "i-own-ashgw-blog-public-images",
25+
"name": "i-own-ashgw-blog-public-images",
26+
"path": "/",
27+
"permissions_boundary": "",
28+
"tags": null,
29+
"tags_all": {},
30+
"unique_id": "AIDAQPEMYS5L6ENY7WTTK"
31+
},
32+
"sensitive_attributes": [],
33+
"private": "bnVsbA=="
34+
}
35+
]
36+
},
37+
{
38+
"mode": "managed",
39+
"type": "aws_s3_bucket",
40+
"name": "public_bucket",
41+
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
42+
"instances": [
43+
{
44+
"schema_version": 0,
45+
"attributes": {
46+
"acceleration_status": "",
47+
"acl": null,
48+
"arn": "arn:aws:s3:::ashgw-blog-public-images",
49+
"bucket": "ashgw-blog-public-images",
50+
"bucket_domain_name": "ashgw-blog-public-images.s3.amazonaws.com",
51+
"bucket_prefix": "",
52+
"bucket_regional_domain_name": "ashgw-blog-public-images.s3.us-east-2.amazonaws.com",
53+
"cors_rule": [],
54+
"force_destroy": false,
55+
"grant": [
56+
{
57+
"id": "e420affff348dc73cd2e823658c3fbe2bcfda717547ca27db9df24c350f45e75",
58+
"permissions": ["FULL_CONTROL"],
59+
"type": "CanonicalUser",
60+
"uri": ""
61+
}
62+
],
63+
"hosted_zone_id": "Z2O1EMRO9K5GLX",
64+
"id": "ashgw-blog-public-images",
65+
"lifecycle_rule": [],
66+
"logging": [],
67+
"object_lock_configuration": [],
68+
"object_lock_enabled": false,
69+
"policy": "",
70+
"region": "us-east-2",
71+
"replication_configuration": [],
72+
"request_payer": "BucketOwner",
73+
"server_side_encryption_configuration": [
74+
{
75+
"rule": [
76+
{
77+
"apply_server_side_encryption_by_default": [
78+
{
79+
"kms_master_key_id": "",
80+
"sse_algorithm": "AES256"
81+
}
82+
],
83+
"bucket_key_enabled": false
84+
}
85+
]
86+
}
87+
],
88+
"tags": null,
89+
"tags_all": {},
90+
"timeouts": null,
91+
"versioning": [
92+
{
93+
"enabled": false,
94+
"mfa_delete": false
95+
}
96+
],
97+
"website": [],
98+
"website_domain": null,
99+
"website_endpoint": null
100+
},
101+
"sensitive_attributes": [],
102+
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxMjAwMDAwMDAwMDAwLCJkZWxldGUiOjM2MDAwMDAwMDAwMDAsInJlYWQiOjEyMDAwMDAwMDAwMDAsInVwZGF0ZSI6MTIwMDAwMDAwMDAwMH19"
103+
}
104+
]
105+
},
106+
{
107+
"mode": "managed",
108+
"type": "aws_s3_bucket_acl",
109+
"name": "public_bucket",
110+
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
111+
"instances": [
112+
{
113+
"schema_version": 0,
114+
"attributes": {
115+
"access_control_policy": [
116+
{
117+
"grant": [
118+
{
119+
"grantee": [
120+
{
121+
"display_name": "",
122+
"email_address": "",
123+
"id": "",
124+
"type": "Group",
125+
"uri": "http://acs.amazonaws.com/groups/global/AllUsers"
126+
}
127+
],
128+
"permission": "READ"
129+
},
130+
{
131+
"grantee": [
132+
{
133+
"display_name": "",
134+
"email_address": "",
135+
"id": "e420affff348dc73cd2e823658c3fbe2bcfda717547ca27db9df24c350f45e75",
136+
"type": "CanonicalUser",
137+
"uri": ""
138+
}
139+
],
140+
"permission": "FULL_CONTROL"
141+
}
142+
],
143+
"owner": [
144+
{
145+
"display_name": "",
146+
"id": "e420affff348dc73cd2e823658c3fbe2bcfda717547ca27db9df24c350f45e75"
147+
}
148+
]
149+
}
150+
],
151+
"acl": "public-read",
152+
"bucket": "ashgw-blog-public-images",
153+
"expected_bucket_owner": "",
154+
"id": "ashgw-blog-public-images,public-read"
155+
},
156+
"sensitive_attributes": [],
157+
"private": "bnVsbA==",
158+
"dependencies": [
159+
"aws_s3_bucket.public_bucket",
160+
"aws_s3_bucket_ownership_controls.s3_bucket_acl_ownership",
161+
"aws_s3_bucket_public_access_block.example"
162+
]
163+
}
164+
]
165+
},
166+
{
167+
"mode": "managed",
168+
"type": "aws_s3_bucket_cors_configuration",
169+
"name": "public_bucket",
170+
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
171+
"instances": [
172+
{
173+
"schema_version": 0,
174+
"attributes": {
175+
"bucket": "ashgw-blog-public-images",
176+
"cors_rule": [
177+
{
178+
"allowed_headers": ["*"],
179+
"allowed_methods": ["GET", "HEAD"],
180+
"allowed_origins": ["*"],
181+
"expose_headers": ["ETag"],
182+
"id": "",
183+
"max_age_seconds": 3000
184+
}
185+
],
186+
"expected_bucket_owner": "",
187+
"id": "ashgw-blog-public-images"
188+
},
189+
"sensitive_attributes": [],
190+
"private": "bnVsbA==",
191+
"dependencies": ["aws_s3_bucket.public_bucket"]
192+
}
193+
]
194+
},
195+
{
196+
"mode": "managed",
197+
"type": "aws_s3_bucket_ownership_controls",
198+
"name": "s3_bucket_acl_ownership",
199+
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
200+
"instances": [
201+
{
202+
"schema_version": 0,
203+
"attributes": {
204+
"bucket": "ashgw-blog-public-images",
205+
"id": "ashgw-blog-public-images",
206+
"rule": [
207+
{
208+
"object_ownership": "BucketOwnerPreferred"
209+
}
210+
]
211+
},
212+
"sensitive_attributes": [],
213+
"private": "bnVsbA==",
214+
"dependencies": [
215+
"aws_s3_bucket.public_bucket",
216+
"aws_s3_bucket_public_access_block.example"
217+
]
218+
}
219+
]
220+
},
221+
{
222+
"mode": "managed",
223+
"type": "aws_s3_bucket_policy",
224+
"name": "prod",
225+
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
226+
"instances": [
227+
{
228+
"schema_version": 0,
229+
"attributes": {
230+
"bucket": "ashgw-blog-public-images",
231+
"id": "ashgw-blog-public-images",
232+
"policy": "{\"Statement\":[{\"Action\":[\"s3:*\"],\"Effect\":\"Allow\",\"Principal\":\"*\",\"Resource\":[\"arn:aws:s3:::ashgw-blog-public-images\",\"arn:aws:s3:::ashgw-blog-public-images/*\"]},{\"Action\":[\"s3:GetObject\"],\"Effect\":\"Allow\",\"Principal\":\"*\",\"Resource\":[\"arn:aws:s3:::ashgw-blog-public-images\",\"arn:aws:s3:::ashgw-blog-public-images/*\"],\"Sid\":\"PublicReadGetObject\"}],\"Version\":\"2012-10-17\"}"
233+
},
234+
"sensitive_attributes": [],
235+
"private": "bnVsbA==",
236+
"dependencies": [
237+
"aws_s3_bucket.public_bucket",
238+
"aws_s3_bucket_public_access_block.example"
239+
]
240+
}
241+
]
242+
},
243+
{
244+
"mode": "managed",
245+
"type": "aws_s3_bucket_public_access_block",
246+
"name": "example",
247+
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
248+
"instances": [
249+
{
250+
"schema_version": 0,
251+
"attributes": {
252+
"block_public_acls": false,
253+
"block_public_policy": false,
254+
"bucket": "ashgw-blog-public-images",
255+
"id": "ashgw-blog-public-images",
256+
"ignore_public_acls": false,
257+
"restrict_public_buckets": false
258+
},
259+
"sensitive_attributes": [],
260+
"private": "bnVsbA==",
261+
"dependencies": ["aws_s3_bucket.public_bucket"]
262+
}
263+
]
264+
}
265+
],
266+
"check_results": null
267+
}
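Review bot: This section is Terraform state (`"version": 4`, `"terraform_version": "1.8.0"`, `"lineage"`) checked into the repository; state belongs in a remote backend with access control and encryption, not in version control, because it records every resource attribute in plain text, including any that are sensitive. Here it already publishes the AWS account id inside the IAM user `arn`, the user's `unique_id` and the bucket owner's canonical id. The `.gitignore` hunk in this commit adds only `*.terraform`; adding `*.tfstate` and `*.tfstate.*` would keep state out of later commits, and this file should be dropped from the branch before merge. The file's path header is not visible in this view, so the file name is inferred from its content. The recorded `policy` attribute also shows the `s3:*` / `Principal: *` statement as applied to the live bucket.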
