Terraform設定AWS S3 bucket的bucket policy。
事前要求
參考「Terraform 建立S3 bucket範例」建立S3 bucket terraform-demo-bucket-202205052200。
設定Bucket policy
使用resource aws_s3_bucket_policy來設定bucket的policy。
bucket- 要套用policy的bucket名稱,必填。policy- Bucket policy的JSON文件或參照data sourceaws_iam_policy_document,必填。
例如下面設定所有AWS principle皆禁止取得bucket terraform-demo-bucket-202205052200中的object內容,相當於「AWS 設定S3 bucket policy不可讀取檔案物件」的設定。policy的值為JSON字串(heredoc)。
main.tf
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.12"
}
}
required_version = ">= 1.1.9"
}
provider "aws" {
profile = "default"
region = "ap-northeast-1" // Tokyo
}
resource "aws_s3_bucket" "demo_bucket" {
bucket = "terraform-demo-bucket-202205052200"
}
resource "aws_s3_bucket_policy" "deny_all_get_object" {
bucket = aws_s3_bucket.demo_bucket.id
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAllGetObject",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "${aws_s3_bucket.demo_bucket.arn}/*"
}
]
}
POLICY
}
或policy的值參考data source aws_iam_policy_document,效果同上。
main.tf
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.12"
}
}
required_version = ">= 1.1.9"
}
provider "aws" {
profile = "default"
region = "ap-northeast-1" // Tokyo
}
resource "aws_s3_bucket" "demo_bucket" {
bucket = "terraform-demo-bucket-202205052200"
}
resource "aws_s3_bucket_policy" "deny_all_get_object" {
bucket = aws_s3_bucket.demo_bucket.id
policy = data.aws_iam_policy_document.deny_all_get_object_document.json
}
data "aws_iam_policy_document" "deny_all_get_object_document" {
statement {
sid = "DenyAllGetObject"
effect = "Deny"
principals {
type = "AWS"
identifiers = ["*"]
}
actions = ["s3:GetObject"]
resources = ["${aws_s3_bucket.demo_bucket.arn}/*"]
}
}
套用policy
執行terraform apply可在AWS console S3 bucket policy看到設定的policy。
沒有留言:
張貼留言