@@ -49,7 +49,7 @@ Debemos añadir el servicio en si mismo también `delivery.logs.amazonaws.com`
49
49
50
50
Por último el servicio necesita acceso al ACL del Bucket
51
51
52
- 1 . Introducimos como ` Principal ` - ` Service `
52
+ 1 . Introducimos como ` Principal ` - ` elb `
53
53
2 . Seleccionamos la acción de ` PutObject `
54
54
3 . Introducimos como Amazon Resource Name ` arn:aws:s3:::${BucketName}/${KeyName} `
55
55
4 . Click en ` Add Statement `
@@ -58,50 +58,19 @@ Ya estamos listos para generar la `Policy`, hacemos click en `Generate Policy`,
58
58
59
59
``` json
60
60
{
61
- "Id" : " Policy1639995384326 " ,
61
+ "Id" : " Policy1671300749955 " ,
62
62
"Version" : " 2012-10-17" ,
63
63
"Statement" : [
64
64
{
65
- "Sid" : " Stmt1639993445416" ,
66
- "Action" : [
67
- " s3:PutObject"
68
- ],
69
- "Effect" : " Allow" ,
70
- "Resource" : " arn:aws:s3:::${BucketName}/${KeyName}" ,
71
- "Principal" : {
72
- "AWS" : [
73
- " AWS"
74
- ]
75
- }
76
- },
77
- {
78
- "Sid" : " Stmt1639994327284" ,
65
+ "Sid" : " Stmt1671300748312" ,
79
66
"Action" : [
80
67
" s3:PutObject"
81
68
],
82
69
"Effect" : " Allow" ,
83
70
"Resource" : " arn:aws:s3:::${BucketName}/${KeyName}" ,
84
- "Condition" : {
85
- "StringEquals" : {
86
- "s3:x-amz-acl" : " bucket-owner-full-control"
87
- }
88
- },
89
71
"Principal" : {
90
72
"AWS" : [
91
- " Service"
92
- ]
93
- }
94
- },
95
- {
96
- "Sid" : " Stmt1639994660593" ,
97
- "Action" : [
98
- " s3:GetBucketAcl"
99
- ],
100
- "Effect" : " Allow" ,
101
- "Resource" : " arn:aws:s3:::${BucketName}/${KeyName}" ,
102
- "Principal" : {
103
- "AWS" : [
104
- " Service"
73
+ " elb"
105
74
]
106
75
}
107
76
}
@@ -113,64 +82,24 @@ Ahora a partir de este esqueleto vamos a generar, el json que necesitamos
113
82
114
83
``` diff
115
84
{
116
- - "Id": "Policy1639995384326",
85
+ - "Id": "Policy1671300749955",
86
+ + "Id": "Policy",
117
87
"Version": "2012-10-17",
118
88
"Statement": [
119
89
{
120
- - "Sid": "Stmt1639993445416 ",
90
+ - "Sid": "Stmt1671300748312 ",
121
91
"Action": [
122
92
"s3:PutObject"
123
93
],
124
94
"Effect": "Allow",
125
95
- "Resource": "arn:aws:s3:::${BucketName}/${KeyName}",
126
96
+ "Resource": "arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*",
127
- - "Principal": {
128
- - "AWS": [
129
- - "AWS"
130
- - ]
131
- - }
132
- + "Principal": {
133
- + "AWS": "${data.aws_elb_service_account.root.arn}"
134
- + }
135
- },
136
- {
137
- - "Sid": "Stmt1639994327284",
138
- "Action": [
139
- "s3:PutObject"
140
- ],
141
- "Effect": "Allow",
142
- - "Resource": "arn:aws:s3:::${BucketName}/${KeyName}",
143
- + "Resource": "arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*",
144
- "Condition": {
145
- "StringEquals": {
146
- "s3:x-amz-acl": "bucket-owner-full-control"
147
- }
148
- },
149
- - "Principal": {
150
- - "AWS": [
151
- - "Service"
152
- - ]
153
- - }
154
- + "Principal": {
155
- + "Service": "delivery.logs.amazonaws.com"
156
- + }
157
- },
158
- {
159
- - "Sid": "Stmt1639994660593",
160
- "Action": [
161
- "s3:GetBucketAcl"
162
- ],
163
- "Effect": "Allow",
164
- - "Resource": "arn:aws:s3:::${BucketName}/${KeyName}",
165
- + "Resource": "arn:aws:s3:::${local.s3_bucket_name}",
166
- - "Principal": {
167
- - "AWS": [
168
- - "Service"
169
- - ]
170
- - }
171
- + "Principal": {
172
- + "Service": "delivery.logs.amazonaws.com"
173
- + }
97
+ "Principal": {
98
+ "AWS": [
99
+ - "elb"
100
+ + "${data.aws_elb_service_account.root.arn}"
101
+ ]
102
+ }
174
103
}
175
104
]
176
105
}
@@ -180,6 +109,7 @@ The final `json` looks like:
180
109
181
110
``` json
182
111
{
112
+ "Id" : " Policy" ,
183
113
"Version" : " 2012-10-17" ,
184
114
"Statement" : [
185
115
{
@@ -189,32 +119,9 @@ The final `json` looks like:
189
119
"Effect" : " Allow" ,
190
120
"Resource" : " arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*" ,
191
121
"Principal" : {
192
- "AWS" : " ${data.aws_elb_service_account.root.arn}"
193
- }
194
- },
195
- {
196
- "Action" : [
197
- " s3:PutObject"
198
- ],
199
- "Effect" : " Allow" ,
200
- "Resource" : " arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*" ,
201
- "Condition" : {
202
- "StringEquals" : {
203
- "s3:x-amz-acl" : " bucket-owner-full-control"
204
- }
205
- },
206
- "Principal" : {
207
- "Service" : " delivery.logs.amazonaws.com"
208
- }
209
- },
210
- {
211
- "Action" : [
212
- " s3:GetBucketAcl"
213
- ],
214
- "Effect" : " Allow" ,
215
- "Resource" : " arn:aws:s3:::${local.s3_bucket_name}" ,
216
- "Principal" : {
217
- "Service" : " delivery.logs.amazonaws.com"
122
+ "AWS" : [
123
+ " ${data.aws_elb_service_account.root.arn}"
124
+ ]
218
125
}
219
126
}
220
127
]
@@ -229,11 +136,23 @@ Actualizamos `s3.tf`
229
136
# aws_s3_bucket
230
137
resource " aws_s3_bucket" " web_bucket" {
231
138
bucket = local.s3_bucket_name
232
- acl = " private"
233
139
force_destroy = true
234
140
141
+ tags = local.common_tags
142
+ }
143
+
144
+ # aws_s3_bucket_acl
145
+ resource " aws_s3_bucket_acl" " web_bucket_acl" {
146
+ bucket = aws_s3_bucket.web_bucket.id
147
+ acl = " private"
148
+ }
149
+
150
+ # aws_s3_bucket_policy
151
+ resource " aws_s3_bucket_policy" " allow_elb_logging" {
152
+ bucket = aws_s3_bucket.web_bucket.id
235
153
policy = <<POLICY
236
154
{
155
+ " Id" : " Policy" ,
237
156
" Version" : " 2012-10-17" ,
238
157
" Statement" : [
239
158
{
@@ -243,43 +162,16 @@ resource "aws_s3_bucket" "web_bucket" {
243
162
" Effect" : " Allow" ,
244
163
" Resource" : " arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*" ,
245
164
" Principal" : {
246
- " AWS" : " ${data.aws_elb_service_account.root.arn}"
247
- }
248
- },
249
- {
250
- " Action" : [
251
- " s3:PutObject"
252
- ],
253
- " Effect" : " Allow" ,
254
- " Resource" : " arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*" ,
255
- " Condition" : {
256
- " StringEquals" : {
257
- " s3:x-amz-acl" : " bucket-owner-full-control"
258
- }
259
- },
260
- " Principal" : {
261
- " Service" : " delivery.logs.amazonaws.com"
262
- }
263
- },
264
- {
265
- " Action" : [
266
- " s3:GetBucketAcl"
267
- ],
268
- " Effect" : " Allow" ,
269
- " Resource" : " arn:aws:s3:::${local.s3_bucket_name}" ,
270
- " Principal" : {
271
- " Service" : " delivery.logs.amazonaws.com"
165
+ " AWS" : [
166
+ " ${data.aws_elb_service_account.root.arn}"
167
+ ]
272
168
}
273
169
}
274
170
]
275
171
}
276
172
POLICY
277
-
278
- tags = local.common_tags
279
173
}
280
174
281
- # aws_s3_bucket_object
282
-
283
175
# aws_iam_role
284
176
285
177
# aws_iam_role_policy
@@ -291,41 +183,38 @@ resource "aws_s3_bucket" "web_bucket" {
291
183
* Tomamos el nombre del bucket de local
292
184
* Establecemos ` acl ` como privado
293
185
* Establecemos ` force_destroy ` para que Terraform lo elimine en el ` destroy `
294
- * Policy
295
- * En el statement para la ` bucket policy ` , queremos permitir al balenceador de carga y al ` delivery service logs ` acceso al bucket de S3. Esto lo hacemos utilizando ` Allow ` , y vamos a referenciar como principal, nuestra cuenta de servicio ` Elastic Load Balancer ` desde ` data source ` . Recordar que esto lo hemos declarado en ` loadbalancer.tf ` , como la entrada ` data "aws_elb_service_account" "root" {} ` , este es el ` data source ` que necesitará referenciar la ` service account ` usada por el ` Elastic Load Balancer ` en nuestra región.
186
+ * En el ` resource ` para la ` bucket policy ` , queremos permitir al balenceador de carga y al ` delivery service logs ` acceso al bucket de S3. Esto lo hacemos utilizando ` Allow ` , y vamos a referenciar como principal, nuestra cuenta de servicio ` Elastic Load Balancer ` desde ` data source ` . Recordar que esto lo hemos declarado en ` loadbalancer.tf ` , como la entrada ` data "aws_elb_service_account" "root" {} ` , este es el ` data source ` que necesitará referenciar la ` service account ` usada por el ` Elastic Load Balancer ` en nuestra región.
187
+
296
188
297
- ``` json
298
- "Principal" : {
299
- "AWS" : " ${data.aws_elb_service_account.root.arn}"
300
- },
301
- ```
189
+ ``` json
190
+ "Principal" : {
191
+ "AWS" : " ${data.aws_elb_service_account.root.arn}"
192
+ },
193
+ ```
302
194
303
195
* Para la ` action ` , usamos ` s3:PutObject ` , y para el recurso le pasamos el nombre del bucket y el path, ** alb-logs** . Esto da permisos ` Elastic Load Balancer ` para escribir en el path.
304
196
305
- ``` json
306
- "Action" : " s3:PutObject" ,
307
- "Resource" : " arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*"
308
- ```
309
-
310
- * Vamos a darle los mismos permisos al servicio ` delivery.logs.amazonaws.com ` , y además ` s3:GetBucketAcl `
311
-
197
+ ``` json
198
+ "Action" : " s3:PutObject" ,
199
+ "Resource" : " arn:aws:s3:::${local.s3_bucket_name}/alb-logs/*"
200
+ ```
312
201
313
202
### Paso 4. Alimentamos los objectos del Bucket
314
203
315
204
Actualizamos ` s3.tf `
316
205
317
206
``` ini
318
207
# ....
319
- # aws_s3_bucket_object
320
- resource " aws_s3_bucket_object " " website" {
208
+ # aws_s3_object
209
+ resource " aws_s3_object " " website" {
321
210
bucket = aws_s3_bucket.web_bucket.bucket
322
211
key = " /website/index.html"
323
212
source = " ./website/index.html"
324
213
325
214
tags = local.common_tags
326
215
}
327
216
328
- resource " aws_s3_bucket_object " " graphic" {
217
+ resource " aws_s3_object " " graphic" {
329
218
bucket = aws_s3_bucket.web_bucket.bucket
330
219
key = " /website/fruits.png"
331
220
source = " ./website/fruits.png"
@@ -426,7 +315,7 @@ resource "aws_iam_role_policy" "allow_s3_all" {
426
315
}
427
316
```
428
317
429
- Por útimo creamos el [ perfil de instamcia ] ( https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html )
318
+ Por útimo creamos el [ perfil de instancia ] ( https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html )
430
319
431
320
``` ini
432
321
# aws_iam_instance_profile