
Commit d4c0ed7

Enable List access to the S3 bucket via CloudFront OAI
This also blocks direct public access to the S3 bucket, so the bucket itself is no longer a public interface (meaning we can change the bucket structure as long as public access via CloudFront is preserved).
1 parent 552127d commit d4c0ed7

2 files changed

+28
-4
lines changed


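--- a/terraform/crates-io/impl/cloudfront-index.tf
+++ b/terraform/crates-io/impl/cloudfront-index.tf
@@ -1,5 +1,9 @@
 // This file configures index.crates.io
 
+resource "aws_cloudfront_origin_access_identity" "index" {
+comment = "index.crates.io access"
+}
+
 resource "aws_cloudfront_distribution" "index" {
 comment = var.index_domain_name
 
@@ -44,6 +48,9 @@ resource "aws_cloudfront_distribution" "index" {
 origin {
 origin_id = "main"
 domain_name = aws_s3_bucket.index.bucket_regional_domain_name
+s3_origin_config {
+origin_access_identity = aws_cloudfront_origin_access_identity.index.cloudfront_access_identity_path
+}
 }
 
 restrictions {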
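Review bot: The origin access identity added at the top of this file is AWS's legacy way of locking an S3 origin to CloudFront; the current recommendation is an origin access control (`aws_cloudfront_origin_access_control`), which signs origin requests with SigV4 and can read SSE-KMS-encrypted objects, something an OAI cannot do if the index bucket is ever moved to KMS encryption. If the provider version in use supports it, the `origin` block should reference the OAC by `origin_access_control_id` instead of the `s3_origin_config` block, and the bucket policy in s3-index.tf would then grant `Principal = { Service = "cloudfront.amazonaws.com" }` with an `AWS:SourceArn` condition on the distribution ARN rather than the OAI's IAM ARN. Whichever mechanism stays, a one-line comment on the identity resource saying it is the only principal allowed by the bucket policy would help the next reader connect the two files. The `aws_cloudfront_distribution` resource continues outside both hunks.
```hcl
resource "aws_cloudfront_origin_access_control" "index" {
  name                              = "index.crates.io access"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

// … unchanged: distribution settings …

origin {
  origin_id                = "main"
  domain_name              = aws_s3_bucket.index.bucket_regional_domain_name
  origin_access_control_id = aws_cloudfront_origin_access_control.index.id
}
```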

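--- a/terraform/crates-io/impl/s3-index.tf
+++ b/terraform/crates-io/impl/s3-index.tf
@@ -13,18 +13,35 @@ resource "aws_s3_bucket_policy" "index" {
 Version = "2012-10-17"
 Statement = [
 {
-Sid = "PublicReadGetObject",
+Sid = "CloudFrontAccess",
 Effect = "Allow"
 Principal = {
-AWS = "*"
+AWS = "${aws_cloudfront_origin_access_identity.index.iam_arn}"
 }
-Action = "s3:GetObject"
-Resource = "${aws_s3_bucket.index.arn}/*"
+Action = [
+"s3:GetObject",
+"s3:ListBucket"
+]
+Resource = [
+"${aws_s3_bucket.index.arn}",
+"${aws_s3_bucket.index.arn}/*"
+]
 }
 ]
 })
 }
 
+// We provide public access only through CloudFront, which is enabled with a
+// CloudFront origin access identity.
+resource "aws_s3_bucket_public_access_block" "index" {
+bucket = aws_s3_bucket.index.id
+
+restrict_public_buckets = true
+ignore_public_acls = true
+block_public_acls = true
+block_public_policy = true
+}
+
 resource "aws_s3_bucket_inventory" "index" {
 name = "all-objects-csv"
 bucket = aws_s3_bucket.index.id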
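Review bot: Granting `s3:ListBucket` on the bucket ARN to the OAI changes what a request for the distribution root returns: unless the distribution sets `default_root_object` (not visible in this commit), S3 answers a GET on the bucket with an XML key listing, which CloudFront will serve and cache. For the crates index every key is public anyway, so this exposes structure rather than data, but the policy should record why list access is wanted — presumably so that missing keys come back as 404 rather than 403. A comment above the `Action` list would capture that: `// s3:ListBucket lets S3 answer 404 rather than 403 for missing keys; it also exposes a key listing at the distribution root unless default_root_object is set.` As a minor style point, the interpolation-only strings such as `"${aws_cloudfront_origin_access_identity.index.iam_arn}"` can be plain references in current Terraform. The enclosing `aws_s3_bucket_policy` resource starts before this hunk.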
