update bucket policy for a deployment_user

fillup · Jan 2, 2020 · 8df1788 · 8df1788
1 parent dc90619
commit 8df1788
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 2 deletions.
diff --git a/bucket-policy.json b/bucket-policy.json
@@ -2,11 +2,23 @@
   "Version": "2012-10-17",
   "Statement": [
     {
-      "Sid": "AddPerm",
+      "Sid": "PublicRead",
       "Effect": "Allow",
       "Principal": "*",
       "Action": "s3:GetObject",
       "Resource": "arn:aws:s3:::${bucket_name}/public/*"
+    },
+    {
+      "Sid": "PutWebsite",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": ["${deployment_user_arn}"]
+      },
+      "Action": [
+        "s3:PutObject",
+        "s3:PutObjectAcl"
+      ],
+      "Resource": "arn:aws:s3:::${bucket_name}/public/*"
     }
   ]
 }
diff --git a/main.tf b/main.tf
@@ -5,7 +5,8 @@ data "template_file" "bucket_policy" {
   template = "${file("${path.module}/bucket-policy.json")}"
 
   vars {
-    bucket_name = "${var.bucket_name}"
+    bucket_name         = "${var.bucket_name}"
+    deployment_user_arn = "${var.deployment_user_arn}"
   }
 }
 

diff --git a/vars.tf b/vars.tf
@@ -106,3 +106,8 @@ variable "viewer_protocol_policy" {
   type        = "string"
   default     = "redirect-to-https"
 }
+
+variable "deployment_user_arn" {
+  description = "ARN for user who is able to put objects into S3 bucket"
+  type        = "string"
+}