jcandan/.lando.yml

## .lando.yml
config:
  webroot: web
proxy:
  s3:
    - console.s3.drupal-tanzu-sandbox.lndo.site:9001
    - s3.drupal-tanzu-sandbox.lndo.site:9000
services:
  appserver:
    overrides:
      environment:
        DRUSH_OPTIONS_URI: https://drupal-tanzu-sandbox.lndo.site
        DRUPAL_S3FS_HOST: https://s3.drupal-tanzu-sandbox.lndo.site
        AWS_ACCESS_KEY: minio
        AWS_SECRET_ACCESS_KEY: miniosecret
        DRUPAL_S3FS_BUCKET: default
  s3:
    type: compose
    ssl: true
    services:
      image: bitnami/minio:latest
      command:
        - /opt/bitnami/scripts/minio/entrypoint.sh
        - /opt/bitnami/scripts/minio/run.sh
      environment:
        # Using MINIO_SERVER_URL with https://s3.drupal-tanzu-sandbox.lndo.site
        # causes a x509 certificate sign by unknown authority error when logging
        # in to console. But http causes admin styles not to load.
        # @todo Resolve MINIO_SERVER_URL x509 cert signed by unknown auth.
        MINIO_BROWSER_REDIRECT_URL: https://console.s3.drupal-tanzu-sandbox.lndo.site
        MINIO_DEFAULT_BUCKETS: "default:public"
      # Volume mount for persistence across Lando rebuilds.
      volumes:
        - storage/minio:/data
    run_as_root:
      - mc config host add --insecure local https://s3.drupal-tanzu-sandbox.lndo.site minio miniosecret
tooling:
  mc:
    service: s3
    user: root
events:
  post-destroy:
    # Ensure persistent content destroyed with Lando destroy.
    - s3: rm -rf /data/default/*

## settings.php
<?php

/**
 * S3FS
 */
$config['s3fs.settings']['bucket'] = getenv('DRUPAL_S3FS_BUCKET');
$settings['s3fs.access_key'] = getenv('AWS_ACCESS_KEY_ID');
$settings['s3fs.secret_key'] = getenv('AWS_SECRET_ACCESS_KEY');
$config['s3fs.settings']['use_https'] = TRUE;
$settings['s3fs.use_s3_for_public'] = TRUE;
$settings['s3fs.use_s3_for_private'] = TRUE;
$settings['php_storage']['twig']['directory'] = '../storage/php';
$settings['file_private_path'] = '../storage/private';
// Needed if AWS S3 bucket is configured with BlockPublicAcls.
$settings['s3fs.upload_as_private'] = TRUE;
// Disable S3 version sync.
// The Amazon-managed AmazonS3FullAccess IAM policy does not include
// s3:ListBucketVersions.
$config['s3fs.settings']['disable_version_sync'] = TRUE;
	config:
	webroot: web
	proxy:
	s3:
	- console.s3.drupal-tanzu-sandbox.lndo.site:9001
	- s3.drupal-tanzu-sandbox.lndo.site:9000
	services:
	appserver:
	overrides:
	environment:
	DRUSH_OPTIONS_URI: https://drupal-tanzu-sandbox.lndo.site
	DRUPAL_S3FS_HOST: https://s3.drupal-tanzu-sandbox.lndo.site
	AWS_ACCESS_KEY: minio
	AWS_SECRET_ACCESS_KEY: miniosecret
	DRUPAL_S3FS_BUCKET: default
	s3:
	type: compose
	ssl: true
	services:
	image: bitnami/minio:latest
	command:
	- /opt/bitnami/scripts/minio/entrypoint.sh
	- /opt/bitnami/scripts/minio/run.sh
	environment:
	# Using MINIO_SERVER_URL with https://s3.drupal-tanzu-sandbox.lndo.site
	# causes a x509 certificate sign by unknown authority error when logging
	# in to console. But http causes admin styles not to load.
	# @todo Resolve MINIO_SERVER_URL x509 cert signed by unknown auth.
	MINIO_BROWSER_REDIRECT_URL: https://console.s3.drupal-tanzu-sandbox.lndo.site
	MINIO_DEFAULT_BUCKETS: "default:public"
	# Volume mount for persistence across Lando rebuilds.
	volumes:
	- storage/minio:/data
	run_as_root:
	- mc config host add --insecure local https://s3.drupal-tanzu-sandbox.lndo.site minio miniosecret
	tooling:
	mc:
	service: s3
	user: root
	events:
	post-destroy:
	# Ensure persistent content destroyed with Lando destroy.
	- s3: rm -rf /data/default/*
	<?php

	/**
	* S3FS
	*/
	$config['s3fs.settings']['bucket'] = getenv('DRUPAL_S3FS_BUCKET');
	$settings['s3fs.access_key'] = getenv('AWS_ACCESS_KEY_ID');
	$settings['s3fs.secret_key'] = getenv('AWS_SECRET_ACCESS_KEY');
	$config['s3fs.settings']['use_https'] = TRUE;
	$settings['s3fs.use_s3_for_public'] = TRUE;
	$settings['s3fs.use_s3_for_private'] = TRUE;
	$settings['php_storage']['twig']['directory'] = '../storage/php';
	$settings['file_private_path'] = '../storage/private';
	// Needed if AWS S3 bucket is configured with BlockPublicAcls.
	$settings['s3fs.upload_as_private'] = TRUE;
	// Disable S3 version sync.
	// The Amazon-managed AmazonS3FullAccess IAM policy does not include
	// s3:ListBucketVersions.
	$config['s3fs.settings']['disable_version_sync'] = TRUE;