Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save kenzo0107/fef3f4127e9ac4a6af3030b1d60689f1 to your computer and use it in GitHub Desktop.
Save kenzo0107/fef3f4127e9ac4a6af3030b1d60689f1 to your computer and use it in GitHub Desktop.
locals {
a_ips = ["93.184.216.34/32"] # dummy A company ip
}
# for log
resource "aws_s3_bucket" "logs" {
bucket = "hoge.logs"
acl = "log-delivery-write"
versioning {
enabled = true
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
tags = {
Name = "hoge.logs"
}
lifecycle {
prevent_destroy = true
}
}
resource "aws_iam_user" "a" {
name = "a"
path = "/"
}
resource "aws_s3_bucket" "hoge" {
bucket = "hoge.share"
acl = "private"
logging {
target_bucket = aws_s3_bucket.logs.id
target_prefix = "hoge/"
}
tags = {
Name = "hoge.share"
}
lifecycle {
prevent_destroy = true
}
}
data "aws_iam_policy_document" "hoge" {
statement {
effect = "Allow"
principals {
type = "AWS"
identifiers = [aws_iam_user.a.arn]
}
actions = ["s3:GetObject"]
resources = ["${aws_s3_bucket.hoge.arn}/aaa/bbb/*"]
condition {
test = "IpAddress"
variable = "aws:SourceIp"
values = local.a_ips
}
}
statement {
effect = "Allow"
principals {
type = "AWS"
identifiers = [aws_iam_user.a.arn]
}
actions = ["s3:ListBucket"]
resources = [aws_s3_bucket.hoge.arn]
condition {
test = "IpAddress"
variable = "aws:SourceIp"
values = local.a_ips
}
condition {
test = "StringLike"
variable = "s3:prefix"
values = ["aaa/bbb/*"]
}
}
}
resource "aws_s3_bucket_policy" "hoge" {
bucket = aws_s3_bucket.hoge.id
policy = data.aws_iam_policy_document.hoge.json
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment