locals {
  # Source CIDRs that the bucket policy below accepts for aws:SourceIp.
  # The entry here is a placeholder (the original author marks it as a dummy
  # address for "A company") and has to be replaced with the real egress range.
  a_ips = [
    "93.184.216.34/32",
  ]
}
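# Destination for the server access logs of the shared bucket (see the
# `logging` block on aws_s3_bucket.hoge).
resource "aws_s3_bucket" "logs" {
  bucket = "hoge.logs"

  # Lets the S3 Log Delivery group write log objects. A grant to that group is
  # not "public" in the Block Public Access sense, so the access block added
  # below does not interfere with log delivery.
  acl = "log-delivery-write"

  # Keep object history so delivered logs cannot be silently overwritten.
  versioning {
    enabled = true
  }

  # SSE-S3 at rest. NOTE(review): server access logging is documented to work
  # with SSE-S3 targets; confirm support before switching this to aws:kms.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  tags = {
    Name = "hoge.logs"
  }

  # Audit data must survive an accidental `terraform destroy`.
  lifecycle {
    prevent_destroy = true
  }

  # NOTE(review): `acl`, `versioning` and `server_side_encryption_configuration`
  # are written inline; AWS provider v4+ deprecates these in favour of separate
  # aws_s3_bucket_* resources. The provider version is not pinned in this file,
  # so check it before upgrading.
  # NOTE(review): no expiration rule is defined, so log objects accumulate
  # indefinitely; add a lifecycle rule once a retention period is agreed.
}

# Fix: the log bucket had no Block Public Access settings, so a later ACL or
# bucket-policy change could have exposed the logs. All four public paths are
# blocked; the Log Delivery grant above is unaffected.
resource "aws_s3_bucket_public_access_block" "logs" {
  bucket = aws_s3_bucket.logs.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}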
# Principal that aws_s3_bucket_policy.hoge grants read/list access to.
# No identity policy is attached in this configuration; the user's S3
# permissions come entirely from that bucket policy.
# NOTE(review): an IAM user implies long-lived access keys for the consumer;
# check whether an assumable role is viable for "A company" instead.
resource "aws_iam_user" "a" {
  path = "/"
  name = "a"
}
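# The shared bucket. Only the "aaa/bbb/" prefix is exposed to IAM user "a"
# (via aws_s3_bucket_policy.hoge); everything else stays owner-only.
resource "aws_s3_bucket" "hoge" {
  bucket = "hoge.share"
  acl    = "private"

  # Server access logs are delivered to the dedicated log bucket, never to
  # this bucket itself.
  logging {
    target_bucket = aws_s3_bucket.logs.id
    target_prefix = "hoge/"
  }

  # Fix: the log bucket declares SSE-S3 by default but this bucket did not, so
  # the at-rest encryption of shared objects depended on account defaults or
  # caller-supplied headers rather than being declared here. Mirrors the
  # configuration used on aws_s3_bucket.logs.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  tags = {
    Name = "hoge.share"
  }

  # Shared data must survive an accidental `terraform destroy`.
  lifecycle {
    prevent_destroy = true
  }

  # NOTE(review): `acl`, `logging` and `server_side_encryption_configuration`
  # are written inline; AWS provider v4+ deprecates these in favour of separate
  # aws_s3_bucket_* resources. The provider version is not pinned in this file.
}

# Fix: no Block Public Access settings were defined, so a future ACL or policy
# change could have made shared objects public. The bucket policy grants only
# a named IAM user in this account, so block_public_policy does not reject it.
resource "aws_s3_bucket_public_access_block" "hoge" {
  bucket = aws_s3_bucket.hoge.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}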
# Bucket policy for aws_s3_bucket.hoge: IAM user "a" may read objects under
# "aaa/bbb/" and list that prefix, and only from the CIDRs in local.a_ips.
# Both statements are Allows. Nothing here denies anything, so any identity
# policy attached to the user elsewhere is not narrowed by the IP condition.
# NOTE(review): aws:SourceIp is the public source address; requests arriving
# through a VPC endpoint carry aws:VpcSourceIp instead and will not match.
data "aws_iam_policy_document" "hoge" {
  # Object reads, limited to the shared prefix.
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = [join("/", [aws_s3_bucket.hoge.arn, "aaa/bbb/*"])]

    principals {
      type        = "AWS"
      identifiers = [aws_iam_user.a.arn]
    }

    condition {
      test     = "IpAddress"
      variable = "aws:SourceIp"
      values   = local.a_ips
    }
  }

  # Listing, limited to the same prefix. ListBucket is a bucket-level action,
  # so the resource is the bucket ARN and the prefix is enforced through the
  # s3:prefix condition key. A list request that sends no prefix at all does
  # not satisfy StringLike and is therefore not allowed by this statement.
  # The prefix pattern is repeated literally in both statements; keep them in
  # sync if it changes.
  statement {
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.hoge.arn]

    principals {
      type        = "AWS"
      identifiers = [aws_iam_user.a.arn]
    }

    condition {
      test     = "IpAddress"
      variable = "aws:SourceIp"
      values   = local.a_ips
    }

    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["aaa/bbb/*"]
    }
  }
}
# Attaches the rendered policy document to the shared bucket. This is the
# only place in the configuration that grants IAM user "a" any S3 access.
resource "aws_s3_bucket_policy" "hoge" {
  policy = data.aws_iam_policy_document.hoge.json
  bucket = aws_s3_bucket.hoge.id
}