The problem is that we have to attach the policy to the S3 bucket manually; the AWS console tells us so, as shown below.
Currently I have done this:
# Provider requirements; the AWS provider is pinned to one exact release so
# plans are reproducible.
terraform {
  required_providers {
    aws = {
      version = "4.45.0"
      source  = "hashicorp/aws"
    }
  }
}
# Single-region provider configuration. CloudFront is global, but the
# bucket and the provider calls live in us-east-1.
provider "aws" {
  region = "us-east-1"
}
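# The bucket CloudFront reads from. S3 bucket names must be lowercase and
# globally unique, so "Foo" is rejected by S3; it is lowercased here, but
# replace it with a name you own before applying.
resource "aws_s3_bucket" "b" {
  bucket = "foo"
}

# Bucket policy that lets the CloudFront distribution (through its origin
# access control) read objects. This is the policy the CloudFront console
# asks you to attach by hand when an OAC is selected; declaring it here
# removes that manual step.
data "aws_iam_policy_document" "cloudfront_read" {
  statement {
    sid       = "AllowCloudFrontServicePrincipalReadOnly"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.b.arn}/*"]

    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }

    # Scope the service principal to this one distribution. Without the
    # SourceArn condition the statement would accept requests signed on
    # behalf of any CloudFront distribution, including ones in other accounts.
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [aws_cloudfront_distribution.s3_distribution.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "cloudfront_read" {
  bucket = aws_s3_bucket.b.id
  policy = data.aws_iam_policy_document.cloudfront_read.json
}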
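# Object ownership must permit ACLs before aws_s3_bucket_acl can be applied:
# since April 2023 new buckets default to BucketOwnerEnforced (ACLs disabled)
# and applying an ACL then fails with AccessControlListNotSupported.
resource "aws_s3_bucket_ownership_controls" "b" {
  bucket = aws_s3_bucket.b.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

# "private" is the default ACL, so this resource only pins the setting.
# For a bucket read exclusively through CloudFront OAC, the simpler and
# stricter option is object_ownership = "BucketOwnerEnforced" with this
# resource removed, so ACLs cannot be used on the bucket at all.
resource "aws_s3_bucket_acl" "a" {
  depends_on = [aws_s3_bucket_ownership_controls.b]

  bucket = aws_s3_bucket.b.id
  acl    = "private"
}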
# Block every form of public access to the bucket. A bucket policy that
# grants access only to a service principal scoped by a distribution ARN is
# not a public policy, so block_public_policy = true does not reject it.
resource "aws_s3_bucket_public_access_block" "pab" {
  bucket = aws_s3_bucket.b.id

  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}
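# The lifecycle settings carried "make it arg" TODOs; they are now variables
# whose defaults reproduce the original hard-coded values exactly.
variable "lifecycle_rule_id" {
  description = "Identifier of the expiration rule."
  type        = string
  default     = "remove_old_branches"
}

variable "lifecycle_prefix" {
  description = "Key prefix the expiration rule applies to."
  type        = string
  default     = "branch/"
}

variable "lifecycle_expiration_days" {
  description = "Age in days after which matching objects are expired."
  type        = number
  default     = 3

  validation {
    condition     = var.lifecycle_expiration_days >= 1
    error_message = "lifecycle_expiration_days must be a positive number of days."
  }
}

# Expire objects under the prefix after a few days (the rule id and prefix
# suggest per-branch builds that should not accumulate).
resource "aws_s3_bucket_lifecycle_configuration" "l" {
  bucket = aws_s3_bucket.b.id

  rule {
    id     = var.lifecycle_rule_id
    status = "Enabled"

    filter {
      prefix = var.lifecycle_prefix
    }

    expiration {
      days = var.lifecycle_expiration_days
    }
  }
}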
locals {
  # CloudFront-internal identifier that ties the distribution's origin block
  # (origin.origin_id) to default_cache_behavior.target_origin_id. It is not
  # the name of any AWS resource; it is also reused below as the OAC's name.
  origin_id = "cloudfront-s3"
}
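# Public entry point: serves the bucket over HTTPS through the OAC so the
# bucket itself never has to be public.
resource "aws_cloudfront_distribution" "s3_distribution" {
  enabled = true

  origin {
    domain_name              = aws_s3_bucket.b.bucket_regional_domain_name
    origin_id                = local.origin_id
    origin_access_control_id = aws_cloudfront_origin_access_control.oac.id
  }

  default_cache_behavior {
    target_origin_id       = local.origin_id
    viewer_protocol_policy = "redirect-to-https"

    # The origin is a bucket served read-only, so only read methods are
    # exposed. The previous list also allowed DELETE/PATCH/POST/PUT, which
    # let any viewer send write requests to the origin; with signing_behavior
    # = "always" those are signed and forwarded, leaving the bucket policy as
    # the only thing rejecting them.
    allowed_methods = ["GET", "HEAD", "OPTIONS"]
    cached_methods  = ["GET", "HEAD"]

    # forwarded_values is the legacy (deprecated) cache configuration.
    # Moving to cache_policy_id / origin_request_policy_id would replace the
    # TTLs below with the policy's values, so it is kept as-is here.
    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    min_ttl     = 0
    default_ttl = 3600
    max_ttl     = 86400
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  # Default *.cloudfront.net certificate. CloudFront forces the security
  # policy to TLSv1 while this is used; to require a newer minimum protocol
  # (e.g. minimum_protocol_version = "TLSv1.2_2021") an ACM certificate and a
  # custom domain are needed.
  viewer_certificate {
    cloudfront_default_certificate = true
  }
}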
# NOTE(review): this OAC is not referenced by the distribution in this file
# (it uses aws_cloudfront_origin_access_control.oac) and reads like the
# provider documentation example left in place. An unattached OAC grants
# nothing by itself, but it is dead configuration and can be removed.
resource "aws_cloudfront_origin_access_control" "example" {
  name                              = "example"
  description                       = "Example Policy"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}
# Origin access control the distribution uses to sign every request it sends
# to S3 with SigV4. The bucket policy has to grant the cloudfront.amazonaws.com
# service principal access, or the signed requests are still denied.
resource "aws_cloudfront_origin_access_control" "oac" {
  name        = local.origin_id # TODO(Umut)
  description = "OAC for foo"   # TODO(umut)

  origin_access_control_origin_type = "s3"
  signing_protocol                  = "sigv4"
  signing_behavior                  = "always"
}