chore: Updated S3 bucket policy for OAC in the complete example (#105)

remiflament · antonbabenko · web-flow · commit 0f9f60c8948c · 2023-02-03T16:47:59.000+01:00
Co-authored-by: Anton Babenko &lt;anton@antonbabenko.com&gt;
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -290,10 +290,8 @@ module "records" {
   ]
 }
 
-###########################
-# Origin Access Identities
-###########################
 data "aws_iam_policy_document" "s3_policy" {
+  # Origin Access Identities
   statement {
     actions   = ["s3:GetObject"]
     resources = ["${module.s3_one.s3_bucket_arn}/static/*"]
@@ -303,6 +301,23 @@ data "aws_iam_policy_document" "s3_policy" {
       identifiers = module.cloudfront.cloudfront_origin_access_identity_iam_arns
     }
   }
+
+  # Origin Access Controls
+  statement {
+    actions   = ["s3:GetObject"]
+    resources = ["${module.s3_one.s3_bucket_arn}/static/*"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudfront.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceArn"
+      values   = [module.cloudfront.cloudfront_distribution_arn]
+    }
+  }
 }
 
 resource "aws_s3_bucket_policy" "bucket_policy" {
