S3

data "aws_caller_identity" "s3_current" {} resource "aws_kms_key" "s3" { key_usage = "ENCRYPT_DECRYPT" deletion_window_in_days = 7 policy = jsonencode({ Version = "2012-10-17" Id = "key-default-1" Statement = [ { Sid = "Enable IAM User Permissions" Effect = "Allow" Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.s3_current.account_id}:root" }, Action = "kms:*" Resource = "*" } # { # Sid = "AllowCloudFrontServicePrincipalSSE-KMS for home account" # Effect = "Allow" # Principal = { # AWS = "arn:aws:iam::${data.aws_caller_identity.s3_current.account_id}:root" # Service = "cloudfront.amazonaws.com" # }, # Action = ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*"] # Resource = "*" # Condition = { # StringEquals = { # "AWS:SourceArn" = "arn:aws:cloudfront::${data.aws_caller_identity.s3_current.account_id}:distribution/${aws_cloudfront_distribution.cf.id}" # } # } # } ] }) tags = { Name = "s3-kms" } } resource "aws_kms_alias" "s3" { target_key_id = aws_kms_key.s3.key_id name = "alias/s3-kms" } resource "aws_s3_bucket" "s3" { bucket = "apne2-wsi-static-117" server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { kms_master_key_id = aws_kms_key.s3.arn sse_algorithm = "aws:kms" } } } tags = { Name = "apne2-wsi-static-117" } } resource "aws_s3_bucket_object" "static_folder" { bucket = aws_s3_bucket.s3.bucket key = "static/" } resource "aws_s3_object" "static" { bucket = aws_s3_bucket.s3.id key = "/static/index.html" source = "./src/index.html" etag = filemd5("./src/index.html") content_type = "text/html" } output "s3" { value = aws_s3_bucket.s3.id }