From 1dc470898cbf7f2302567f21811ddfdd6bac8b14 Mon Sep 17 00:00:00 2001
From: Dan Miller
Date: Wed, 26 Jul 2023 18:07:40 -0700
Subject: [PATCH] allow public accessible policy (#288)

Co-authored-by: Andriy Knysh
---
 main.tf | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/main.tf b/main.tf
index 63850352..7ba9c1e3 100644
--- a/main.tf
+++ b/main.tf
@@ -305,12 +305,17 @@ resource "aws_s3_bucket" "origin" {
 }
 
 resource "aws_s3_bucket_public_access_block" "origin" {
-  count = (local.create_s3_origin_bucket || local.override_origin_bucket_policy) ? 1 : 0
-  bucket = local.bucket
-  block_public_acls = true
+  count = (local.create_s3_origin_bucket || local.override_origin_bucket_policy) ? 1 : 0
+
+  bucket = local.bucket
+
+  # Allows the bucket to be publicly accessible by policy
   block_public_policy = var.block_origin_public_access_enabled
-  ignore_public_acls = true
-  restrict_public_buckets = true
+  restrict_public_buckets = var.block_origin_public_access_enabled
+
+  # Always block ACL access. We're using policies instead
+  block_public_acls = true
+  ignore_public_acls = true
 }
 
 resource "aws_s3_bucket_ownership_controls" "origin" {
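Review bot: The comment `# Allows the bucket to be publicly accessible by policy` above `block_public_policy` is misleading whenever `var.block_origin_public_access_enabled` is true (its default is not visible in this patch; I would expect it to stay true so existing deployments are not silently relaxed), since both settings then keep blocking public policies as before; a more accurate wording is `# When var.block_origin_public_access_enabled is false, a bucket policy may grant public access; ACL-based public access is always blocked below`. Two caveats belong next to these lines: an account-level S3 Block Public Access configuration overrides bucket-level values, so setting these to false has no effect in accounts that enforce it, and once they are false any principal with s3:PutBucketPolicy can expose the bucket, so the module's origin bucket policy (outside this hunk) should be the only place public statements are introduced. Ordering also matters on a fresh bucket: PutBucketPolicy rejects a policy with a public statement until this resource has applied `block_public_policy = false`, so the aws_s3_bucket_policy for the origin presumably needs `depends_on = [aws_s3_bucket_public_access_block.origin]` — worth confirming if it does not already.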