From 239f4eade835b36209ca53f2e57a06199ed02ae9 Mon Sep 17 00:00:00 2001 From: Jeremy White Date: Mon, 10 Jun 2024 15:20:29 -0400 Subject: [PATCH] fix: private policies cannot use wildcard principal (#311) * fix(s3_website_origin/principals): adjust for private buckets * fix(dns/zone_id): should be null if not specified * chore(README,docs): updated * fix(s3_website_origin): purge empty strings --- README.md | 8 ++++---- docs/terraform.md | 2 +- main.tf | 2 +- variables.tf | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 5d372b53..64be5520 100644 --- a/README.md +++ b/README.md @@ -531,7 +531,7 @@ Available targets: | [origin\_shield\_enabled](#input\_origin\_shield\_enabled) | If enabled, origin shield will be enabled for the default origin | `bool` | `false` | no | | [origin\_ssl\_protocols](#input\_origin\_ssl\_protocols) | The SSL/TLS protocols that you want CloudFront to use when communicating with your origin over HTTPS. | `list(string)` |
[
"TLSv1",
"TLSv1.1",
"TLSv1.2"
]
| no | | [override\_origin\_bucket\_policy](#input\_override\_origin\_bucket\_policy) | When using an existing origin bucket (through var.origin\_bucket), setting this to 'false' will make it so the existing bucket policy will not be overriden | `bool` | `true` | no | -| [parent\_zone\_id](#input\_parent\_zone\_id) | ID of the hosted zone to contain this record (or specify `parent_zone_name`). Requires `dns_alias_enabled` set to true | `string` | `""` | no | +| [parent\_zone\_id](#input\_parent\_zone\_id) | ID of the hosted zone to contain this record (or specify `parent_zone_name`). Requires `dns_alias_enabled` set to true | `string` | `null` | no | | [parent\_zone\_name](#input\_parent\_zone\_name) | Name of the hosted zone to contain this record (or specify `parent_zone_id`). Requires `dns_alias_enabled` set to true | `string` | `""` | no | | [price\_class](#input\_price\_class) | Price class for this distribution: `PriceClass_All`, `PriceClass_200`, `PriceClass_100` | `string` | `"PriceClass_100"` | no | | [query\_string\_cache\_keys](#input\_query\_string\_cache\_keys) | When `forward_query_string` is enabled, only the query string keys listed in this argument are cached (incompatible with `cache_policy_id`) | `list(string)` | `[]` | no | @@ -594,9 +594,9 @@ Check out these related projects. > > Use Cloud Posse's ready-to-go [terraform architecture blueprints](https://cloudposse.com/reference-architecture/) for AWS to get up and running quickly. > -> ✅ We build it with you.
-> ✅ You own everything.
-> ✅ Your team wins.
+> ✅ We build it together with your team.
+> ✅ Your team owns everything.
+> ✅ 100% Open Source and backed by fanatical support.
> > Request Quote >
📚 Learn More diff --git a/docs/terraform.md b/docs/terraform.md index 348617a3..9364f17a 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -137,7 +137,7 @@ | [origin\_shield\_enabled](#input\_origin\_shield\_enabled) | If enabled, origin shield will be enabled for the default origin | `bool` | `false` | no | | [origin\_ssl\_protocols](#input\_origin\_ssl\_protocols) | The SSL/TLS protocols that you want CloudFront to use when communicating with your origin over HTTPS. | `list(string)` |
[
"TLSv1",
"TLSv1.1",
"TLSv1.2"
]
| no | | [override\_origin\_bucket\_policy](#input\_override\_origin\_bucket\_policy) | When using an existing origin bucket (through var.origin\_bucket), setting this to 'false' will make it so the existing bucket policy will not be overriden | `bool` | `true` | no | -| [parent\_zone\_id](#input\_parent\_zone\_id) | ID of the hosted zone to contain this record (or specify `parent_zone_name`). Requires `dns_alias_enabled` set to true | `string` | `""` | no | +| [parent\_zone\_id](#input\_parent\_zone\_id) | ID of the hosted zone to contain this record (or specify `parent_zone_name`). Requires `dns_alias_enabled` set to true | `string` | `null` | no | | [parent\_zone\_name](#input\_parent\_zone\_name) | Name of the hosted zone to contain this record (or specify `parent_zone_id`). Requires `dns_alias_enabled` set to true | `string` | `""` | no | | [price\_class](#input\_price\_class) | Price class for this distribution: `PriceClass_All`, `PriceClass_200`, `PriceClass_100` | `string` | `"PriceClass_100"` | no | | [query\_string\_cache\_keys](#input\_query\_string\_cache\_keys) | When `forward_query_string` is enabled, only the query string keys listed in this argument are cached (incompatible with `cache_policy_id`) | `list(string)` | `[]` | no | diff --git a/main.tf b/main.tf index 68497c19..6a19d75d 100644 --- a/main.tf +++ b/main.tf @@ -168,7 +168,7 @@ data "aws_iam_policy_document" "s3_website_origin" { principals { type = "AWS" - identifiers = ["*"] + identifiers = var.block_origin_public_access_enabled ? compact(flatten([aws_cloudfront_origin_access_identity.default[*].iam_arn, [var.cloudfront_origin_access_identity_iam_arn]])) : ["*"] } dynamic "condition" { for_each = local.website_password_enabled ? ["password"] : [] diff --git a/variables.tf b/variables.tf index 7b631987..a19d3182 100644 --- a/variables.tf +++ b/variables.tf 
@@ -271,7 +271,7 @@ variable "geo_restriction_locations" { variable "parent_zone_id" { type = string - default = "" + default = null description = "ID of the hosted zone to contain this record (or specify `parent_zone_name`). Requires `dns_alias_enabled` set to true" }
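Review bot: in the main.tf hunk, the new `identifiers` expression can evaluate to an empty list when `var.block_origin_public_access_enabled` is true but `aws_cloudfront_origin_access_identity.default` has count 0 and `var.cloudfront_origin_access_identity_iam_arn` is unset, because `compact()` strips the empty string and the splat contributes nothing; a `principals` block with zero identifiers produces a policy that is rejected at apply time rather than at plan time. Consider pulling the expression into a local (it is also hard to read inline) and adding a `lifecycle { precondition { ... } }` or a variable `validation` that requires at least one OAI ARN whenever public access is blocked, so the failure surfaces as a clear plan-time error. It is also worth stating in the PR description how this interacts with the document's name, `s3_website_origin`: the policy should only be scoped to an OAI principal for an origin that actually honours OAI, otherwise blocking public access silently breaks the origin instead of securing it.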
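Review bot: changing the `parent_zone_id` default from `""` to `null` in the variables.tf hunk alters the value every consumer sees, but the hunk does not show the consumer; any existing `var.parent_zone_id == ""`, `length(var.parent_zone_id) > 0` or `coalesce(var.parent_zone_id, ...)` in main.tf will now behave differently (a `null` compared to `""` is simply `false`, and `length(null)` is an error). Please confirm the zone lookup was updated to test `!= null` (or `try()`), and note in the commit body that callers who explicitly pass `""` to mean "unset" may now get a different result. The README and docs/terraform.md hunks also leave the sibling input `parent_zone_name` at default `""`, so the two "specify one or the other" inputs now use different unset sentinels; either align `parent_zone_name` to `null` as well or document why one is a nullable string and the other is not.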