代码之家  ›  专栏  ›  技术社区  ›  ElmoVanKielmo

使用TerraForm为Django静态文件配置AWS S3 bucket

terraform-provider-aws static-files django-staticfiles terraform amazon-s3
  •  1
  • ElmoVanKielmo  · 技术社区  · 6 年前

    我是土生土长的新手。

    我正在尝试配置s3 bucket来服务django静态文件。
    对于这些静态文件的HTTP GET请求,应该有不受限制的访问权限,但也应该有AWS用户-Django将使用此用户帐户将更新的静态文件上载到S3 bucket。

    我写的是: 

    resource "aws_iam_user" "integrations_lite_staticfiles_s3_bucket_user" {
  name = "Integrations-Lite-staticfiles-user"
}

resource "aws_iam_access_key" "integrations_lite_staticfiles_s3_bucket_user_key" {
  user = "${aws_iam_user.integrations_lite_staticfiles_s3_bucket_user.name}"
}

data "aws_iam_policy_document" "integrations_lite_staticfiles_s3_user_policy" {
  statement {
    effect = "Allow"
    actions = ["s3:*"]
    resources = ["${aws_s3_bucket.integrations_lite_staticfiles_s3_bucket.arn}"]
  }
}

resource "aws_iam_user_policy" "integrations_lite_staticfiles_s3_user_policy" {
  name = "Integrations-Lite-staticfiles-user-policy"
  user = "${aws_iam_user.integrations_lite_staticfiles_s3_bucket_user.name}"
  policy = "${data.aws_iam_policy_document.integrations_lite_staticfiles_s3_user_policy.json}"
}

data "aws_iam_policy_document" "integrations_lite_staticfiles_s3_bucket_policy" {
  "statement" {
    sid = "PublicReadForGetBucketObjects"
    effect = "Allow"
    actions = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.integrations_lite_staticfiles_s3_bucket.arn}"]
    principals {
      identifiers = ["*"]
      type = "AWS"
    }
  }
}

resource "aws_s3_bucket_policy" "integrations_lite_staticfiles_s3_bucket_policy" {
  bucket = "${aws_s3_bucket.integrations_lite_staticfiles_s3_bucket.id}"
  policy = "${data.aws_iam_policy_document.integrations_lite_staticfiles_s3_user_policy.json}"
}

resource "aws_s3_bucket" "integrations_lite_staticfiles_s3_bucket" {
  region = "${var.region}"
  bucket = "integrations-lite-staticfiles"
  acl = "public-read"
  cors_rule {
    allowed_headers = ["*"]
    allowed_methods = ["PUT","POST"]
    allowed_origins = ["*"]
    expose_headers = ["ETag"]
    max_age_seconds = 3000
  }
  website {
    index_document = "index.html"
  }
}

    但是 terraform apply 结果: 

    * aws_s3_bucket_policy.integrations_lite_staticfiles_s3_bucket_policy: 1 error(s) occurred:

* aws_s3_bucket_policy.integrations_lite_staticfiles_s3_bucket_policy: Error putting S3 policy: MalformedPolicy: Missing required field Principal
    status code: 400, request id: 724BC650DFFCE3B7, host id: ####

    但是添加 principals aws_s3_bucket_policy.integrations_lite_staticfiles_s3_bucket_policy 结果: 

    Error: aws_s3_bucket_policy.integrations_lite_staticfiles_s3_bucket_policy: : invalid or unknown key: principals
    1 回复  |  直到 6 年前
        1
  •  1
  •   ElmoVanKielmo    6 年前

    我找到了一个解决方案: 

    resource "aws_iam_group" "manage-integrations-lite-staticfiles-s3-bucket" {
  name = "Manage-Integrations-Lite-static-files"
}

resource "aws_iam_user" "manage-integrations-lite-staticfiles-s3-bucket" {
  name = "Manage-Integrations-Lite-static-files"
}

resource "aws_iam_group_membership" "manage-integrations-lite-staticfiles-s3-bucket" {
  group = "${aws_iam_group.manage-integrations-lite-staticfiles-s3-bucket.name}"
  name = "Manage-Integrations-Lite-static-files"
  users = ["${aws_iam_user.manage-integrations-lite-staticfiles-s3-bucket.name}"]
}

resource "aws_iam_group_policy" "manage-integrations-lite-staticfiles-s3-bucket" {
  group = "${aws_iam_group.manage-integrations-lite-staticfiles-s3-bucket.name}"
  policy =<<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageIntegrationsLiteStaticfilesBucket",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
          "arn:aws:s3:::integrations-lite-staticfiles",
          "arn:aws:s3:::integrations-lite-staticfiles/*"
      ]
    }
  ]
}
POLICY
}

resource "aws_s3_bucket" "integrations-lite-staticfiles-s3-bucket" {
  region = "${var.region}"
  bucket = "integrations-lite-staticfiles"
  acl = "public-read"
  cors_rule {
    allowed_headers = ["*"]
    allowed_methods = ["GET", "HEAD"]
    allowed_origins = ["*"]
    expose_headers = ["ETag"]
    max_age_seconds = 3000
  }
  website {
    index_document = "index.html"
  }
  policy =<<POLICY
{
  "Version":"2012-10-17",
  "Statement":[{
    "Sid":"PublicReadGetObject",
    "Effect":"Allow",
    "Principal": "*",
    "Action":["s3:GetObject"],
    "Resource":[
      "arn:aws:s3:::integrations-lite-staticfiles",
      "arn:aws:s3:::integrations-lite-staticfiles/*"
    ]
  }]
}
POLICY
}

    注意:我故意删除了API关键部分。我更喜欢通过AWS控制台手动生成密钥ID和秘密。

    推荐文章
    Anna Berezko  ·  AWS匹配不支持的TLD域名和S3 bucket静态网站
    1 年前
    renzCNFT  ·  与s3相比,workdocs有什么优势
    2 年前
    Hasham  ·  如何将多个本地文件上载到s3中的一个文件
    2 年前
    sebas flores  ·  S3 URL-使用python下载
    2 年前
    Jawwad Hussain  ·  带s3 amazaon的玛雅edms
    2 年前
    sklal  ·  在Python中从S3存储桶读取xml文件——只存储最后一个文件的内容
    2 年前
    Tobitor  ·  S3:无效的bucket name-bucket name必须与正则表达式匹配
    2 年前
    geo909  ·  AWS Athena:具有非标准文件结构的S3存储桶分区表
    2 年前
    DEB  ·  上传焦油。gz文件到S3 Bucket,使用Bot3和Python
    2 年前
    omid  ·  下一个js-导出站点的目录结构
    2 年前
    关于   移动版
    代码之家 - 一站式码农服务社区
    沪ICP备11025650号