How do I connect Cloudfront to a private s3 bucket with terraform?

Question

So I'm 90 percent there, but it appears that cloudfront is getting 500 errors from s3? I'm sure I'm just doing something wrong. I've read the various amazon documentation, but to me it seems so vague as to perhaps be useless.

resource "aws_s3_bucket" "Artifacts" {
    bucket = "my.domain.tld"
    acl    = "private"
    versioning {
        enabled = true
    }
}

module "BucketPolicy" {
    source = "../modules/S3CloudFrontBucketPolicy"
    bucket_id = "${aws_s3_bucket.Artifacts.id}"
    arn = "${aws_s3_bucket.Artifacts.arn}"
    principal = "${module.ArtifactsCloudfront.oai_principal}"
}

module "ArtifactsCloudfront" {
    source = "../modules/CloudFrontS3"
    zone_id = "${aws_route53_zone.Primary.id}"
    root = "/"
    origin_fqdn = "${aws_s3_bucket.Artifacts.bucket_domain_name}"
    user_fqdn = "${aws_s3_bucket.Artifacts.bucket}"
}

CloudFrontS3

variable "user_fqdn" {}
variable "origin_fqdn" {}
variable "zone_id" {}
variable "root" {}

output "oai_principal" {
    value = "${aws_cloudfront_origin_access_identity.OAI.iam_arn}"
}

resource "aws_acm_certificate" "Cert" {
    domain_name = "${var.user_fqdn}"
    validation_method = "DNS"
    tags {
        env = "${terraform.env}"
    }
}

resource "aws_route53_record" "ValidationDNS" {
    name = "${aws_acm_certificate.Cert.domain_validation_options.0.resource_record_name}"
    type = "${aws_acm_certificate.Cert.domain_validation_options.0.resource_record_type}"
    zone_id = "${var.zone_id}"
    records = ["${aws_acm_certificate.Cert.domain_validation_options.0.resource_record_value}"]
    ttl = 60
}

resource "aws_acm_certificate_validation" "CertValidation" {
    certificate_arn = "${aws_acm_certificate.Cert.arn}"
    validation_record_fqdns = ["${aws_route53_record.ValidationDNS.fqdn}"]
}

resource "aws_route53_record" "DomainName" {
    zone_id = "${var.zone_id}"
    name = "${var.user_fqdn}"
    type = "CNAME"
    ttl = "300"
    records = [
        "${aws_cloudfront_distribution.Distribution.domain_name}"]
}

resource "aws_cloudfront_origin_access_identity" "OAI" {
}

resource "aws_cloudfront_distribution" "Distribution" {
    aliases = ["${var.user_fqdn}"]
    origin {
        domain_name = "${var.origin_fqdn}"
        origin_id = "${var.origin_fqdn}"

        s3_origin_config {
            origin_access_identity = "${aws_cloudfront_origin_access_identity.OAI.cloudfront_access_identity_path}"
        }
    }

    enabled = true
    is_ipv6_enabled = true
    default_root_object = "${var.root}"

    default_cache_behavior {
        allowed_methods = [
            "GET",
            "HEAD",
            "OPTIONS"]
        cached_methods = [
            "GET",
            "HEAD",
            "OPTIONS"]

        forwarded_values {
            cookies {
                forward = "none"
            }

            query_string = true
        }
        default_ttl = 3600
        max_ttl = 86400
        min_ttl = 60
        target_origin_id = "${var.origin_fqdn}"
        viewer_protocol_policy = "https-only"
        compress = true
    }

    price_class = "PriceClass_100"

    restrictions {
        geo_restriction {
            restriction_type = "whitelist"
            locations = ["US"]
        }
    }

    viewer_certificate {
        acm_certificate_arn = "${aws_acm_certificate_validation.CertValidation.certificate_arn}"
        ssl_support_method = "sni-only"
        minimum_protocol_version = "TLSv1.1_2016"
    }
    tags {
        env = "${terraform.env}"
    }
}

S3CloudFrontBucketPolicy

variable "principal" {}
variable "arn" {}
variable "bucket_id" {}

resource "aws_s3_bucket_policy" "Policy" {
    bucket = "${var.bucket_id}"
    policy = "${data.template_file.Policy.rendered}"
}

data "template_file" "Policy" {
    vars {
        arn = "${var.arn}"
        oai = "${var.principal}"
    }
    template = <<POLICY
{
  "Id": "Policy1520441044381",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1520439447147",
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": "$${arn}/*",
      "Principal": {
        "AWS": [
          "$${oai}"
        ]
      }
    }
  ]
}
POLICY
}

however when I try to actually download something I get

The request could not be satisfied. CloudFront is currently experiencing problems with requesting objects from Amazon S3.

what am I doing wrong? what do I need to fix?

score 1 · Answer 1 · answered Apr 09 '18 at 20:09

This is what I have in my policy:

data "aws_iam_policy_document" "s3_policy" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.current.arn}/*"]

    principals {
      type        = "AWS"
      identifiers = ["${var.origin_access_identity_arn}"]
    }
  }

  statement {
    actions   = ["s3:ListBucket"]
    resources = ["${aws_s3_bucket.current.arn}"]

    principals {
      type        = "AWS"
      identifiers = ["${var.origin_access_identity_arn}"]
    }
  }
}

How do I connect Cloudfront to a private s3 bucket with terraform?

1 Answers1