
Configuring an AWS S3 bucket for Django static files with Terraform

Stack Overflow user
Asked on 2018-05-22 05:06:32
Answers: 1   Views: 784   Followers: 0   Score: 2

I am very new to Terraform.

I am trying to configure an S3 bucket to serve Django static files.

HTTP requests for these static files should have unrestricted access, but there should also be an AWS user -- Django will use this user account to upload updated static files to the S3 bucket.

I wrote this:

resource "aws_iam_user" "integrations_lite_staticfiles_s3_bucket_user" {
  name = "Integrations-Lite-staticfiles-user"
}

resource "aws_iam_access_key" "integrations_lite_staticfiles_s3_bucket_user_key" {
  user = "${aws_iam_user.integrations_lite_staticfiles_s3_bucket_user.name}"
}

data "aws_iam_policy_document" "integrations_lite_staticfiles_s3_user_policy" {
  statement {
    effect = "Allow"
    actions = ["s3:*"]
    resources = ["${aws_s3_bucket.integrations_lite_staticfiles_s3_bucket.arn}"]
  }
}

resource "aws_iam_user_policy" "integrations_lite_staticfiles_s3_user_policy" {
  name = "Integrations-Lite-staticfiles-user-policy"
  user = "${aws_iam_user.integrations_lite_staticfiles_s3_bucket_user.name}"
  policy = "${data.aws_iam_policy_document.integrations_lite_staticfiles_s3_user_policy.json}"
}

data "aws_iam_policy_document" "integrations_lite_staticfiles_s3_bucket_policy" {
  "statement" {
    sid = "PublicReadForGetBucketObjects"
    effect = "Allow"
    actions = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.integrations_lite_staticfiles_s3_bucket.arn}"]
    principals {
      identifiers = ["*"]
      type = "AWS"
    }
  }
}

resource "aws_s3_bucket_policy" "integrations_lite_staticfiles_s3_bucket_policy" {
  bucket = "${aws_s3_bucket.integrations_lite_staticfiles_s3_bucket.id}"
  policy = "${data.aws_iam_policy_document.integrations_lite_staticfiles_s3_user_policy.json}"
}

resource "aws_s3_bucket" "integrations_lite_staticfiles_s3_bucket" {
  region = "${var.region}"
  bucket = "integrations-lite-staticfiles"
  acl = "public-read"
  cors_rule {
    allowed_headers = ["*"]
    allowed_methods = ["PUT","POST"]
    allowed_origins = ["*"]
    expose_headers = ["ETag"]
    max_age_seconds = 3000
  }
  website {
    index_document = "index.html"
  }
}

But `terraform apply` results in:

* aws_s3_bucket_policy.integrations_lite_staticfiles_s3_bucket_policy: 1 error(s) occurred:

* aws_s3_bucket_policy.integrations_lite_staticfiles_s3_bucket_policy: Error putting S3 policy: MalformedPolicy: Missing required field Principal
    status code: 400, request id: 724BC650DFFCE3B7, host id: ####

However, adding `principals` to aws_s3_bucket_policy.integrations_lite_staticfiles_s3_bucket_policy produces the following:

Error: aws_s3_bucket_policy.integrations_lite_staticfiles_s3_bucket_policy: : invalid or unknown key: principals

1 Answer

Stack Overflow user

Accepted answer

Posted on 2018-05-22 08:02:15

I found a solution:

resource "aws_iam_group" "manage-integrations-lite-staticfiles-s3-bucket" {
  name = "Manage-Integrations-Lite-static-files"
}

resource "aws_iam_user" "manage-integrations-lite-staticfiles-s3-bucket" {
  name = "Manage-Integrations-Lite-static-files"
}

resource "aws_iam_group_membership" "manage-integrations-lite-staticfiles-s3-bucket" {
  group = "${aws_iam_group.manage-integrations-lite-staticfiles-s3-bucket.name}"
  name = "Manage-Integrations-Lite-static-files"
  users = ["${aws_iam_user.manage-integrations-lite-staticfiles-s3-bucket.name}"]
}

resource "aws_iam_group_policy" "manage-integrations-lite-staticfiles-s3-bucket" {
  group = "${aws_iam_group.manage-integrations-lite-staticfiles-s3-bucket.name}"
  policy =<<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageIntegrationsLiteStaticfilesBucket",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
          "arn:aws:s3:::integrations-lite-staticfiles",
          "arn:aws:s3:::integrations-lite-staticfiles/*"
      ]
    }
  ]
}
POLICY
}

resource "aws_s3_bucket" "integrations-lite-staticfiles-s3-bucket" {
  region = "${var.region}"
  bucket = "integrations-lite-staticfiles"
  acl = "public-read"
  cors_rule {
    allowed_headers = ["*"]
    allowed_methods = ["GET", "HEAD"]
    allowed_origins = ["*"]
    expose_headers = ["ETag"]
    max_age_seconds = 3000
  }
  website {
    index_document = "index.html"
  }
  policy =<<POLICY
{
  "Version":"2012-10-17",
  "Statement":[{
    "Sid":"PublicReadGetObject",
    "Effect":"Allow",
    "Principal": "*",
    "Action":["s3:GetObject"],
    "Resource":[
      "arn:aws:s3:::integrations-lite-staticfiles",
      "arn:aws:s3:::integrations-lite-staticfiles/*"
    ]
  }]
}
POLICY
}

Note: I deliberately left out the API key part. I prefer to generate the key ID and secret manually through the AWS console.

Score: 1
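The original error comes from two wiring mistakes in the question's configuration: the `aws_s3_bucket_policy` resource was handed the JSON of the IAM *user* policy document (which, as an identity policy, has no Principal, so S3 rejects it with MalformedPolicy), and `principals` is a block inside `statement` of `aws_iam_policy_document`, not an attribute of `aws_s3_bucket_policy`. The following is an added example, not code from the question, the accepted answer or any project, showing the same setup with those references corrected and with the upload user limited to the actions Django's static-file upload actually needs instead of `s3:*`. It assumes Terraform 0.12+ syntax and AWS provider 4.0+, where CORS, public-access and policy settings live in their own resources; the bucket name is taken from the page and every other resource name is a placeholder.

```hcl
# Added example (not from the original question or answer). Assumes Terraform >= 0.12
# and AWS provider >= 4.0. Resource names are placeholders; only the bucket name
# comes from the page.

variable "bucket_name" {
  default = "integrations-lite-staticfiles" # from the page; use your own name
}

resource "aws_s3_bucket" "staticfiles" {
  bucket = var.bucket_name
}

# Public reads are granted by the bucket policy below, so object ACLs are not
# needed: block ACLs, but explicitly allow a public *policy* (AWS blocks all
# public access by default on new buckets).
resource "aws_s3_bucket_public_access_block" "staticfiles" {
  bucket                  = aws_s3_bucket.staticfiles.id
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = false
  restrict_public_buckets = false
}

# Browsers only read static files; PUT/POST from arbitrary origins is not needed.
resource "aws_s3_bucket_cors_configuration" "staticfiles" {
  bucket = aws_s3_bucket.staticfiles.id
  cors_rule {
    allowed_headers = ["*"]
    allowed_methods = ["GET", "HEAD"]
    allowed_origins = ["*"]
    expose_headers  = ["ETag"]
    max_age_seconds = 3000
  }
}

# Anonymous read of objects only. "principals" lives inside "statement", and
# s3:GetObject matches object ARNs, so the resource is "<bucket-arn>/*".
data "aws_iam_policy_document" "public_read" {
  statement {
    sid       = "PublicReadForGetBucketObjects"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.staticfiles.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}

resource "aws_s3_bucket_policy" "public_read" {
  bucket = aws_s3_bucket.staticfiles.id
  # Reference the bucket policy document, not the IAM user document.
  policy     = data.aws_iam_policy_document.public_read.json
  depends_on = [aws_s3_bucket_public_access_block.staticfiles]
}

# The deploy user Django uses to upload static files: list the bucket and
# write, replace or delete objects. No s3:* and no policy or ACL changes.
resource "aws_iam_user" "staticfiles_deployer" {
  name = "integrations-lite-staticfiles-deployer"
}

data "aws_iam_policy_document" "deployer" {
  statement {
    sid       = "ListBucket"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.staticfiles.arn]
  }
  statement {
    sid       = "ManageObjects"
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["${aws_s3_bucket.staticfiles.arn}/*"]
  }
}

resource "aws_iam_user_policy" "deployer" {
  name   = "integrations-lite-staticfiles-deployer"
  user   = aws_iam_user.staticfiles_deployer.name
  policy = data.aws_iam_policy_document.deployer.json
}
```

Two design points worth noting. Bucket-level actions (`s3:ListBucket`) and object-level actions (`s3:GetObject`, `s3:PutObject`, `s3:DeleteObject`) match different ARNs, which is why the deployer document has two statements rather than one `s3:*` over the bucket ARN alone, which would not have matched any object. And the public-access block is kept in place with only the policy setting relaxed, so a later mistake in an object ACL cannot widen access beyond what the bucket policy states; `terraform plan` will show the rendered policy JSON, so the Principal and the `/*` resource suffix can be checked before anything is applied.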
Original page content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://stackoverflow.com/questions/50460152
