Merge pull request #2 from jakobpin/master

Replace S3 API with Website endpoints to fix access denied redirect

Author: cloudmaniac

main.tf

@@ -138,11 +138,6 @@ resource "aws_s3_bucket" "website_redirect" {
 }
 
 ## CloudFront
-# Creates an Amazon CloudFront origin access identity (will be used in the distribution origin configuration)
-resource "aws_cloudfront_origin_access_identity" "origin_access_identity_website" {
-  comment = "CloudfrontOriginAccessIdentity - ${var.website-domain-main}"
-}
-
 # Creates the CloudFront distribution to serve the static website
 resource "aws_cloudfront_distribution" "website_cdn_root" {
   enabled     = true
@@ -151,10 +146,13 @@ resource "aws_cloudfront_distribution" "website_cdn_root" {
 
   origin {
     origin_id   = "origin-bucket-${aws_s3_bucket.website_root.id}"
-    domain_name = aws_s3_bucket.website_root.bucket_regional_domain_name
+    domain_name = aws_s3_bucket.website_root.website_endpoint
 
-    s3_origin_config {
-      origin_access_identity = aws_cloudfront_origin_access_identity.origin_access_identity_website.cloudfront_access_identity_path
+    custom_origin_config {
+      origin_protocol_policy = "http-only"
+      http_port              = 80
+      https_port             = 443
+      origin_ssl_protocols   = ["TLSv1.2", "TLSv1.1", "TLSv1"]
     }
   }
 
@@ -234,24 +232,21 @@ resource "aws_route53_record" "website_cdn_root_record" {
 }
 
 
-# Creates policy to limit access to the S3 bucket to CloudFront Origin
+# Creates policy to allow public access to the S3 bucket
 resource "aws_s3_bucket_policy" "update_website_root_bucket_policy" {
   bucket = aws_s3_bucket.website_root.id
 
   policy = <<POLICY
 {
-  "Version": "2008-10-17",
-  "Id": "PolicyForCloudFrontPrivateContent",
+  "Version": "2012-10-17",
+  "Id": "PolicyForWebsiteEndpointsPublicContent",
   "Statement": [
     {
-      "Sid": "AllowCloudFrontOriginAccess",
+      "Sid": "PublicRead",
       "Effect": "Allow",
-      "Principal": {
-        "AWS": "${aws_cloudfront_origin_access_identity.origin_access_identity_website.iam_arn}"
-      },
+      "Principal": "*",
       "Action": [
-        "s3:GetObject",
-        "s3:ListBucket"
+        "s3:GetObject"
       ],
       "Resource": [
         "${aws_s3_bucket.website_root.arn}/*",
@@ -276,9 +271,7 @@ resource "aws_cloudfront_distribution" "website_cdn_redirect" {
     custom_origin_config {
       http_port                = 80
       https_port               = 443
-      origin_keepalive_timeout = 5
       origin_protocol_policy   = "http-only"
-      origin_read_timeout      = 30
       origin_ssl_protocols     = ["TLSv1", "TLSv1.1", "TLSv1.2"]
       }
     }