我有一个 Hugo 网站,我正在尝试将其部署到 S3,并使用 Cloudfront 发行版。我正在使用 Terraform 进行配置。到目前为止,这就是我所拥有的(我排除了证书/域部分,它们有效):
s3.tf:
resource "aws_s3_bucket" "my_site_bucket" {
bucket = var.domain_name
tags = local.storage_tags
}
data "aws_iam_policy_document" "s3_bucket_policy" {
statement {
sid = "1"
actions = [
"s3:GetObject",
]
resources = [
"arn:aws:s3:::${var.domain_name}/*",
]
principals {
type = "AWS"
identifiers = [
aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn,
]
}
}
}
resource "aws_s3_bucket_policy" "s3_bucket_policy" {
bucket = aws_s3_bucket.my_site_bucket.id
policy = data.aws_iam_policy_document.s3_bucket_policy.json
}
cloudfront.tf:
resource "aws_cloudfront_distribution" "my_cloudfront" {
depends_on = [
aws_s3_bucket.my_site_bucket
]
origin {
domain_name = aws_s3_bucket.my_site_bucket.bucket_regional_domain_name
origin_id = "s3-cloudfront"
s3_origin_config {
origin_access_identity = aws_cloudfront_origin_access_identity.origin_access_identity.cloudfront_access_identity_path
}
}
enabled = true
is_ipv6_enabled = true
default_root_object = "index.html"
aliases = [var.domain_name]
restrictions {
geo_restriction {
restriction_type = "none"
}
}
default_cache_behavior {
allowed_methods = ["GET", "HEAD"]
cached_methods = ["GET", "HEAD"]
target_origin_id = "s3-cloudfront"
forwarded_values {
query_string = false
cookies {
forward = "none"
}
}
viewer_protocol_policy = "redirect-to-https"
min_ttl = 0
default_ttl = 3600
max_ttl = 86400
}
price_class = "PriceClass_200"
viewer_certificate {
cloudfront_default_certificate = true
acm_certificate_arn = aws_acm_certificate.my_site.arn
ssl_support_method = "sni-only"
minimum_protocol_version = "TLSv1"
}
tags = local.cdn_tags
}
resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {
comment = "access-identity-${var.domain_name}.s3.amazonaws.com"
}
当我使用此配置部署我的hugo 网站时,它“有点有效”。根 URL
fancydomain.com
有效,并且根 index.html
在浏览器中呈现。但是,当我单击某个链接(例如 fancydomain.com/blog/post-1
)时,我收到关键错误、访问被拒绝消息。当我输入 url fancydomain.com/blog/post-1/index.html
时,页面会按预期显示。我研究过这个问题,之前已经提到过很多次了。我尝试了所有能找到的答案的可能组合,但从未成功。
我理解错误:cloudfront 正在尝试使用特定密钥访问文件,例如:s3://fancydomain.com/blog/post-1
,但它不存在。 s3://fancydomain.com/blog/post-1/index.html
确实存在。
我不知道如何修复我的 terraform 配置。请问您能帮忙吗?
您必须添加
resource "aws_s3_bucket_public_access_block" "bucket_restriction" {
bucket = var.your_bucket_information.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
depends_on = [
aws_s3_bucket_policy.web_distribution
]
}
这就是我们如何创建限制以避免使用 S3 生成的 URL 进行访问。