From 377dfa5c81b4f89fb30ee215d646f27c3597c637 Mon Sep 17 00:00:00 2001
From: Erik Stambaugh
Date: Sat, 10 Feb 2024 11:20:43 -0800
Subject: [PATCH] Fix S3 bucket ACL so masto can actually post media to it

---
 terraform/outputs.tf | 2 +-
 terraform/s3.tf | 35 +++++++++++++++++++++++++++--------
 2 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/terraform/outputs.tf b/terraform/outputs.tf
index 7767ea6..e27d5ae 100644
--- a/terraform/outputs.tf
+++ b/terraform/outputs.tf
@@ -10,7 +10,7 @@ output "nameservers" {
 value = module.zone.route53_zone_name_servers
 }
 output "s3_bucket_name" {
- value = module.s3_bucket.s3_bucket_id
+ value = aws_s3_bucket.s3_bucket.id
 }
 output "my_ip" {
 value = "${chomp(data.http.myip.response_body)}"
diff --git a/terraform/s3.tf b/terraform/s3.tf
index ebdaed7..b738422 100644
--- a/terraform/s3.tf
+++ b/terraform/s3.tf
@@ -1,13 +1,32 @@
-module "s3_bucket" {
- source = "terraform-aws-modules/s3-bucket/aws"
-
+resource "aws_s3_bucket" "s3_bucket" {
 bucket = "mastodon-${random_pet.name.id}"
+}
- versioning = {
- enabled = false
+resource "aws_s3_bucket_ownership_controls" "s3_bucket" {
+ bucket = aws_s3_bucket.s3_bucket.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
 }
+}
+resource "aws_s3_bucket_public_access_block" "s3_bucket" {
+ bucket = aws_s3_bucket.s3_bucket.id
+
+ block_public_acls = false
+ block_public_policy = false
+ ignore_public_acls = false
+ restrict_public_buckets = false
+}
+
+resource "aws_s3_bucket_acl" "s3_bucket" {
+ depends_on = [
+ aws_s3_bucket_public_access_block.s3_bucket,
+ aws_s3_bucket_ownership_controls.s3_bucket,
+ ]
+
+ bucket = aws_s3_bucket.s3_bucket.id
+ acl = "public-read"
 }
 resource "aws_iam_access_key" "s3" {
@@ -20,7 +39,7 @@ resource "aws_iam_user" "s3" {
 }
 resource "aws_iam_user_policy" "s3" {
- name = "${module.s3_bucket.s3_bucket_id}-access"
+ name = "${aws_s3_bucket.s3_bucket.id}-access"
 user = aws_iam_user.s3.name
 policy = data.aws_iam_policy_document.s3.json
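Review bot: The new `aws_s3_bucket_public_access_block` turns off all four guards, but a `public-read` ACL path only needs `block_public_acls` and `ignore_public_acls` to be false; setting `block_public_policy = true` and `restrict_public_buckets = true` keeps a future bucket policy from widening exposure without changing what this commit enables. The bucket-level `acl = "public-read"` also grants anonymous listing of the whole bucket, which serving media does not require; if Mastodon uploads each object with its own public-read ACL (the usual reason `BucketOwnerPreferred` is needed), the bucket ACL can likely be dropped or left `private` with only object ACLs public — worth confirming against the Mastodon S3 permission setting in use. Whichever is kept, add a why-comment on the `acl` line, e.g. `# media URLs are served directly from S3, so uploaded objects must be anonymously readable`, so the public exposure is recorded as deliberate.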
@@ -32,8 +51,8 @@ data "aws_iam_policy_document" "s3" {
 "s3:*"
 ]
 resources = [
- "${module.s3_bucket.s3_bucket_arn}",
- "${module.s3_bucket.s3_bucket_arn}/*"
+ "${aws_s3_bucket.s3_bucket.arn}",
+ "${aws_s3_bucket.s3_bucket.arn}/*"
 ]
 }
 }