From 58b571c354f3e45aeed4e2c4ba23effbb6a6faf8 Mon Sep 17 00:00:00 2001
From: Aiden Page
Date: Thu, 25 Jul 2024 10:18:43 +0100
Subject: [PATCH] change bucket policy

---
 modules/products/static-site/storage.tf | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/modules/products/static-site/storage.tf b/modules/products/static-site/storage.tf
index a90b3ca..1f4519c 100644
--- a/modules/products/static-site/storage.tf
+++ b/modules/products/static-site/storage.tf
@@ -46,11 +46,11 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "static_site_encry
 data "aws_iam_policy_document" "static_site_iam_storage_policy_document" {
   statement {
-    sid = "PublicReadGetObject"
+    sid = "AllowCloudFrontServicePrincipalReadOnly"
     effect = "Allow"
     principals {
-      type = "*"
-      identifiers = ["*"]
+      type = "Service"
+      identifiers = ["cloudfront.amazonaws.com"]
     }
     actions = [
       "s3:GetObject"
@@ -58,6 +58,11 @@ data "aws_iam_policy_document" "static_site_iam_storage_policy_document" {
     resources = [
       "arn:aws:s3:::${aws_s3_bucket.static_site.id}/*"
     ]
+    condition {
+      test = "StringEquals"
+      variable = "aws:SourceArn"
+      values = [resource.static_site_distribution.arn]
+    }
   }
 }
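Review bot: The `values = [resource.static_site_distribution.arn]` line in the second hunk is not a valid managed-resource reference — Terraform expects the resource type first, presumably `values = [aws_cloudfront_distribution.static_site_distribution.arn]` (the distribution is defined outside this file, so confirm its type and name), and as written the plan will fail before the tightened policy is ever applied. The move from a `*` principal to the `cloudfront.amazonaws.com` service principal in the first hunk only restricts reads to one distribution because of this `aws:SourceArn` condition; a `Service` principal alone would let any CloudFront distribution in any account fetch the objects, so the two hunks must land together and the condition must evaluate correctly. Now that the public-read grant is gone, it is worth checking that an `aws_s3_bucket_public_access_block` is also attached to this bucket so a wildcard principal cannot be reintroduced later. The `data "aws_iam_policy_document"` block spans both hunks and the first hunk ends inside it.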