Infrastructure as code (#3)

* Moves website to website/ * Adds terraform gitignores * Terraform with AWS provider * Initialises Terraform * Locals and variables for provider * Fetches SSL certificate from ACM * S3 static website bucket * CloudFront distribution * Route53 records * Deployment workflow uses secret S3 bucket suffix * Adds README --------- Co-authored-by: Joe Carstairs <65492573+Sycamost@users.noreply.github.com>
2024-05-05 21:00:40 +01:00
parent 579e12cfeb
commit 86450b3dd8
40 changed files with 293 additions and 3 deletions
--- a/README.md
+++ b/README.md
@@ -2,6 +2,34 @@

 Joe Carstairs' personal website

+Structure:
+
+├website: My public-facing website
+└infrastructure: The infrastructure of my website as code
+
+## Infrastructure
+
+The infrastructure has these components:
+
+- AWS Route53Domains (for domain name registration)
+- AWS Route53 (for domain name resolution)
+- AWS CloudFront (for path-based routing)
+- AWS S3 (for static website hosting)
+
+The CloudFront bit is needed, because S3 static website hosting can only accept
+HTTP requests. CloudFront manages receiving HTTPS requests and forwarding them
+to HTTP.
+
+The S3 bucket includes a secret string of random characters. This is because
+when you set up static website hosting, the S3 API becomes open to the internet,
+and there's no way to turn this off. So you are theoretically open to DDoS
+attacks, for which you will be charged. Including a random string in the bucket
+name makes it less likely that an attacker will find the bucket to send requests
+to.
+
+The secret is stored in a GitHub secret called `S3_BUCKET_SUFFIX` so that it can
+be accessed by GitHub Actions workflows.
+
 ## Invalidating the CloudFront cache

 When you update pages, you’ll need to invalidate the CloudFront cache in order