Infrastructure as code (#3)
* Moves website to website/ * Adds terraform gitignores * Terraform with AWS provider * Initialises Terraform * Locals and variables for provider * Fetches SSL certificate from ACM * S3 static website bucket * CloudFront distribution * Route53 records * Deployment workflow uses secret S3 bucket suffix * Adds README --------- Co-authored-by: Joe Carstairs <65492573+Sycamost@users.noreply.github.com>
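--- /dev/null
+++ b/infrastructure/s3.tf
@@ -0,0 +1,78 @@
+resource "aws_s3_bucket" "website" {
+  bucket = local.bucket_name
+}
+
+locals {
+  bucket_name = "${local.domain}-${var.secret_s3_bucket_suffix}"
+}
+
+resource "aws_s3_bucket_website_configuration" "website" {
+  bucket = aws_s3_bucket.website.id
+
+  index_document {
+    suffix = "index.html"
+  }
+
+  error_document {
+    key = "error/index.html"
+  }
+}
+
+resource "aws_s3_bucket_ownership_controls" "website" {
+  bucket = aws_s3_bucket.website.id
+
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+
+  depends_on = [aws_s3_bucket_public_access_block.website]
+}
+
+resource "aws_s3_bucket_public_access_block" "website" {
+  bucket = aws_s3_bucket.website.id
+
+  block_public_acls = false
+  block_public_policy = false
+  ignore_public_acls = false
+  restrict_public_buckets = false
+}
+
+resource "aws_s3_bucket_acl" "website" {
+  bucket = aws_s3_bucket.website.id
+
+  acl = "public-read"
+
+  depends_on = [aws_s3_bucket_ownership_controls.website]
+}
+
+resource "aws_s3_bucket_versioning" "website" {
+  bucket = aws_s3_bucket.website.id
+
+  versioning_configuration {
+    status = "Disabled"
+  }
+}
+
+resource "aws_s3_bucket_policy" "website" {
+  bucket = aws_s3_bucket.website.id
+  policy = data.aws_iam_policy_document.website.json
+}
+
+# TODO: can we restrict access to just from the CloudFront distro?
+data "aws_iam_policy_document" "website" {
+  statement {
+    sid = "AllowPublicRead"
+    effect = "Allow"
+    resources = [
+      "arn:aws:s3:::${local.bucket_name}",
+      "arn:aws:s3:::${local.bucket_name}/*",
+    ]
+    actions = ["S3:GetObject"]
+    principals {
+      type = "*"
+      identifiers = ["*"]
+    }
+  }
+
+  depends_on = [aws_s3_bucket_public_access_block.website, aws_s3_bucket.website]
+}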
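Review bot: The bucket is made world-readable three ways at once — all four flags of `aws_s3_bucket_public_access_block` set to `false`, `acl = "public-read"`, and the `AllowPublicRead` policy statement with principal `*` — so every object is fetchable straight from the S3 endpoint, bypassing the CloudFront distribution and whatever TLS, caching or edge controls it applies, which the `TODO` above the policy document already acknowledges. The usual answer to that TODO is a CloudFront origin access control: keep every public-access-block flag `true`, drop the `aws_s3_bucket_acl` and `aws_s3_bucket_ownership_controls` resources (or set `object_ownership = "BucketOwnerEnforced"`), and grant `s3:GetObject` only to the `cloudfront.amazonaws.com` service principal conditioned on the distribution's ARN, as in the excerpt below. This presumably requires the distribution in the CloudFront file (not in this hunk) to use the bucket's REST endpoint as an S3 origin with an `aws_cloudfront_origin_access_control`, and the `index.html` / `error/index.html` routing that `aws_s3_bucket_website_configuration` provides would then have to move to the distribution (default root object plus a custom error response), so it is a coordinated change rather than a drop-in. Separately, the first `resources` entry (the bucket ARN without `/*`) does nothing for `s3:GetObject`, which only matches object ARNs, and can be removed.
```terraform
resource "aws_s3_bucket_public_access_block" "website" {
  bucket = aws_s3_bucket.website.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# … unchanged: aws_s3_bucket_versioning and aws_s3_bucket_policy …

data "aws_iam_policy_document" "website" {
  statement {
    sid       = "AllowCloudFrontRead"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${local.bucket_name}/*"]

    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      # PLACEHOLDER: replace DISTRIBUTION_NAME with the resource name used in the CloudFront file
      values   = [aws_cloudfront_distribution.DISTRIBUTION_NAME.arn]
    }
  }
}
```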