authorclarkzjw <[email protected]>2022-12-10 21:23:20 -0800
committerclarkzjw <[email protected]>2022-12-10 21:23:20 -0800
commite2327197c423e23628701dca328fbd05693e7a61 (patch)
tree00b71ed51ef293786c711dc58877fe4ba1ef7ea2
parente24fcdb3c72c83dd20521bac8b2c29847ed67865 (diff)
downloadjinwei.me-e2327197c423e23628701dca328fbd05693e7a61.tar.gz
infra: add s3 acl
-rw-r--r--jinwei.me/infra/.terraform.lock.hcl20
-rw-r--r--jinwei.me/infra/data.tf1
-rw-r--r--jinwei.me/infra/outputs.tf1
-rw-r--r--jinwei.me/infra/s3.tf62
-rw-r--r--jinwei.me/infra/variables.tf13
-rw-r--r--jinwei.me/infra/versions.tf4
6 files changed, 63 insertions, 38 deletions
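--- a/jinwei.me/infra/.terraform.lock.hcl
+++ b/jinwei.me/infra/.terraform.lock.hcl
@@ -1,6 +1,26 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 
+provider "registry.terraform.io/cloudflare/cloudflare" {
+ version = "2.19.2"
+ constraints = "2.19.2"
+ hashes = [
+ "h1:gcgDf0Ltyopd5j30oCcnjceCyRpJmSBhTTwldOFnJEc=",
+ "zh:35a4d37c7601b537e156a032730e2987f137017e38c9a1a383f75cfeccb1975e",
+ "zh:3bdb1544aef7469813a699ba8d322248c96ffa05573c2bb990e1297aa95473d0",
+ "zh:41a322d3eeeb0dde185ea7a9cafe952c445a683a6a372089f8d003d8d2f4b722",
+ "zh:447ec6386879ff56cd3a97fc5d20b428451a445f8846a0127f5788de9e213b3c",
+ "zh:4a1fa7c6c9e28916009fe3c7a9f7f944e8b4e307ab3d97a34d81ba66769160f6",
+ "zh:5a2cb0e8ddc725c78ba09a817105136f564c7f4fe0173633d82bc3f8005dc15a",
+ "zh:83c0edc0ddd6ad8e3c140dcecafccad69edd199d2526cc9be10d857316f3859e",
+ "zh:a5a1917943a9e8486dc3d0eb315bc899944fe67888e38b35999b6a79907ec762",
+ "zh:a5cfcd8ec0fd3d0c80de8c519ee07b1e899b8f86d5f6f5800bc959190df9eb93",
+ "zh:be3a37ef3f0991989a4e51e5fe16d9cf71571cb1ecb7a41b31d91c2ae2a3313d",
+ "zh:ef1155fd12e3528f686b6a59fc732e35265f8d08450bc27baf8ccebbcd4cff0c",
+ "zh:f3a2293a7ccb14fa16472c7948498d5a19cb5f26e3aeb1b59756c7f9045c277b",
+ ]
+}
+
 provider "registry.terraform.io/hashicorp/aws" {
  version = "4.46.0"
  constraints = "~> 4.46"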
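--- a/jinwei.me/infra/data.tf
+++ b/jinwei.me/infra/data.tf
@@ -9,3 +9,4 @@ data "aws_ami" "debian" {
 }
 
 data "aws_availability_zones" "available" {}
+data "cloudflare_ip_ranges" "cloudflare" {}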
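--- a/jinwei.me/infra/outputs.tf
+++ b/jinwei.me/infra/outputs.tf
@@ -32,5 +32,6 @@ output "s3" {
  description = "S3 bucket for wordpress"
  value = {
  bucket_domain_name = aws_s3_bucket.main.bucket_domain_name
+ policy = aws_s3_bucket_policy.main.policy
  }
 }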
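--- a/jinwei.me/infra/s3.tf
+++ b/jinwei.me/infra/s3.tf
@@ -3,7 +3,7 @@ resource "random_id" "s3_bucket_suffix" {
 }
 
 resource "aws_s3_bucket" "main" {
- bucket = "${var.name}-${random_id.s3_bucket_suffix.hex}"
+ bucket = "static.jinwei.me"
 }
 
 resource "aws_s3_bucket_public_access_block" "main" {
@@ -12,43 +12,37 @@ resource "aws_s3_bucket_public_access_block" "main" {
  # https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
  block_public_acls = false
  ignore_public_acls = true
- block_public_policy = true
+ block_public_policy = false
  restrict_public_buckets = true
 }
 
-#resource "aws_s3_bucket_policy" "main" {
-# bucket = aws_s3_bucket.main.id
-# policy = data.aws_iam_policy_document.bucket_policy.json
-#}
-
-#data "aws_iam_policy_document" "bucket_policy" {
-# # Allow CloudFront to read from the bucket
-# statement {
-# principals {
-# type = "Service"
-# identifiers = [
-# "cloudfront.amazonaws.com"
-# ]
-# }
-# actions = [
-# "s3:GetObject"
-# ]
-# resources = [
-# "${aws_s3_bucket.main.arn}/*",
-# ]
-# condition {
-# test = "StringEquals"
-# variable = "AWS:SourceArn"
-# values = [aws_cloudfront_distribution.main.arn]
-# }
-# }
-#}
+resource "aws_s3_bucket_policy" "main" {
+ bucket = aws_s3_bucket.main.id
+ policy = data.aws_iam_policy_document.bucket_policy.json
+}
 
-#resource "aws_ssm_parameter" "s3_bucket" {
-# name = "/${local.name}/s3_bucket"
-# type = "String"
-# value = aws_s3_bucket.main.bucket
-#}
+data "aws_iam_policy_document" "bucket_policy" {
+ # Allow Cloudflare to read from the bucket
+ statement {
+ principals {
+ type = "AWS"
+ identifiers = [
+ "*"
+ ]
+ }
+ actions = [
+ "s3:GetObject"
+ ]
+ resources = [
+ "${aws_s3_bucket.main.arn}/*",
+ ]
+ condition {
+ test = "IpAddress"
+ variable = "AWS:SourceIp"
+ values = data.cloudflare_ip_ranges.cloudflare.cidr_blocks
+ }
+ }
+}
 
 resource "aws_s3_object" "healthcheck" {
  bucket = aws_s3_bucket.main.id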
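Review bot: The `aws:SourceIp` condition at new lines 39–43 keys the `*` principal on Cloudflare's published edge ranges, which matches any request proxied through Cloudflare by any Cloudflare customer, not only requests for this zone; the comment at new line 25 should say so, e.g. `# Allow reads from Cloudflare's edge ranges; any Cloudflare-proxied request (any customer, not just this zone) matches, which is acceptable only for public static assets.` AWS classifies a `*`-principal statement that is restricted by `aws:SourceIp` to specific CIDRs as non-public, so flipping `block_public_policy` to `false` at new line 15 is most likely unnecessary — confirm by applying with it left `true`, because `false` also drops the guard against a future edit that makes the policy genuinely public. `data.cloudflare_ip_ranges.cloudflare.cidr_blocks` is read at plan time, so the allow-list drifts from Cloudflare's current ranges until the next apply; a comment on new line 42 stating that is worthwhile. `aws_s3_bucket_policy.main` also has no `depends_on = [aws_s3_bucket_public_access_block.main]`, so on first apply the policy put can run before the access-block update.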
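--- a/jinwei.me/infra/variables.tf
+++ b/jinwei.me/infra/variables.tf
@@ -51,7 +51,12 @@ variable "ec2_instance_type" {
  default = "t2.micro"
 }
 
-#variable "ec2_key_name" {
-# description = "Name of key pair to log into the EC2 instance. The key pair must already exist."
-# type = string
-#}
+variable "site_domain" {
+ type = string
+ default = "jinwei.me"
+}
+
+variable "s3_cdn_name" {
+ type = string
+ default = "static"
+}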
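Review bot: `site_domain` (new lines 54–57) and `s3_cdn_name` (new lines 59–62) are declared but nothing in this commit references them, while s3.tf hard-codes `bucket = "static.jinwei.me"`, so the two will drift independently. Either derive the bucket name from them, `bucket = "${var.s3_cdn_name}.${var.site_domain}"`, or leave the variables out until they are used. Both also lack a `description`, unlike the removed `ec2_key_name` block, e.g. `description = "Apex domain of the site; the static bucket is named <s3_cdn_name>.<site_domain>."` on `site_domain`.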
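--- a/jinwei.me/infra/versions.tf
+++ b/jinwei.me/infra/versions.tf
@@ -4,5 +4,9 @@ terraform {
  source = "hashicorp/aws"
  version = "~> 4.46"
  }
+ cloudflare = {
+ source = "cloudflare/cloudflare"
+ version = "2.19.2"
+ }
  }
 }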