author | clarkzjw <[email protected]> | 2022-12-10 21:23:20 -0800 |
---|---|---|
committer | clarkzjw <[email protected]> | 2022-12-10 21:23:20 -0800 |
commit | e2327197c423e23628701dca328fbd05693e7a61 (patch) | |
tree | 00b71ed51ef293786c711dc58877fe4ba1ef7ea2 | |
parent | e24fcdb3c72c83dd20521bac8b2c29847ed67865 (diff) | |
download | jinwei.me-e2327197c423e23628701dca328fbd05693e7a61.tar.gz |
infra: add s3 acl
-rw-r--r-- | jinwei.me/infra/.terraform.lock.hcl | 20 | ||||
-rw-r--r-- | jinwei.me/infra/data.tf | 1 | ||||
-rw-r--r-- | jinwei.me/infra/outputs.tf | 1 | ||||
-rw-r--r-- | jinwei.me/infra/s3.tf | 62 | ||||
-rw-r--r-- | jinwei.me/infra/variables.tf | 13 | ||||
-rw-r--r-- | jinwei.me/infra/versions.tf | 4 |
6 files changed, 63 insertions, 38 deletions
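--- a/jinwei.me/infra/.terraform.lock.hcl
+++ b/jinwei.me/infra/.terraform.lock.hcl
@@ -1,6 +1,26 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 
+provider "registry.terraform.io/cloudflare/cloudflare" {
+  version = "2.19.2"
+  constraints = "2.19.2"
+  hashes = [
+    "h1:gcgDf0Ltyopd5j30oCcnjceCyRpJmSBhTTwldOFnJEc=",
+    "zh:35a4d37c7601b537e156a032730e2987f137017e38c9a1a383f75cfeccb1975e",
+    "zh:3bdb1544aef7469813a699ba8d322248c96ffa05573c2bb990e1297aa95473d0",
+    "zh:41a322d3eeeb0dde185ea7a9cafe952c445a683a6a372089f8d003d8d2f4b722",
+    "zh:447ec6386879ff56cd3a97fc5d20b428451a445f8846a0127f5788de9e213b3c",
+    "zh:4a1fa7c6c9e28916009fe3c7a9f7f944e8b4e307ab3d97a34d81ba66769160f6",
+    "zh:5a2cb0e8ddc725c78ba09a817105136f564c7f4fe0173633d82bc3f8005dc15a",
+    "zh:83c0edc0ddd6ad8e3c140dcecafccad69edd199d2526cc9be10d857316f3859e",
+    "zh:a5a1917943a9e8486dc3d0eb315bc899944fe67888e38b35999b6a79907ec762",
+    "zh:a5cfcd8ec0fd3d0c80de8c519ee07b1e899b8f86d5f6f5800bc959190df9eb93",
+    "zh:be3a37ef3f0991989a4e51e5fe16d9cf71571cb1ecb7a41b31d91c2ae2a3313d",
+    "zh:ef1155fd12e3528f686b6a59fc732e35265f8d08450bc27baf8ccebbcd4cff0c",
+    "zh:f3a2293a7ccb14fa16472c7948498d5a19cb5f26e3aeb1b59756c7f9045c277b",
+  ]
+}
+
 provider "registry.terraform.io/hashicorp/aws" {
   version = "4.46.0"
   constraints = "~> 4.46"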
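--- a/jinwei.me/infra/data.tf
+++ b/jinwei.me/infra/data.tf
@@ -9,3 +9,4 @@ data "aws_ami" "debian" {
 }
 
 data "aws_availability_zones" "available" {}
+data "cloudflare_ip_ranges" "cloudflare" {}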
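--- a/jinwei.me/infra/outputs.tf
+++ b/jinwei.me/infra/outputs.tf
@@ -32,5 +32,6 @@ output "s3" {
   description = "S3 bucket for wordpress"
   value = {
     bucket_domain_name = aws_s3_bucket.main.bucket_domain_name
+    policy = aws_s3_bucket_policy.main.policy
   }
 }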
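--- a/jinwei.me/infra/s3.tf
+++ b/jinwei.me/infra/s3.tf
@@ -3,7 +3,7 @@ resource "random_id" "s3_bucket_suffix" {
 }
 
 resource "aws_s3_bucket" "main" {
-  bucket = "${var.name}-${random_id.s3_bucket_suffix.hex}"
+  bucket = "static.jinwei.me"
 }
 
 resource "aws_s3_bucket_public_access_block" "main" {
@@ -12,43 +12,37 @@ resource "aws_s3_bucket_public_access_block" "main" {
   # https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
   block_public_acls = false
   ignore_public_acls = true
-  block_public_policy = true
+  block_public_policy = false
   restrict_public_buckets = true
 }
 
-#resource "aws_s3_bucket_policy" "main" {
-# bucket = aws_s3_bucket.main.id
-# policy = data.aws_iam_policy_document.bucket_policy.json
-#}
-
-#data "aws_iam_policy_document" "bucket_policy" {
-# # Allow CloudFront to read from the bucket
-# statement {
-# principals {
-# type = "Service"
-# identifiers = [
-# "cloudfront.amazonaws.com"
-# ]
-# }
-# actions = [
-# "s3:GetObject"
-# ]
-# resources = [
-# "${aws_s3_bucket.main.arn}/*",
-# ]
-# condition {
-# test = "StringEquals"
-# variable = "AWS:SourceArn"
-# values = [aws_cloudfront_distribution.main.arn]
-# }
-# }
-#}
+resource "aws_s3_bucket_policy" "main" {
+  bucket = aws_s3_bucket.main.id
+  policy = data.aws_iam_policy_document.bucket_policy.json
+}
 
-#resource "aws_ssm_parameter" "s3_bucket" {
-# name = "/${local.name}/s3_bucket"
-# type = "String"
-# value = aws_s3_bucket.main.bucket
-#}
+data "aws_iam_policy_document" "bucket_policy" {
+  # Allow Cloudflare to read from the bucket
+  statement {
+    principals {
+      type = "AWS"
+      identifiers = [
+        "*"
+      ]
+    }
+    actions = [
+      "s3:GetObject"
+    ]
+    resources = [
+      "${aws_s3_bucket.main.arn}/*",
+    ]
+    condition {
+      test = "IpAddress"
+      variable = "AWS:SourceIp"
+      values = data.cloudflare_ip_ranges.cloudflare.cidr_blocks
+    }
+  }
+}
 
 resource "aws_s3_object" "healthcheck" {
   bucket = aws_s3_bucket.main.id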
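Review bot: The `aws_iam_policy_document` at new lines 24–45 grants anonymous `s3:GetObject` to `Principal: *` gated only by `aws:SourceIp` falling inside Cloudflare's published ranges, which proves a request came through Cloudflare's edge but not through this site's zone — any other Cloudflare customer who proxies a hostname to this bucket's endpoint can read every object. If that is broader than intended, add a second condition on a value only this zone sends (for example a header injected by a Cloudflare rule, matched with a `StringEquals` condition), or put a CloudFront distribution with origin access control in front as the removed commented-out block had planned; either way the comment at new line 25 should say what the policy actually permits, e.g. `# Anonymous GetObject restricted to Cloudflare edge IPs (any Cloudflare-proxied zone can reach the bucket, not just ours)`. Because `restrict_public_buckets` stays `true` (line 16), S3 will ignore this policy if it classifies it as public — AWS generally treats grants scoped to fixed `aws:SourceIp` CIDRs as non-public, so this should work, but confirm after apply that objects are reachable through Cloudflare rather than returning 403. `cidr_blocks` also includes Cloudflare's IPv6 ranges, which `IpAddress` handles, and the list is only re-read on refresh, so plan on re-applying when Cloudflare's ranges change. Separately, the first hunk renames the bucket to the dotted name `static.jinwei.me`, which makes virtual-hosted-style HTTPS to `static.jinwei.me.s3.amazonaws.com` fail certificate validation (the S3 wildcard certificate covers a single label), so whichever origin URL and Cloudflare SSL mode this relies on deserves a comment next to `bucket = "static.jinwei.me"`.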
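--- a/jinwei.me/infra/variables.tf
+++ b/jinwei.me/infra/variables.tf
@@ -51,7 +51,12 @@ variable "ec2_instance_type" {
   default = "t2.micro"
 }
 
-#variable "ec2_key_name" {
-# description = "Name of key pair to log into the EC2 instance. The key pair must already exist."
-# type = string
-#}
+variable "site_domain" {
+  type = string
+  default = "jinwei.me"
+}
+
+variable "s3_cdn_name" {
+  type = string
+  default = "static"
+}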
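Review bot: The two new variables `site_domain` and `s3_cdn_name` (new lines 54–62) carry no `description`, and nothing else in this commit's diffstat references them — s3.tf in the same commit hardcodes the bucket name instead. Either wire them in, `bucket = "${var.s3_cdn_name}.${var.site_domain}"`, or drop them until they are used, and give each a one-line description such as `description = "Apex domain of the site; the static-asset bucket is named <s3_cdn_name>.<site_domain>"`. `s3_cdn_name` is a subdomain label rather than a bucket or CDN name, so a name like `static_subdomain` would read more accurately.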
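--- a/jinwei.me/infra/versions.tf
+++ b/jinwei.me/infra/versions.tf
@@ -4,5 +4,9 @@ terraform {
       source = "hashicorp/aws"
       version = "~> 4.46"
     }
+    cloudflare = {
+      source = "cloudflare/cloudflare"
+      version = "2.19.2"
+    }
   }
 }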
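Review bot: The cloudflare provider is pinned to the exact version `2.19.2` (new line 9) while the aws provider beside it uses a pessimistic constraint `~> 4.46`; for consistency and to pick up patch releases, `version = "~> 2.19"` would match the file's existing style, with the lockfile still fixing the resolved version. As far as I can tell the 2.x series of this provider had already been superseded by 3.x when this was committed, so a major-version upgrade is worth planning, and a short comment stating why 2.x was chosen would help the next reader. The enclosing `terraform` and `required_providers` blocks start outside the hunk.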