diff options
| author | clarkzjw <[email protected]> | 2022-12-10 23:55:18 -0800 |
|---|---|---|
| committer | clarkzjw <[email protected]> | 2022-12-10 23:55:18 -0800 |
| commit | a958bdeb69ebbcb440dcf1c1230f62c76c744f8c (patch) | |
| tree | 7bacd530a24fa749c75695a7f1f8b8325749f88d | |
| parent | b4a5f2ee828dd021ab46196e4e05b27074aabe06 (diff) | |
| download | jinwei.me-a958bdeb69ebbcb440dcf1c1230f62c76c744f8c.tar.gz | |
infra: add cloudfront, acm and cloudflare config
| -rw-r--r-- | jinwei.me/infra/.terraform.lock.hcl | 2 | ||||
| -rw-r--r-- | jinwei.me/infra/acm.tf | 41 | ||||
| -rw-r--r-- | jinwei.me/infra/cloudflare.tf | 3 | ||||
| -rw-r--r-- | jinwei.me/infra/cloudfront.tf | 76 | ||||
| -rw-r--r-- | jinwei.me/infra/s3.tf | 8 | ||||
| -rw-r--r-- | jinwei.me/infra/variables.tf | 6 | ||||
| -rw-r--r-- | jinwei.me/infra/versions.tf | 5 |
7 files changed, 134 insertions, 7 deletions
diff --git a/jinwei.me/infra/.terraform.lock.hcl b/jinwei.me/infra/.terraform.lock.hcl index 9fdb71e..e16e9bd 100644 --- a/jinwei.me/infra/.terraform.lock.hcl +++ b/jinwei.me/infra/.terraform.lock.hcl | |||
| @@ -23,7 +23,7 @@ provider "registry.terraform.io/cloudflare/cloudflare" { | |||
| 23 | 23 | ||
| 24 | provider "registry.terraform.io/hashicorp/aws" { | 24 | provider "registry.terraform.io/hashicorp/aws" { |
| 25 | version = "4.46.0" | 25 | version = "4.46.0" |
| 26 | constraints = "~> 4.46" | 26 | constraints = ">= 3.73.0, ~> 4.46" |
| 27 | hashes = [ | 27 | hashes = [ |
| 28 | "h1:EZB4OgvytV38JpWyye9zoMQ0bfT9yB9xSXM5NY3Lrws=", | 28 | "h1:EZB4OgvytV38JpWyye9zoMQ0bfT9yB9xSXM5NY3Lrws=", |
| 29 | "zh:1678e6a4bdb3d81a6713adc62ca0fdb8250c584e10c10d1daca72316e9db8df2", | 29 | "zh:1678e6a4bdb3d81a6713adc62ca0fdb8250c584e10c10d1daca72316e9db8df2", |
diff --git a/jinwei.me/infra/acm.tf b/jinwei.me/infra/acm.tf new file mode 100644 index 0000000..c6900cd --- /dev/null +++ b/jinwei.me/infra/acm.tf | |||
| @@ -0,0 +1,41 @@ | |||
| 1 | resource "aws_acm_certificate" "main" { | ||
| 2 | domain_name = "static.jinwei.me" | ||
| 3 | validation_method = "DNS" | ||
| 4 | |||
| 5 | subject_alternative_names = [ | ||
| 6 | "*.static.jinwei.me", | ||
| 7 | ] | ||
| 8 | } | ||
| 9 | |||
| 10 | resource "aws_acm_certificate_validation" "main" { | ||
| 11 | certificate_arn = aws_acm_certificate.main.arn | ||
| 12 | validation_record_fqdns = [cloudflare_record.acm.hostname] | ||
| 13 | } | ||
| 14 | |||
| 15 | |||
| 16 | # CloudFront requires ACM to be in us-east-1, so duplicate the resources. | ||
| 17 | resource "aws_acm_certificate" "us-east-1" { | ||
| 18 | provider = aws.us-east-1 | ||
| 19 | |||
| 20 | domain_name = "static.jinwei.me" | ||
| 21 | validation_method = "DNS" | ||
| 22 | |||
| 23 | subject_alternative_names = [ | ||
| 24 | "*.static.jinwei.me", | ||
| 25 | ] | ||
| 26 | } | ||
| 27 | |||
| 28 | resource "aws_acm_certificate_validation" "us-east-1" { | ||
| 29 | provider = aws.us-east-1 | ||
| 30 | |||
| 31 | certificate_arn = aws_acm_certificate.us-east-1.arn | ||
| 32 | validation_record_fqdns = [cloudflare_record.acm.hostname] | ||
| 33 | } | ||
| 34 | |||
| 35 | # Cloudflare validation record | ||
| 36 | resource "cloudflare_record" "acm" { | ||
| 37 | zone_id = data.cloudflare_zones.domain.zones[0].id | ||
| 38 | name = tolist(aws_acm_certificate.main.domain_validation_options)[0].resource_record_name | ||
| 39 | type = tolist(aws_acm_certificate.main.domain_validation_options)[0].resource_record_type | ||
| 40 | value = tolist(aws_acm_certificate.main.domain_validation_options)[0].resource_record_value | ||
| 41 | } | ||
diff --git a/jinwei.me/infra/cloudflare.tf b/jinwei.me/infra/cloudflare.tf index 5c79607..a6ca299 100644 --- a/jinwei.me/infra/cloudflare.tf +++ b/jinwei.me/infra/cloudflare.tf | |||
| @@ -7,9 +7,10 @@ data "cloudflare_zones" "domain" { | |||
| 7 | } | 7 | } |
| 8 | 8 | ||
| 9 | resource "cloudflare_record" "s3_bucket" { | 9 | resource "cloudflare_record" "s3_bucket" { |
| 10 | # Point CNAME record in Cloudflare to Cloudfront | ||
| 10 | zone_id = data.cloudflare_zones.domain.zones[0].id | 11 | zone_id = data.cloudflare_zones.domain.zones[0].id |
| 11 | name = var.s3_cdn_name | 12 | name = var.s3_cdn_name |
| 12 | value = aws_s3_bucket.main.bucket_regional_domain_name | 13 | value = aws_cloudfront_distribution.main.domain_name |
| 13 | type = "CNAME" | 14 | type = "CNAME" |
| 14 | 15 | ||
| 15 | ttl = 1 | 16 | ttl = 1 |
diff --git a/jinwei.me/infra/cloudfront.tf b/jinwei.me/infra/cloudfront.tf new file mode 100644 index 0000000..2566584 --- /dev/null +++ b/jinwei.me/infra/cloudfront.tf | |||
| @@ -0,0 +1,76 @@ | |||
| 1 | resource "aws_cloudfront_distribution" "main" { | ||
| 2 | aliases = [var.s3_cloudfront_name] | ||
| 3 | enabled = true | ||
| 4 | http_version = "http2and3" | ||
| 5 | is_ipv6_enabled = true | ||
| 6 | price_class = "PriceClass_All" | ||
| 7 | retain_on_delete = true | ||
| 8 | wait_for_deployment = false | ||
| 9 | |||
| 10 | default_cache_behavior { | ||
| 11 | target_origin_id = aws_s3_bucket.main.bucket_regional_domain_name | ||
| 12 | |||
| 13 | compress = true | ||
| 14 | viewer_protocol_policy = "redirect-to-https" | ||
| 15 | allowed_methods = ["GET", "HEAD"] | ||
| 16 | cached_methods = ["GET", "HEAD"] | ||
| 17 | cache_policy_id = data.aws_cloudfront_cache_policy.managed["CachingOptimized"].id | ||
| 18 | origin_request_policy_id = data.aws_cloudfront_origin_request_policy.managed["CORS-S3Origin"].id | ||
| 19 | } | ||
| 20 | |||
| 21 | origin { | ||
| 22 | origin_id = aws_s3_bucket.main.bucket_regional_domain_name | ||
| 23 | domain_name = aws_s3_bucket.main.bucket_regional_domain_name | ||
| 24 | origin_access_control_id = aws_cloudfront_origin_access_control.main.id | ||
| 25 | } | ||
| 26 | |||
| 27 | restrictions { | ||
| 28 | geo_restriction { | ||
| 29 | restriction_type = "none" | ||
| 30 | } | ||
| 31 | } | ||
| 32 | |||
| 33 | viewer_certificate { | ||
| 34 | acm_certificate_arn = aws_acm_certificate_validation.us-east-1.certificate_arn | ||
| 35 | minimum_protocol_version = "TLSv1.2_2021" | ||
| 36 | ssl_support_method = "sni-only" | ||
| 37 | } | ||
| 38 | } | ||
| 39 | |||
| 40 | resource "aws_cloudfront_origin_access_control" "main" { | ||
| 41 | name = var.s3_cloudfront_name | ||
| 42 | description = var.s3_cloudfront_name | ||
| 43 | origin_access_control_origin_type = "s3" | ||
| 44 | signing_behavior = "always" | ||
| 45 | signing_protocol = "sigv4" | ||
| 46 | } | ||
| 47 | |||
| 48 | # Managed policies | ||
| 49 | locals { | ||
| 50 | managed_cache_policies = [ | ||
| 51 | "Amplify", | ||
| 52 | "CachingDisabled", | ||
| 53 | "CachingOptimized", | ||
| 54 | "CachingOptimizedForUncompressedObjects", | ||
| 55 | "Elemental-MediaPackage", | ||
| 56 | ] | ||
| 57 | managed_origin_request_policies = [ | ||
| 58 | "AllViewer", | ||
| 59 | "CORS-CustomOrigin", | ||
| 60 | "CORS-S3Origin", | ||
| 61 | "Elemental-MediaTailor-PersonalizedManifests", | ||
| 62 | "UserAgentRefererHeaders", | ||
| 63 | ] | ||
| 64 | } | ||
| 65 | |||
| 66 | data "aws_cloudfront_cache_policy" "managed" { | ||
| 67 | for_each = toset(local.managed_cache_policies) | ||
| 68 | |||
| 69 | name = "Managed-${each.key}" | ||
| 70 | } | ||
| 71 | |||
| 72 | data "aws_cloudfront_origin_request_policy" "managed" { | ||
| 73 | for_each = toset(local.managed_origin_request_policies) | ||
| 74 | |||
| 75 | name = "Managed-${each.key}" | ||
| 76 | } | ||
diff --git a/jinwei.me/infra/s3.tf b/jinwei.me/infra/s3.tf index 58e0502..49f8e10 100644 --- a/jinwei.me/infra/s3.tf +++ b/jinwei.me/infra/s3.tf | |||
| @@ -22,7 +22,7 @@ resource "aws_s3_bucket_policy" "main" { | |||
| 22 | } | 22 | } |
| 23 | 23 | ||
| 24 | data "aws_iam_policy_document" "bucket_policy" { | 24 | data "aws_iam_policy_document" "bucket_policy" { |
| 25 | # Allow Cloudflare to read from the bucket | 25 | # Allow Cloudfront to read from the bucket |
| 26 | statement { | 26 | statement { |
| 27 | principals { | 27 | principals { |
| 28 | type = "AWS" | 28 | type = "AWS" |
| @@ -37,9 +37,9 @@ data "aws_iam_policy_document" "bucket_policy" { | |||
| 37 | "${aws_s3_bucket.main.arn}/*", | 37 | "${aws_s3_bucket.main.arn}/*", |
| 38 | ] | 38 | ] |
| 39 | condition { | 39 | condition { |
| 40 | test = "IpAddress" | 40 | test = "StringEquals" |
| 41 | variable = "AWS:SourceIp" | 41 | variable = "AWS:SourceArn" |
| 42 | values = data.cloudflare_ip_ranges.cloudflare.cidr_blocks | 42 | values = [aws_cloudfront_distribution.main.arn] |
| 43 | } | 43 | } |
| 44 | } | 44 | } |
| 45 | } | 45 | } |
diff --git a/jinwei.me/infra/variables.tf b/jinwei.me/infra/variables.tf index 9145176..2ae72ed 100644 --- a/jinwei.me/infra/variables.tf +++ b/jinwei.me/infra/variables.tf | |||
| @@ -12,7 +12,6 @@ variable "region" { | |||
| 12 | description = "AWS region" | 12 | description = "AWS region" |
| 13 | } | 13 | } |
| 14 | 14 | ||
| 15 | |||
| 16 | # RDS | 15 | # RDS |
| 17 | variable "rds_initial_db_name" { | 16 | variable "rds_initial_db_name" { |
| 18 | default = "wordpress" | 17 | default = "wordpress" |
| @@ -60,3 +59,8 @@ variable "s3_cdn_name" { | |||
| 60 | type = string | 59 | type = string |
| 61 | default = "static" | 60 | default = "static" |
| 62 | } | 61 | } |
| 62 | |||
| 63 | variable "s3_cloudfront_name" { | ||
| 64 | type = string | ||
| 65 | default = "static.jinwei.me" | ||
| 66 | } | ||
diff --git a/jinwei.me/infra/versions.tf b/jinwei.me/infra/versions.tf index 9d28904..3200530 100644 --- a/jinwei.me/infra/versions.tf +++ b/jinwei.me/infra/versions.tf | |||
| @@ -10,3 +10,8 @@ terraform { | |||
| 10 | } | 10 | } |
| 11 | } | 11 | } |
| 12 | } | 12 | } |
| 13 | |||
| 14 | provider "aws" { | ||
| 15 | alias = "us-east-1" | ||
| 16 | region = "us-east-1" | ||
| 17 | } | ||