infra: add s3 acl

6 files changed, 63 insertions, 38 deletions

diff --git a/jinwei.me/infra/.terraform.lock.hcl b/jinwei.me/infra/.terraform.lock.hcl
index 92b4d9c..9fdb71e 100644
--- a/jinwei.me/infra/.terraform.lock.hcl
+++ b/jinwei.me/infra/.terraform.lock.hcl
@@ -1,6 +1,26 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 
+provider "registry.terraform.io/cloudflare/cloudflare" {
+  version     = "2.19.2"
+  constraints = "2.19.2"
+  hashes = [
+    "h1:gcgDf0Ltyopd5j30oCcnjceCyRpJmSBhTTwldOFnJEc=",
+    "zh:35a4d37c7601b537e156a032730e2987f137017e38c9a1a383f75cfeccb1975e",
+    "zh:3bdb1544aef7469813a699ba8d322248c96ffa05573c2bb990e1297aa95473d0",
+    "zh:41a322d3eeeb0dde185ea7a9cafe952c445a683a6a372089f8d003d8d2f4b722",
+    "zh:447ec6386879ff56cd3a97fc5d20b428451a445f8846a0127f5788de9e213b3c",
+    "zh:4a1fa7c6c9e28916009fe3c7a9f7f944e8b4e307ab3d97a34d81ba66769160f6",
+    "zh:5a2cb0e8ddc725c78ba09a817105136f564c7f4fe0173633d82bc3f8005dc15a",
+    "zh:83c0edc0ddd6ad8e3c140dcecafccad69edd199d2526cc9be10d857316f3859e",
+    "zh:a5a1917943a9e8486dc3d0eb315bc899944fe67888e38b35999b6a79907ec762",
+    "zh:a5cfcd8ec0fd3d0c80de8c519ee07b1e899b8f86d5f6f5800bc959190df9eb93",
+    "zh:be3a37ef3f0991989a4e51e5fe16d9cf71571cb1ecb7a41b31d91c2ae2a3313d",
+    "zh:ef1155fd12e3528f686b6a59fc732e35265f8d08450bc27baf8ccebbcd4cff0c",
+    "zh:f3a2293a7ccb14fa16472c7948498d5a19cb5f26e3aeb1b59756c7f9045c277b",
+  ]
+}
+
 provider "registry.terraform.io/hashicorp/aws" {
   version     = "4.46.0"
   constraints = "~> 4.46"
diff --git a/jinwei.me/infra/data.tf b/jinwei.me/infra/data.tf
index 2102273..8c461e4 100644
--- a/jinwei.me/infra/data.tf
+++ b/jinwei.me/infra/data.tf
@@ -9,3 +9,4 @@ data "aws_ami" "debian" {
 }
 
 data "aws_availability_zones" "available" {}
+data "cloudflare_ip_ranges" "cloudflare" {}
diff --git a/jinwei.me/infra/outputs.tf b/jinwei.me/infra/outputs.tf
index 4619f5f..d5df1df 100644
--- a/jinwei.me/infra/outputs.tf
+++ b/jinwei.me/infra/outputs.tf
@@ -32,5 +32,6 @@ output "s3" {
   description = "S3 bucket for wordpress"
   value = {
     bucket_domain_name = aws_s3_bucket.main.bucket_domain_name
+    policy = aws_s3_bucket_policy.main.policy
   }
 }
diff --git a/jinwei.me/infra/s3.tf b/jinwei.me/infra/s3.tf
index 5626390..58e0502 100644
--- a/jinwei.me/infra/s3.tf
+++ b/jinwei.me/infra/s3.tf
@@ -3,7 +3,7 @@ resource "random_id" "s3_bucket_suffix" {
 }
 
 resource "aws_s3_bucket" "main" {
-  bucket = "${var.name}-${random_id.s3_bucket_suffix.hex}"
+  bucket = "static.jinwei.me"
 }
 
 resource "aws_s3_bucket_public_access_block" "main" {
@@ -12,43 +12,37 @@ resource "aws_s3_bucket_public_access_block" "main" {
   # https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
   block_public_acls       = false
   ignore_public_acls      = true
-  block_public_policy     = true
+  block_public_policy     = false
   restrict_public_buckets = true
 }
 
-#resource "aws_s3_bucket_policy" "main" {
-#  bucket = aws_s3_bucket.main.id
-#  policy = data.aws_iam_policy_document.bucket_policy.json
-#}
-
-#data "aws_iam_policy_document" "bucket_policy" {
-#  # Allow CloudFront to read from the bucket
-#  statement {
-#    principals {
-#      type = "Service"
-#      identifiers = [
-#        "cloudfront.amazonaws.com"
-#      ]
-#    }
-#    actions = [
-#      "s3:GetObject"
-#    ]
-#    resources = [
-#      "${aws_s3_bucket.main.arn}/*",
-#    ]
-#    condition {
-#      test     = "StringEquals"
-#      variable = "AWS:SourceArn"
-#      values   = [aws_cloudfront_distribution.main.arn]
-#    }
-#  }
-#}
+resource "aws_s3_bucket_policy" "main" {
+  bucket = aws_s3_bucket.main.id
+  policy = data.aws_iam_policy_document.bucket_policy.json
+}
 
-#resource "aws_ssm_parameter" "s3_bucket" {
-#  name  = "/${local.name}/s3_bucket"
-#  type  = "String"
-#  value = aws_s3_bucket.main.bucket
-#}
+data "aws_iam_policy_document" "bucket_policy" {
+  # Allow Cloudflare to read from the bucket
+  statement {
+    principals {
+      type = "AWS"
+      identifiers = [
+        "*"
+      ]
+    }
+    actions = [
+      "s3:GetObject"
+    ]
+    resources = [
+      "${aws_s3_bucket.main.arn}/*",
+    ]
+    condition {
+      test     = "IpAddress"
+      variable = "AWS:SourceIp"
+      values   = data.cloudflare_ip_ranges.cloudflare.cidr_blocks
+    }
+  }
+}
 
 resource "aws_s3_object" "healthcheck" {
   bucket       = aws_s3_bucket.main.id
diff --git a/jinwei.me/infra/variables.tf b/jinwei.me/infra/variables.tf
index 575b118..9145176 100644
--- a/jinwei.me/infra/variables.tf
+++ b/jinwei.me/infra/variables.tf
@@ -51,7 +51,12 @@ variable "ec2_instance_type" {
   default = "t2.micro"
 }
 
-#variable "ec2_key_name" {
-#  description = "Name of key pair to log into the EC2 instance. The key pair must already exist."
-#  type        = string
-#}
+variable "site_domain" {
+  type        = string
+  default     = "jinwei.me"
+}
+
+variable "s3_cdn_name" {
+  type = string
+  default = "static"
+}
diff --git a/jinwei.me/infra/versions.tf b/jinwei.me/infra/versions.tf
index 2ff0472..9d28904 100644
--- a/jinwei.me/infra/versions.tf
+++ b/jinwei.me/infra/versions.tf
@@ -4,5 +4,9 @@ terraform {
       source  = "hashicorp/aws"
       version = "~> 4.46"
     }
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "2.19.2"
+    }
   }
 }