2 files changed, 65 insertions, 0 deletions
diff --git a/jinwei.me/infra/outputs.tf b/jinwei.me/infra/outputs.tf
index 3537e02..4619f5f 100644
--- a/jinwei.me/infra/outputs.tf
+++ b/jinwei.me/infra/outputs.tf
@@ -27,3 +27,10 @@ output "instance" {
    private_ip = aws_instance.jinwei_me.private_ip
  }
 }
+output "s3" {
+  description = "S3 bucket for wordpress"
+  value = {
+    bucket_domain_name = aws_s3_bucket.main.bucket_domain_name
+  }
+}
diff --git a/jinwei.me/infra/s3.tf b/jinwei.me/infra/s3.tf
new file mode 100644
index 0000000..5626390
--- /dev/null
+++ b/jinwei.me/infra/s3.tf
@@ -0,0 +1,58 @@
+resource "random_id" "s3_bucket_suffix" {
+  byte_length = 4
+}
+resource "aws_s3_bucket" "main" {
+  bucket = "${var.name}-${random_id.s3_bucket_suffix.hex}"
+}
+resource "aws_s3_bucket_public_access_block" "main" {
+  bucket = aws_s3_bucket.main.id
+  # https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
+  block_public_acls       = false
+  ignore_public_acls      = true
+  block_public_policy     = true
+  restrict_public_buckets = true
+}
+#resource "aws_s3_bucket_policy" "main" {
+#  bucket = aws_s3_bucket.main.id
+#  policy = data.aws_iam_policy_document.bucket_policy.json
+#}
+#data "aws_iam_policy_document" "bucket_policy" {
+#  # Allow CloudFront to read from the bucket
+#  statement {
+#    principals {
+#      type = "Service"
+#      identifiers = [
+#        "cloudfront.amazonaws.com"
+#      ]
+#    }
+#    actions = [
+#      "s3:GetObject"
+#    ]
+#    resources = [
+#      "${aws_s3_bucket.main.arn}/*",
+#    ]
+#    condition {
+#      test     = "StringEquals"
+#      variable = "AWS:SourceArn"
+#      values   = [aws_cloudfront_distribution.main.arn]
+#    }
+#  }
+#}
+#resource "aws_ssm_parameter" "s3_bucket" {
+#  name  = "/${local.name}/s3_bucket"
+#  type  = "String"
+#  value = aws_s3_bucket.main.bucket
+#}
+resource "aws_s3_object" "healthcheck" {
+  bucket       = aws_s3_bucket.main.id
+  key          = "healthcheck"
+  content      = "OK"
+  content_type = "text/plain"
+}

diff --git a/jinwei.me/infra/outputs.tf b/jinwei.me/infra/outputs.tf index 3537e02..4619f5f 100644 --- a/jinwei.me/infra/outputs.tf +++ b/jinwei.me/infra/outputs.tf
@@ -27,3 +27,10 @@ output "instance" {
27	private_ip = aws_instance.jinwei_me.private_ip	27	private_ip = aws_instance.jinwei_me.private_ip
28	}	28	}
29	}	29	}
		30
		31	output "s3" {
		32	description = "S3 bucket for wordpress"
		33	value = {
		34	bucket_domain_name = aws_s3_bucket.main.bucket_domain_name
		35	}
		36	}


diff --git a/jinwei.me/infra/s3.tf b/jinwei.me/infra/s3.tf new file mode 100644 index 0000000..5626390 --- /dev/null +++ b/jinwei.me/infra/s3.tf
@@ -0,0 +1,58 @@
		1	resource "random_id" "s3_bucket_suffix" {
		2	byte_length = 4
		3	}
		4
		5	resource "aws_s3_bucket" "main" {
		6	bucket = "${var.name}-${random_id.s3_bucket_suffix.hex}"
		7	}
		8
		9	resource "aws_s3_bucket_public_access_block" "main" {
		10	bucket = aws_s3_bucket.main.id
		11
		12	# https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
		13	block_public_acls = false
		14	ignore_public_acls = true
		15	block_public_policy = true
		16	restrict_public_buckets = true
		17	}
		18
		19	#resource "aws_s3_bucket_policy" "main" {
		20	# bucket = aws_s3_bucket.main.id
		21	# policy = data.aws_iam_policy_document.bucket_policy.json
		22	#}
		23
		24	#data "aws_iam_policy_document" "bucket_policy" {
		25	# # Allow CloudFront to read from the bucket
		26	# statement {
		27	# principals {
		28	# type = "Service"
		29	# identifiers = [
		30	# "cloudfront.amazonaws.com"
		31	# ]
		32	# }
		33	# actions = [
		34	# "s3:GetObject"
		35	# ]
		36	# resources = [
		37	# "${aws_s3_bucket.main.arn}/*",
		38	# ]
		39	# condition {
		40	# test = "StringEquals"
		41	# variable = "AWS:SourceArn"
		42	# values = [aws_cloudfront_distribution.main.arn]
		43	# }
		44	# }
		45	#}
		46
		47	#resource "aws_ssm_parameter" "s3_bucket" {
		48	# name = "/${local.name}/s3_bucket"
		49	# type = "String"
		50	# value = aws_s3_bucket.main.bucket
		51	#}
		52
		53	resource "aws_s3_object" "healthcheck" {
		54	bucket = aws_s3_bucket.main.id
		55	key = "healthcheck"
		56	content = "OK"
		57	content_type = "text/plain"
		58	}