-rw-r--r-- | jinwei.me/infra/cloudfront.tf | 6 | ||||
-rw-r--r-- | jinwei.me/infra/outputs.tf | 3 | ||||
-rw-r--r-- | jinwei.me/infra/s3.tf | 24 |
3 files changed, 17 insertions, 16 deletions
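--- a/jinwei.me/infra/cloudfront.tf
+++ b/jinwei.me/infra/cloudfront.tf
@@ -8,7 +8,7 @@ resource "aws_cloudfront_distribution" "main" {
 wait_for_deployment = false
 
 default_cache_behavior {
-target_origin_id = aws_s3_bucket.main.bucket_regional_domain_name
+target_origin_id = aws_s3_bucket.static.bucket_regional_domain_name
 
 compress = true
 viewer_protocol_policy = "redirect-to-https"
@@ -19,8 +19,8 @@ resource "aws_cloudfront_distribution" "main" {
 }
 
 origin {
-origin_id = aws_s3_bucket.main.bucket_regional_domain_name
-domain_name = aws_s3_bucket.main.bucket_regional_domain_name
+origin_id = aws_s3_bucket.static.bucket_regional_domain_name
+domain_name = aws_s3_bucket.static.bucket_regional_domain_name
 origin_access_control_id = aws_cloudfront_origin_access_control.main.id
 }
 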
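Review bot: Pointing origin_id and domain_name at aws_s3_bucket.static (second hunk, origin block) moves the distribution to a freshly named bucket on the next apply, while `wait_for_deployment = false` a few lines earlier lets apply return before edge locations have picked up the new origin; if the old bucket is destroyed in the same apply, requests served from the stale configuration will fail until propagation completes. Consider setting `wait_for_deployment = true` for this migration, or applying the origin change before the old bucket is removed. The enclosing aws_cloudfront_distribution.main resource starts before the first hunk.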
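--- a/jinwei.me/infra/outputs.tf
+++ b/jinwei.me/infra/outputs.tf
@@ -31,8 +31,7 @@ output "instance" {
 output "s3" {
 description = "S3 bucket for wordpress"
 value = {
-bucket_domain_name = aws_s3_bucket.main.bucket_regional_domain_name
-policy = aws_s3_bucket_policy.main.policy
+bucket_domain_name = aws_s3_bucket.static.bucket_regional_domain_name
 }
 }
 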
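Review bot: The description on line 32 still says "S3 bucket for wordpress" while the value now points at the bucket renamed to `static`, which s3.tf documents as the CloudFront-read origin; update it, e.g. `description = "Static-content S3 bucket served by CloudFront"`. Dropping the `policy` attribute from the output looks deliberate, but nothing in this diff shows whether another module or workspace consumed it, so that is worth confirming before merge.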
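--- a/jinwei.me/infra/s3.tf
+++ b/jinwei.me/infra/s3.tf
@@ -2,12 +2,13 @@ resource "random_id" "s3_bucket_suffix" {
 byte_length = 4
 }
 
-resource "aws_s3_bucket" "main" {
-bucket = "static.jinwei.me"
+resource "aws_s3_bucket" "static" {
+# https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html#:~:text=For%20best%20compatibility,in%20their%20names
+bucket = "${var.name}-${random_id.s3_bucket_suffix.hex}"
 }
 
-resource "aws_s3_bucket_public_access_block" "main" {
-bucket = aws_s3_bucket.main.id
+resource "aws_s3_bucket_public_access_block" "static" {
+bucket = aws_s3_bucket.static.id
 
 # https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
 block_public_acls = false
@@ -16,12 +17,13 @@ resource "aws_s3_bucket_public_access_block" "main" {
 restrict_public_buckets = true
 }
 
-resource "aws_s3_bucket_policy" "main" {
-bucket = aws_s3_bucket.main.id
-policy = data.aws_iam_policy_document.bucket_policy.json
+resource "aws_s3_bucket_policy" "static" {
+bucket = aws_s3_bucket.static.id
+policy = data.aws_iam_policy_document.static_bucket_policy.json
 }
 
-data "aws_iam_policy_document" "bucket_policy" {
+
+data "aws_iam_policy_document" "static_bucket_policy" {
 # Allow Cloudfront to read from the bucket
 statement {
 principals {
@@ -34,7 +36,7 @@ data "aws_iam_policy_document" "bucket_policy" {
 "s3:GetObject"
 ]
 resources = [
-"${aws_s3_bucket.main.arn}/*",
+"${aws_s3_bucket.static.arn}/*",
 ]
 condition {
 test = "StringEquals"
@@ -44,8 +46,8 @@ data "aws_iam_policy_document" "bucket_policy" {
 }
 }
 
-resource "aws_s3_object" "healthcheck" {
-bucket = aws_s3_bucket.main.id
+resource "aws_s3_object" "check" {
+bucket = aws_s3_bucket.static.id
 key = "healthcheck"
 content = "OK"
 content_type = "text/plain"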
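Review bot: The new bucket name `"${var.name}-${random_id.s3_bucket_suffix.hex}"` (first hunk) interpolates var.name with no validation visible in this diff, yet S3 bucket names are limited to 3–63 lowercase characters; with the 8-hex-character suffix and hyphen that caps var.name at 54 lowercase characters, which a variable validation block such as `condition = can(regex("^[a-z0-9][a-z0-9-]{0,53}$", var.name))` would enforce at plan time instead of failing at apply. Because the bucket's name changes, Terraform will replace the bucket and its dependent public-access block, policy and healthcheck object rather than rename them; if the old `static.jinwei.me` bucket holds content, the destroy will fail without `force_destroy` (not shown), and no migration of existing objects appears in the diff. A `moved` block from aws_s3_bucket.main to aws_s3_bucket.static would at least make the replacement an explicit, reviewable plan step. The random_id resource starts before the first hunk, and the public-access block, policy document and object resources each extend beyond their hunks.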