-rw-r--r--jinwei.me/infra/cloudfront.tf6
-rw-r--r--jinwei.me/infra/outputs.tf3
-rw-r--r--jinwei.me/infra/s3.tf24
3 files changed, 17 insertions, 16 deletions
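--- a/jinwei.me/infra/cloudfront.tf
+++ b/jinwei.me/infra/cloudfront.tf
@@ -8,7 +8,7 @@ resource "aws_cloudfront_distribution" "main" {
   wait_for_deployment = false
 
   default_cache_behavior {
-    target_origin_id = aws_s3_bucket.main.bucket_regional_domain_name
+    target_origin_id = aws_s3_bucket.static.bucket_regional_domain_name
 
     compress = true
     viewer_protocol_policy = "redirect-to-https"
@@ -19,8 +19,8 @@ resource "aws_cloudfront_distribution" "main" {
   }
 
   origin {
-    origin_id = aws_s3_bucket.main.bucket_regional_domain_name
-    domain_name = aws_s3_bucket.main.bucket_regional_domain_name
+    origin_id = aws_s3_bucket.static.bucket_regional_domain_name
+    domain_name = aws_s3_bucket.static.bucket_regional_domain_name
     origin_access_control_id = aws_cloudfront_origin_access_control.main.id
   }
 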
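--- a/jinwei.me/infra/outputs.tf
+++ b/jinwei.me/infra/outputs.tf
@@ -31,8 +31,7 @@ output "instance" {
 output "s3" {
   description = "S3 bucket for wordpress"
   value = {
-    bucket_domain_name = aws_s3_bucket.main.bucket_regional_domain_name
-    policy = aws_s3_bucket_policy.main.policy
+    bucket_domain_name = aws_s3_bucket.static.bucket_regional_domain_name
   }
 }
 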
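--- a/jinwei.me/infra/s3.tf
+++ b/jinwei.me/infra/s3.tf
@@ -2,12 +2,13 @@ resource "random_id" "s3_bucket_suffix" {
   byte_length = 4
 }
 
-resource "aws_s3_bucket" "main" {
-  bucket = "static.jinwei.me"
+resource "aws_s3_bucket" "static" {
+  # https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html#:~:text=For%20best%20compatibility,in%20their%20names
+  bucket = "${var.name}-${random_id.s3_bucket_suffix.hex}"
 }
 
-resource "aws_s3_bucket_public_access_block" "main" {
-  bucket = aws_s3_bucket.main.id
+resource "aws_s3_bucket_public_access_block" "static" {
+  bucket = aws_s3_bucket.static.id
 
   # https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
   block_public_acls = false
@@ -16,12 +17,13 @@ resource "aws_s3_bucket_public_access_block" "main" {
   restrict_public_buckets = true
 }
 
-resource "aws_s3_bucket_policy" "main" {
-  bucket = aws_s3_bucket.main.id
-  policy = data.aws_iam_policy_document.bucket_policy.json
+resource "aws_s3_bucket_policy" "static" {
+  bucket = aws_s3_bucket.static.id
+  policy = data.aws_iam_policy_document.static_bucket_policy.json
 }
 
-data "aws_iam_policy_document" "bucket_policy" {
+
+data "aws_iam_policy_document" "static_bucket_policy" {
   # Allow Cloudfront to read from the bucket
   statement {
     principals {
@@ -34,7 +36,7 @@ data "aws_iam_policy_document" "bucket_policy" {
       "s3:GetObject"
     ]
     resources = [
-      "${aws_s3_bucket.main.arn}/*",
+      "${aws_s3_bucket.static.arn}/*",
     ]
     condition {
       test = "StringEquals"
@@ -44,8 +46,8 @@ data "aws_iam_policy_document" "bucket_policy" {
   }
 }
 
-resource "aws_s3_object" "healthcheck" {
-  bucket = aws_s3_bucket.main.id
+resource "aws_s3_object" "check" {
+  bucket = aws_s3_bucket.static.id
   key = "healthcheck"
   content = "OK"
   content_type = "text/plain"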
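Review bot: The new `bucket = "${var.name}-${random_id.s3_bucket_suffix.hex}"` line changes the bucket's name as well as its resource address, so even with a `moved { from = aws_s3_bucket.main to = aws_s3_bucket.static }` block Terraform will plan to destroy `static.jinwei.me` and create a fresh, empty bucket; the destroy fails on a non-empty bucket unless `force_destroy = true` is set, and if it succeeds the existing objects are gone, so the content needs to be synced to the new bucket before the old one is removed. While this resource is being reworked, the `block_public_acls = false` carried over in the public-access block is worth revisiting: the bucket is only meant to be read through the CloudFront origin access control (the `s3:GetObject` statement conditioned with `StringEquals`), so all four settings can be `true` unless something outside this diff still relies on public object ACLs. The `random_id.s3_bucket_suffix` resource has no `keepers` visible here, so its 4-byte hex suffix stays stable across applies and any later change to `var.name` will again force a bucket replacement.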