From e2327197c423e23628701dca328fbd05693e7a61 Mon Sep 17 00:00:00 2001
From: clarkzjw
Date: Sat, 10 Dec 2022 21:23:20 -0800
Subject: infra: add s3 acl

---
 jinwei.me/infra/.terraform.lock.hcl | 20 ++++++++++++
 jinwei.me/infra/data.tf | 1 +
 jinwei.me/infra/outputs.tf | 1 +
 jinwei.me/infra/s3.tf | 62 +++++++++++++++++--------------------
 jinwei.me/infra/variables.tf | 13 +++++---
 jinwei.me/infra/versions.tf | 4 +++
 6 files changed, 63 insertions(+), 38 deletions(-)

diff --git a/jinwei.me/infra/.terraform.lock.hcl b/jinwei.me/infra/.terraform.lock.hcl
index 92b4d9c..9fdb71e 100644
--- a/jinwei.me/infra/.terraform.lock.hcl
+++ b/jinwei.me/infra/.terraform.lock.hcl
@@ -1,6 +1,26 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 
+provider "registry.terraform.io/cloudflare/cloudflare" {
+ version = "2.19.2"
+ constraints = "2.19.2"
+ hashes = [
+ "h1:gcgDf0Ltyopd5j30oCcnjceCyRpJmSBhTTwldOFnJEc=",
+ "zh:35a4d37c7601b537e156a032730e2987f137017e38c9a1a383f75cfeccb1975e",
+ "zh:3bdb1544aef7469813a699ba8d322248c96ffa05573c2bb990e1297aa95473d0",
+ "zh:41a322d3eeeb0dde185ea7a9cafe952c445a683a6a372089f8d003d8d2f4b722",
+ "zh:447ec6386879ff56cd3a97fc5d20b428451a445f8846a0127f5788de9e213b3c",
+ "zh:4a1fa7c6c9e28916009fe3c7a9f7f944e8b4e307ab3d97a34d81ba66769160f6",
+ "zh:5a2cb0e8ddc725c78ba09a817105136f564c7f4fe0173633d82bc3f8005dc15a",
+ "zh:83c0edc0ddd6ad8e3c140dcecafccad69edd199d2526cc9be10d857316f3859e",
+ "zh:a5a1917943a9e8486dc3d0eb315bc899944fe67888e38b35999b6a79907ec762",
+ "zh:a5cfcd8ec0fd3d0c80de8c519ee07b1e899b8f86d5f6f5800bc959190df9eb93",
+ "zh:be3a37ef3f0991989a4e51e5fe16d9cf71571cb1ecb7a41b31d91c2ae2a3313d",
+ "zh:ef1155fd12e3528f686b6a59fc732e35265f8d08450bc27baf8ccebbcd4cff0c",
+ "zh:f3a2293a7ccb14fa16472c7948498d5a19cb5f26e3aeb1b59756c7f9045c277b",
+ ]
+}
+
 provider "registry.terraform.io/hashicorp/aws" {
 version = "4.46.0"
 constraints = "~> 4.46"
diff --git a/jinwei.me/infra/data.tf b/jinwei.me/infra/data.tf
index 2102273..8c461e4 100644
--- a/jinwei.me/infra/data.tf
+++ b/jinwei.me/infra/data.tf
@@ -9,3 +9,4 @@ data "aws_ami" "debian" {
 }
 
 data "aws_availability_zones" "available" {}
+data "cloudflare_ip_ranges" "cloudflare" {}
diff --git a/jinwei.me/infra/outputs.tf b/jinwei.me/infra/outputs.tf
index 4619f5f..d5df1df 100644
--- a/jinwei.me/infra/outputs.tf
+++ b/jinwei.me/infra/outputs.tf
@@ -32,5 +32,6 @@ output "s3" {
 description = "S3 bucket for wordpress"
 value = {
 bucket_domain_name = aws_s3_bucket.main.bucket_domain_name
+ policy = aws_s3_bucket_policy.main.policy
 }
 }
diff --git a/jinwei.me/infra/s3.tf b/jinwei.me/infra/s3.tf
index 5626390..58e0502 100644
--- a/jinwei.me/infra/s3.tf
+++ b/jinwei.me/infra/s3.tf
@@ -3,7 +3,7 @@ resource "random_id" "s3_bucket_suffix" {
 }
 
 resource "aws_s3_bucket" "main" {
- bucket = "${var.name}-${random_id.s3_bucket_suffix.hex}"
+ bucket = "static.jinwei.me"
 }
 
 resource "aws_s3_bucket_public_access_block" "main" {
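Review bot: The bucket name in the `aws_s3_bucket.main` hunk is now the literal `"static.jinwei.me"`, while the same commit introduces `site_domain` and `s3_cdn_name` in variables.tf that nothing in this diff reads; `bucket = "${var.s3_cdn_name}.${var.site_domain}"` would tie the two together and keep the name out of s3.tf. With the suffix dropped from the name, `random_id.s3_bucket_suffix` (visible as hunk context) no longer contributes to the bucket and looks dead unless another file references it. Note also that changing `bucket` on an existing `aws_s3_bucket` forces a replacement, so if this bucket was already created under the old name, presumably its objects need to be migrated before apply; a comment on the resource stating that the name is fixed to the CDN hostname, e.g. `# Name must equal the public CDN hostname; changing it replaces the bucket`, would make the intent explicit.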
@@ -12,43 +12,37 @@ resource "aws_s3_bucket_public_access_block" "main" {
 # https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
 block_public_acls = false
 ignore_public_acls = true
- block_public_policy = true
+ block_public_policy = false
 restrict_public_buckets = true
 }
 
-#resource "aws_s3_bucket_policy" "main" {
-# bucket = aws_s3_bucket.main.id
-# policy = data.aws_iam_policy_document.bucket_policy.json
-#}
-
-#data "aws_iam_policy_document" "bucket_policy" {
-# # Allow CloudFront to read from the bucket
-# statement {
-# principals {
-# type = "Service"
-# identifiers = [
-# "cloudfront.amazonaws.com"
-# ]
-# }
-# actions = [
-# "s3:GetObject"
-# ]
-# resources = [
-# "${aws_s3_bucket.main.arn}/*",
-# ]
-# condition {
-# test = "StringEquals"
-# variable = "AWS:SourceArn"
-# values = [aws_cloudfront_distribution.main.arn]
-# }
-# }
-#}
+resource "aws_s3_bucket_policy" "main" {
+ bucket = aws_s3_bucket.main.id
+ policy = data.aws_iam_policy_document.bucket_policy.json
+}
 
-#resource "aws_ssm_parameter" "s3_bucket" {
-# name = "/${local.name}/s3_bucket"
-# type = "String"
-# value = aws_s3_bucket.main.bucket
-#}
+data "aws_iam_policy_document" "bucket_policy" {
+ # Allow Cloudflare to read from the bucket
+ statement {
+ principals {
+ type = "AWS"
+ identifiers = [
+ "*"
+ ]
+ }
+ actions = [
+ "s3:GetObject"
+ ]
+ resources = [
+ "${aws_s3_bucket.main.arn}/*",
+ ]
+ condition {
+ test = "IpAddress"
+ variable = "AWS:SourceIp"
+ values = data.cloudflare_ip_ranges.cloudflare.cidr_blocks
+ }
+ }
+}
 
 resource "aws_s3_object" "healthcheck" {
 bucket = aws_s3_bucket.main.id
diff --git a/jinwei.me/infra/variables.tf b/jinwei.me/infra/variables.tf
index 575b118..9145176 100644
--- a/jinwei.me/infra/variables.tf
+++ b/jinwei.me/infra/variables.tf
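Review bot: The new `bucket_policy` statement grants `s3:GetObject` to principal `*` for any request whose `AWS:SourceIp` lies in Cloudflare's published ranges, which only proves the request came through Cloudflare's edge, not through this site's zone; any Cloudflare-proxied hostname whose origin points at this bucket satisfies the condition, so the objects should be documented and treated as effectively public rather than private to the site. The comment `# Allow Cloudflare to read from the bucket` understates this; `# Allow reads from any Cloudflare edge IP (not scoped to this zone); objects here are effectively public` says what the policy actually does, and the previous CloudFront/`AWS:SourceArn` variant that was removed had the origin-scoping property this one lacks. `data.cloudflare_ip_ranges.cloudflare.cidr_blocks` is resolved at plan time, so the policy drifts from Cloudflare's list until the next `terraform apply`; worth a comment, or a scheduled apply, so a stale list surfaces as a 403 from the CDN rather than a mystery. Flipping `block_public_policy` to `false` presumably was needed to get the policy accepted, but it also removes the guard against a later unconditioned public policy being attached, so `restrict_public_buckets = true` should stay as it is, and the reason for the flip belongs in the comment above the block.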
@@ -51,7 +51,12 @@ variable "ec2_instance_type" {
 default = "t2.micro"
 }
 
-#variable "ec2_key_name" {
-# description = "Name of key pair to log into the EC2 instance. The key pair must already exist."
-# type = string
-#}
+variable "site_domain" {
+ type = string
+ default = "jinwei.me"
+}
+
+variable "s3_cdn_name" {
+ type = string
+ default = "static"
+}
diff --git a/jinwei.me/infra/versions.tf b/jinwei.me/infra/versions.tf
index 2ff0472..9d28904 100644
--- a/jinwei.me/infra/versions.tf
+++ b/jinwei.me/infra/versions.tf
@@ -4,5 +4,9 @@ terraform {
 source = "hashicorp/aws"
 version = "~> 4.46"
 }
+ cloudflare = {
+ source = "cloudflare/cloudflare"
+ version = "2.19.2"
+ }
 }
 }
-- 
cgit v1.2.3
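Review bot: `site_domain` and `s3_cdn_name` are added without a `description`, unlike the `ec2_key_name` variable the hunk removes, which had one; add `description = "Apex domain of the site; S3 bucket and DNS names are derived from it"` and `description = "Hostname label of the static-asset bucket under site_domain"` so `terraform plan` and the docs explain what overriding them changes. Nothing in this diff reads either variable (the bucket name in s3.tf is a literal), so they may be unused until a later commit wires them in; if they are intended to drive the bucket name, the s3.tf hunk is where they should be referenced.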