diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 498522d..176d822 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -38,19 +38,55 @@ jobs: - run: terraform plan -out=tfplan.out - run: terraform apply -input=false tfplan.out + terraform-20-cloudfront: + runs-on: ubuntu-latest + defaults: + run: + working-directory: infrastructure/20_cloudfront + steps: + - uses: actions/checkout@v4 + - uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::448878779811:role/twitch-live-1710204-my-web-site + role-session-name: github-ipppontech-my-web-site-to-aws-via-oidc + aws-region: ${{ env.AWS_REGION }} + - uses: hashicorp/setup-terraform@v3 + with: + terraform_version: "1.9.7" + terraform_wrapper: false + - run: terraform fmt -check -recursive + - run: terraform init -backend=false + - run: terraform validate + - run: terraform init + - run: terraform plan -out=tfplan.out + - run: terraform apply -input=false tfplan.out + build: needs: - terraform-10-boostrap + - terraform-20-cloudfront runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + - uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::448878779811:role/twitch-live-1710204-my-web-site + role-session-name: github-ipppontech-my-web-site-to-aws-via-oidc + aws-region: ${{ env.AWS_REGION }} - name: Use Node.js LTS uses: actions/setup-node@v4 with: cache: 'npm' node-version: 'lts/*' registry-url: 'https://registry.npmjs.org' + - uses: unfor19/install-aws-cli-action@v1 + with: + version: 2 + verbose: false - name: build run: | npm ci npm run build + - name: copy dist folder to S3 + run: | + aws s3 cp dist s3://twitch-live-17102024-my-web-site-origin/ diff --git a/infrastructure/20_cloudfront/backend.tf b/infrastructure/20_cloudfront/backend.tf new file mode 100644 index 0000000..685148a --- /dev/null +++ b/infrastructure/20_cloudfront/backend.tf 
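Review bot: `aws s3 cp dist s3://twitch-live-17102024-my-web-site-origin/` in the new "copy dist folder to S3" step passes a local directory, which the CLI refuses to copy without `--recursive`, so the step fails on its first run; use `aws s3 cp --recursive dist s3://twitch-live-17102024-my-web-site-origin/` (or `aws s3 sync dist s3://twitch-live-17102024-my-web-site-origin/ --delete` if stale assets should be removed on each deploy). The bucket name is duplicated from `local.origin_bucket_name` in s3_origin.tf and the role ARN is now repeated in two jobs, so either can drift silently; a Terraform output or a single workflow `env` value would keep one source of truth. `unfor19/install-aws-cli-action@v1` is a third-party action referenced by a mutable tag, and the `ubuntu-latest` image already ships AWS CLI v2, so the step can likely be dropped or, if kept, pinned to a commit SHA like the other actions should be. If `permissions: id-token: write` is not granted at workflow level (outside this hunk), the added `configure-aws-credentials` steps will be unable to obtain the OIDC token.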
@@ -0,0 +1,10 @@
+# Note: at the moment, it's not possible to use variables in Terraform backend
+terraform {
+ backend "s3" {
+ bucket = "twitch-live-17102024-tf-states"
+ key = "20_cloudfront/terraform.tfstate"
+ region = "eu-west-3"
+ dynamodb_table = "twitch-live-17102024-tf-states-lock"
+ encrypt = true
+ }
+}
diff --git a/infrastructure/20_cloudfront/cloudfront.tf b/infrastructure/20_cloudfront/cloudfront.tf
new file mode 100644
index 0000000..766db04
--- /dev/null
+++ b/infrastructure/20_cloudfront/cloudfront.tf
@@ -0,0 +1,44 @@
+locals {
+ origin_id = "myOriginId"
+}
+
+module "cdn" {
+ source = "terraform-aws-modules/cloudfront/aws"
+
+ # aliases = ["cdn.example.com"]
+
+ comment = "My awesome CloudFront"
+ enabled = true
+ is_ipv6_enabled = true
+ price_class = "PriceClass_All"
+ retain_on_delete = false
+ wait_for_deployment = false
+
+ create_origin_access_identity = true
+
+ origin_access_control = {
+ s3_oac = {
+ description = "CloudFront access to S3"
+ origin_type = "s3"
+ signing_behavior = "always"
+ signing_protocol = "sigv4"
+ }
+ }
+
+ origin = {
+ s3_one = {
+ domain_name = module.s3_bucket.s3_bucket_bucket_domain_name
+ origin_access_control = "s3_oac" # key in `origin_access_control`
+ origin_id = local.origin_id
+ }
+ }
+
+ default_cache_behavior = {
+ target_origin_id = local.origin_id
+ viewer_protocol_policy = "allow-all"
+ }
+ # viewer_certificate = {
+ # acm_certificate_arn = "arn:aws:acm:us-east-1:135367859851:certificate/1032b155-22da-4ae0-9f69-e206f825458b"
+ # ssl_support_method = "sni-only"
+ # }
+}
diff --git a/infrastructure/20_cloudfront/data.tf b/infrastructure/20_cloudfront/data.tf
new file mode 100644
index 0000000..8fc4b38
--- /dev/null
+++ b/infrastructure/20_cloudfront/data.tf
@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}
diff --git a/infrastructure/20_cloudfront/providers.tf b/infrastructure/20_cloudfront/providers.tf
new file mode 100644
index 0000000..b748065
--- /dev/null
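Review bot: `viewer_protocol_policy = "allow-all"` in `default_cache_behavior` of cloudfront.tf lets viewers fetch the site over plaintext HTTP as well as HTTPS; `viewer_protocol_policy = "redirect-to-https"` works even with `viewer_certificate` still commented out, because the default `*.cloudfront.net` certificate already serves HTTPS. `create_origin_access_identity = true` looks redundant: the only origin is wired to `origin_access_control = "s3_oac"`, so the legacy OAI is created but, as far as this hunk shows, never referenced, and dropping it avoids an unused principal. The commented-out `acm_certificate_arn` names a certificate in account 135367859851, which is not the account of the workflow's role ARN (448878779811), so it appears to be leftover example text and is better removed than kept as a template. `comment = "My awesome CloudFront"` and `origin_id = "myOriginId"` read as placeholders as well.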
+++ b/infrastructure/20_cloudfront/providers.tf
@@ -0,0 +1,10 @@
+provider "aws" {
+ region = var.region
+
+ default_tags {
+ tags = {
+ project = basename(abspath("${path.module}/../.."))
+ subproject = basename(abspath(path.module))
+ }
+ }
+}
diff --git a/infrastructure/20_cloudfront/s3_origin.tf b/infrastructure/20_cloudfront/s3_origin.tf
new file mode 100644
index 0000000..b5d0b84
--- /dev/null
+++ b/infrastructure/20_cloudfront/s3_origin.tf
@@ -0,0 +1,33 @@
+locals {
+ origin_bucket_name = "twitch-live-17102024-my-web-site-origin"
+}
+
+module "s3_bucket" {
+ source = "terraform-aws-modules/s3-bucket/aws"
+
+ bucket = local.origin_bucket_name
+ acl = "private"
+
+ control_object_ownership = true
+ object_ownership = "ObjectWriter"
+
+ server_side_encryption_configuration = {
+ rule = {
+ apply_server_side_encryption_by_default = {
+ sse_algorithm = "AES256"
+ }
+ }
+ }
+
+ # policy = data.aws_iam_policy_document.origin_bucket_policy.json
+}
+
+
+# data "aws_iam_policy_document" "origin_bucket_policy" {
+# statement {
+# effect = "Allow"
+# principals {
+#
+# }
+# }
+# }
diff --git a/infrastructure/20_cloudfront/variables.tf b/infrastructure/20_cloudfront/variables.tf
new file mode 100644
index 0000000..d5aee15
--- /dev/null
+++ b/infrastructure/20_cloudfront/variables.tf
@@ -0,0 +1,5 @@
+variable "region" {
+ description = "Default AWS region"
+ default = "eu-west-3"
+ type = string
+}
diff --git a/infrastructure/20_cloudfront/versions.tf b/infrastructure/20_cloudfront/versions.tf
new file mode 100644
index 0000000..a8d9277
--- /dev/null
+++ b/infrastructure/20_cloudfront/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = "~> 1.0"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+}
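Review bot: The bucket policy that lets CloudFront read the private origin is still a stub in s3_origin.tf (`# policy = data.aws_iam_policy_document.origin_bucket_policy.json` plus the empty commented-out `origin_bucket_policy` document), so assuming the module's block-public-access defaults stay on, the distribution in cloudfront.tf will get 403s from this origin until it is filled in. Filling it in through the module's `policy` argument would create a dependency cycle, because `module.cdn` already reads `module.s3_bucket.s3_bucket_bucket_domain_name`; attaching the policy with a separate `aws_s3_bucket_policy` resource that grants `s3:GetObject` to the `cloudfront.amazonaws.com` service principal only when `AWS:SourceArn` equals this distribution's ARN avoids the cycle and keeps the grant scoped to one distribution, as sketched below. `object_ownership = "ObjectWriter"` with `acl = "private"` keeps object ACLs enabled; `BucketOwnerEnforced` (and dropping `acl`) is the AWS-recommended setting and is sufficient for an OAC-fronted bucket, unless something else relies on per-object ACLs.
```hcl
# … unchanged: locals and module "s3_bucket" (drop the commented-out policy lines) …

# Only this distribution may read objects; attached outside the module so the
# document can reference module.cdn without a dependency cycle.
data "aws_iam_policy_document" "origin_bucket_policy" {
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${module.s3_bucket.s3_bucket_arn}/*"]

    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [module.cdn.cloudfront_distribution_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "origin" {
  bucket = module.s3_bucket.s3_bucket_id
  policy = data.aws_iam_policy_document.origin_bucket_policy.json
}
```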