-
-
Save addshore/444e7e97e2c0c0f9f47c47e5a288b8e9 to your computer and use it in GitHub Desktop.
Terraform Module for dev-preview service on AWS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Provider configuration | |
| terraform { | |
| required_providers { | |
| aws = { | |
| source = "hashicorp/aws" | |
| version = "~> 3.0" | |
| } | |
| } | |
| } | |
| resource "aws_s3_bucket" "dev-preview" { | |
| bucket = var.bucket_name | |
| } | |
| resource "aws_s3_bucket_ownership_controls" "dev-preview" { | |
| bucket = aws_s3_bucket.dev-preview.id | |
| rule { | |
| object_ownership = "BucketOwnerPreferred" | |
| } | |
| } | |
| resource "aws_s3_bucket_public_access_block" "dev-preview" { | |
| bucket = aws_s3_bucket.dev-preview.id | |
| block_public_acls = false | |
| block_public_policy = false | |
| ignore_public_acls = false | |
| restrict_public_buckets = false | |
| } | |
| resource "aws_s3_bucket_acl" "dev-preview" { | |
| depends_on = [ | |
| aws_s3_bucket_ownership_controls.dev-preview, | |
| aws_s3_bucket_public_access_block.dev-preview, | |
| ] | |
| bucket = aws_s3_bucket.dev-preview.id | |
| acl = "public-read" | |
| } | |
| resource "aws_s3_bucket_website_configuration" "dev-preview" { | |
| bucket = aws_s3_bucket.dev-preview.id | |
| index_document { | |
| suffix = "index.html" | |
| } | |
| } | |
| resource "aws_s3_bucket_policy" "dev-preview" { | |
| bucket = aws_s3_bucket.dev-preview.id | |
| policy = data.aws_iam_policy_document.dev-preview.json | |
| } | |
| data "aws_iam_policy_document" "dev-preview" { | |
| statement { | |
| sid = "PublicReadGetObject" | |
| effect = "Allow" | |
| principals { | |
| type = "*" | |
| identifiers = ["*"] | |
| } | |
| actions = [ | |
| "s3:GetObject", | |
| ] | |
| resources = [ | |
| aws_s3_bucket.dev-preview.arn, | |
| "${aws_s3_bucket.dev-preview.arn}/*", | |
| ] | |
| } | |
| } | |
| resource "aws_iam_user" "dev-preview-writer" { | |
| name = "dev-preview-writer" | |
| } | |
| resource "aws_iam_access_key" "dev-preview-writer" { | |
| user = aws_iam_user.dev-preview-writer.name | |
| } | |
| resource "aws_iam_user_policy" "dev-preview-writer" { | |
| name = "dev-preview-writer" | |
| user = aws_iam_user.dev-preview-writer.name | |
| policy = data.aws_iam_policy_document.dev-preview-writer.json | |
| } | |
| data "aws_iam_policy_document" "dev-preview-writer" { | |
| statement { | |
| sid = "AllowDevPreviewWriting" | |
| effect = "Allow" | |
| actions = [ | |
| "s3:PutObject", | |
| "s3:GetObject", | |
| "s3:AbortMultipartUpload", | |
| "s3:ListBucket", | |
| "s3:DeleteObject", | |
| "s3:GetObjectVersion", | |
| "s3:ListMultipartUploadParts" | |
| ] | |
| resources = [ | |
| aws_s3_bucket.dev-preview.arn, | |
| "${aws_s3_bucket.dev-preview.arn}/*", | |
| ] | |
| } | |
| } | |
| resource "aws_s3_bucket_lifecycle_configuration" "dev-preview" { | |
| bucket = aws_s3_bucket.dev-preview.id | |
| rule { | |
| id = "expiry-life-cycle" | |
| expiration { | |
| days = var.expiry_days | |
| } | |
| status = "Enabled" | |
| } | |
| } | |
| locals { | |
| s3_origin_id = "dev-preview-S3Origin" | |
| } | |
| resource "aws_cloudfront_distribution" "dev-preview" { | |
| origin { | |
| domain_name = aws_s3_bucket.dev-preview.bucket_regional_domain_name | |
| origin_id = local.s3_origin_id | |
| } | |
| enabled = true | |
| is_ipv6_enabled = true | |
| comment = "A distribution of a dev-preview bucket, managed by Terraform" | |
| default_root_object = "index.html" | |
| # AWS Managed Caching Policy (CachingDisabled) | |
| default_cache_behavior { | |
| # Using the CachingDisabled managed policy ID: | |
| cache_policy_id = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad" | |
| allowed_methods = ["GET", "HEAD", "OPTIONS"] | |
| cached_methods = ["GET", "HEAD", "OPTIONS"] | |
| viewer_protocol_policy = "redirect-to-https" | |
| target_origin_id = local.s3_origin_id | |
| } | |
| restrictions { | |
| geo_restriction { | |
| restriction_type = "whitelist" | |
| locations = var.allowed_access_locations | |
| } | |
| } | |
| viewer_certificate { | |
| cloudfront_default_certificate = true | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| output "domain" { | |
| description = "Domain name of the distributed bucket" | |
| value = aws_cloudfront_distribution.dev-preview.domain_name | |
| } | |
| output "writer-key-id" { | |
| description = "value of the access key id for the writer user" | |
| value = aws_iam_access_key.dev-preview-writer.id | |
| } | |
| output "writer-key-secret" { | |
| description = "value of the access key secret for the writer user" | |
| value = aws_iam_access_key.dev-preview-writer.secret | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Input variable definitions | |
| variable "bucket_name" { | |
| description = "Name of the s3 bucket. Must be unique." | |
| type = string | |
| } | |
| variable "expiry_days" { | |
| description = "Number of days before objects expire." | |
| type = number | |
| default = 90 | |
| } | |
| variable "allowed_access_locations" { | |
| description = "List of locations access is allowed from." | |
| type = list(string) | |
| default = [ "GB", "US", "CA", "DE" ] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment