# AWS provider. Every apply runs under a dedicated applier role instead of the
# caller's own credentials, and the role ARN pins the target account, so an
# apply with credentials for some other account fails at assume-role instead
# of creating resources in the wrong place.
provider "aws" {
  assume_role {
    # NOTE(review): the account id and role name are hard-coded; consider
    # moving the ARN into a variable so this file is not tied to one account.
    role_arn = "arn:aws:iam::677425296084:role/tuffas-applier"
  }

  region = var.aws_region
}
# Cloudflare provider. No arguments are set, so the API token has to come from
# the environment (presumably CLOUDFLARE_API_TOKEN, which the provider reads),
# which keeps the secret out of the configuration.
provider "cloudflare" {}
# The bucket that stores the static site. Only the name lives here; website
# hosting, the public access guards, object ownership, the ACL and the bucket
# policy are each a separate resource further down (the AWS provider splits
# them out of aws_s3_bucket from v4 on). Nothing in this file turns on
# versioning, access logging or server-side encryption for the bucket.
resource "aws_s3_bucket" "site" {
  # The bucket name has to equal the site hostname: S3 website hosting maps a
  # request for a custom domain to the bucket of the same name.
  bucket = var.site_domain
}
# Deliberately switches off all four account-level public-access guards for
# this bucket. Without this, AWS rejects both the public-read ACL and the
# "Principal": "*" bucket policy defined below. From here on, the bucket
# policy alone decides what anonymous users may do (read objects only), so
# nothing that must stay private belongs in this bucket.
resource "aws_s3_bucket_public_access_block" "site" {
  bucket = aws_s3_bucket.site.id

  # ACL side: permit public ACLs to be set and honoured.
  block_public_acls  = false
  ignore_public_acls = false

  # Policy side: permit a public bucket policy and honour it.
  block_public_policy     = false
  restrict_public_buckets = false
}
# Exposes the bucket as an S3 static-website endpoint. That endpoint serves
# plain HTTP only, which is why the Cloudflare records below are proxied:
# visitors get TLS from Cloudflare, not from S3.
resource "aws_s3_bucket_website_configuration" "site" {
  bucket = aws_s3_bucket.site.id

  # index_document and error_document are nested blocks rather than
  # attributes, hence the braces instead of an "=".
  index_document {
    suffix = "index.html"
  }

  error_document {
    key = "error.html"
  }
}
# Object ownership for uploads. BucketOwnerPreferred makes objects written with
# the bucket-owner-full-control ACL belong to the bucket owner, and — unlike
# BucketOwnerEnforced — leaves ACLs enabled. The public-read ACL resource below
# depends on ACLs staying enabled, so switching this to BucketOwnerEnforced
# would require dropping that resource and relying on the bucket policy alone.
resource "aws_s3_bucket_ownership_controls" "site" {
  bucket = aws_s3_bucket.site.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}
# Canned public-read ACL on the bucket. The bucket policy below already grants
# anonymous s3:GetObject, so this ACL is a second, overlapping grant. It only
# applies because ownership controls keep ACLs enabled and the public access
# block permits public ACLs; Terraform cannot infer that ordering from the
# attribute references, hence the explicit depends_on.
resource "aws_s3_bucket_acl" "site" {
  bucket = aws_s3_bucket.site.id
  acl    = "public-read"

  depends_on = [
    aws_s3_bucket_public_access_block.site,
    aws_s3_bucket_ownership_controls.site,
  ]
}
# Bucket policy: anonymous read of every object. This statement is what makes
# the site public. It is scoped to s3:GetObject only, so listing, writing and
# deleting remain denied. The bare bucket ARN in Resource is inert for
# s3:GetObject (that action only ever applies to object ARNs); it grants
# nothing extra and could be dropped.
resource "aws_s3_bucket_policy" "site" {
  bucket = aws_s3_bucket.site.id

  # jsonencode emits object keys in sorted order, so the key order written
  # here is purely cosmetic.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "PublicReadGetObject"
        Effect    = "Allow"
        Principal = "*"
        Action    = "s3:GetObject"
        Resource = [
          aws_s3_bucket.site.arn,
          "${aws_s3_bucket.site.arn}/*",
        ]
      },
    ]
  })

  # AWS rejects a public policy while block_public_policy is still on, so the
  # access block must be applied first.
  depends_on = [aws_s3_bucket_public_access_block.site]
}
# ---- Cloudflare ----

# A data source only reads from the API; it creates nothing and is not a
# managed resource in state. This one finds the zone that hosts the site.
data "cloudflare_zones" "domain" {
  # The filter restricts the lookup to the zone named after the site domain;
  # without it the data source would return every zone the token can see.
  # The records below index zones[0], so this relies on exactly one match.
  filter {
    name = var.site_domain
  }
}
# DNS: apex record pointing at the S3 website endpoint. A CNAME at the zone
# apex is normally not allowed; it works here because Cloudflare flattens it.
resource "cloudflare_record" "site_cname" {
  zone_id = data.cloudflare_zones.domain.zones[0].id
  type    = "CNAME"
  name    = var.site_domain
  value   = aws_s3_bucket_website_configuration.site.website_endpoint

  # The proxy is what gives visitors HTTPS at all. Note the origin hop from
  # Cloudflare to S3 stays plain HTTP (the website endpoint has no TLS), so the
  # zone's SSL mode has to tolerate an HTTP origin.
  proxied = true

  # ttl = 1 means "automatic", which proxied records require.
  ttl = 1
}
# DNS: www alias for the apex, proxied as well so it gets the same TLS
# termination and the same origin behaviour.
resource "cloudflare_record" "www" {
  zone_id = data.cloudflare_zones.domain.zones[0].id
  type    = "CNAME"
  name    = "www"
  value   = var.site_domain
  proxied = true
  ttl     = 1 # automatic TTL, required for proxied records
}
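# Force HTTPS for the whole site. The target "*<domain>/*" matches the apex
# (the leading wildcard may match nothing) as well as every subdomain,
# including www. The previous pattern "*.<domain>/*" matched subdomains only,
# so http://<domain>/... was never redirected even though the apex record is
# the main entry point.
resource "cloudflare_page_rule" "https" {
  zone_id = data.cloudflare_zones.domain.zones[0].id
  target  = "*${var.site_domain}/*"

  actions {
    always_use_https = true
  }
}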