diff --git a/.gitignore b/.gitignore index 1c72bc2..623bf3e 100644 --- a/.gitignore +++ b/.gitignore @@ -25,3 +25,6 @@ pnpm-debug.log* # Custom src/assets/deck_of_cards src/assets/avatars + +# terraform +*.terraform diff --git a/.infrastructure/Makefile b/.infrastructure/Makefile new file mode 100644 index 0000000..41847f5 --- /dev/null +++ b/.infrastructure/Makefile @@ -0,0 +1,215 @@ +# Copyright 2016 Philip G. Porada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +.ONESHELL: +.SHELL := /usr/bin/bash +.PHONY: apply destroy-backend destroy destroy-target plan-destroy plan plan-target prep + +-include Makefile.env +# VARS="variables/$(ENV)-$(REGION).tfvars" +VARS="$(ENV)-$(REGION).tfvars" +CURRENT_FOLDER=$(shell basename "$$(pwd)") +S3_BUCKET="$(ENV)-$(REGION)-$(PROJECT)-terraform" +DYNAMODB_TABLE="$(ENV)-$(REGION)-$(PROJECT)-terraform" +WORKSPACE="$(ENV)-$(REGION)" +BOLD=$(shell tput bold) +RED=$(shell tput setaf 1) +GREEN=$(shell tput setaf 2) +YELLOW=$(shell tput setaf 3) +RESET=$(shell tput sgr0) + +help: + @grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' + +set-env: + @if [ -z $(ENV) ]; then \ + echo "$(BOLD)$(RED)ENV was not set$(RESET)"; \ + ERROR=1; \ + fi + @if [ -z $(REGION) ]; then \ + echo "$(BOLD)$(RED)REGION was not set$(RESET)"; \ + ERROR=1; \ + fi + @if [ -z $(AWS_PROFILE) ]; then \ + echo "$(BOLD)$(RED)AWS_PROFILE was not set.$(RESET)"; \ + ERROR=1; \ + fi + @if [ ! -z $${ERROR} ] && [ $${ERROR} -eq 1 ]; then \ + echo "$(BOLD)Example usage: \`AWS_PROFILE=whatever ENV=demo REGION=us-east-2 make plan\`$(RESET)"; \ + exit 1; \ + fi + @if [ ! -f "$(VARS)" ]; then \ + echo "$(BOLD)$(RED)Could not find variables file: $(VARS)$(RESET)"; \ + exit 1; \ + fi + +prep: set-env ## Prepare a new workspace (environment) if needed, configure the tfstate backend, update any modules, and switch to the workspace + @echo "$(BOLD)Verifying that the S3 bucket $(S3_BUCKET) for remote state exists$(RESET)" + @if ! aws --profile $(AWS_PROFILE) s3api head-bucket --region $(REGION) --bucket $(S3_BUCKET) > /dev/null 2>&1 ; then \ + echo "$(BOLD)S3 bucket $(S3_BUCKET) was not found, creating new bucket with versioning enabled to store tfstate$(RESET)"; \ + aws --profile $(AWS_PROFILE) s3api create-bucket \ + --bucket $(S3_BUCKET) \ + --acl private \ + --region $(REGION) \ + --create-bucket-configuration LocationConstraint=$(REGION) > /dev/null 2>&1 ; \ + aws --profile $(AWS_PROFILE) s3api put-bucket-versioning \ + --bucket $(S3_BUCKET) \ + --versioning-configuration Status=Enabled > /dev/null 2>&1 ; \ + echo "$(BOLD)$(GREEN)S3 bucket $(S3_BUCKET) created$(RESET)"; \ + else + echo "$(BOLD)$(GREEN)S3 bucket $(S3_BUCKET) exists$(RESET)"; \ + fi + @echo "$(BOLD)Verifying that the DynamoDB table exists for remote state locking$(RESET)" + @if ! aws --profile $(AWS_PROFILE) --region $(REGION) dynamodb describe-table --table-name $(DYNAMODB_TABLE) > /dev/null 2>&1 ; then \ + echo "$(BOLD)DynamoDB table $(DYNAMODB_TABLE) was not found, creating new DynamoDB table to maintain locks$(RESET)"; \ + aws --profile $(AWS_PROFILE) dynamodb create-table \ + --region $(REGION) \ + --table-name $(DYNAMODB_TABLE) \ + --attribute-definitions AttributeName=LockID,AttributeType=S \ + --key-schema AttributeName=LockID,KeyType=HASH \ + --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 > /dev/null 2>&1 ; \ + echo "$(BOLD)$(GREEN)DynamoDB table $(DYNAMODB_TABLE) created$(RESET)"; \ + echo "Sleeping for 10 seconds to allow DynamoDB state to propagate through AWS"; \ + sleep 10; \ + else + echo "$(BOLD)$(GREEN)DynamoDB Table $(DYNAMODB_TABLE) exists$(RESET)"; \ + fi + @aws ec2 --profile=$(AWS_PROFILE) describe-key-pairs | jq -r '.KeyPairs[].KeyName' | grep "$(ENV)_infra_key" > /dev/null 2>&1; \ + if [ $$? -ne 0 ]; then \ + echo "$(BOLD)$(RED)EC2 Key Pair $(INFRA_KEY)_infra_key was not found$(RESET)"; \ + read -p '$(BOLD)Do you want to generate a new keypair? [y/Y]: $(RESET)' ANSWER && \ + if [ "$${ANSWER}" == "y" ] || [ "$${ANSWER}" == "Y" ]; then \ + mkdir -p ~/.ssh; \ + ssh-keygen -t rsa -b 4096 -N '' -f ~/.ssh/$(ENV)_infra_key; \ + aws ec2 --profile=$(AWS_PROFILE) import-key-pair --key-name "$(ENV)_infra_key" --public-key-material "file://~/.ssh/$(ENV)_infra_key.pub"; \ + fi; \ + else \ + echo "$(BOLD)$(GREEN)EC2 Key Pair $(ENV)_infra_key exists$(RESET)";\ + fi + @echo "$(BOLD)Configuring the terraform backend$(RESET)" + @terraform init \ + -input=false \ + -force-copy \ + -lock=true \ + -upgrade \ + -verify-plugins=true \ + -backend=true \ + -backend-config="profile=$(AWS_PROFILE)" \ + -backend-config="region=$(REGION)" \ + -backend-config="bucket=$(S3_BUCKET)" \ + -backend-config="key=$(ENV)/$(CURRENT_FOLDER)/terraform.tfstate" \ + -backend-config="dynamodb_table=$(DYNAMODB_TABLE)"\ + -backend-config="acl=private" + @echo "$(BOLD)Switching to workspace $(WORKSPACE)$(RESET)" + @terraform workspace select $(WORKSPACE) || terraform workspace new $(WORKSPACE) + +plan: prep ## Show what terraform thinks it will do + @terraform plan \ + -lock=true \ + -input=false \ + -refresh=true \ + -var-file="$(VARS)" + +format: prep ## Rewrites all Terraform configuration files to a canonical format. + @terraform fmt \ + -write=true \ + -recursive + +# https://github.com/terraform-linters/tflint +lint: prep ## Check for possible errors, best practices, etc in current directory! + @tflint + +# https://github.com/liamg/tfsec +check-security: prep ## Static analysis of your terraform templates to spot potential security issues. + @tfsec . + +documentation: prep ## Generate README.md for a module + @terraform-docs \ + markdown table \ + --sort-by-required . > README.md + +plan-target: prep ## Shows what a plan looks like for applying a specific resource + @echo "$(YELLOW)$(BOLD)[INFO] $(RESET)"; echo "Example to type for the following question: module.rds.aws_route53_record.rds-master" + @read -p "PLAN target: " DATA && \ + terraform plan \ + -lock=true \ + -input=true \ + -refresh=true \ + -var-file="$(VARS)" \ + -target=$$DATA + +plan-destroy: prep ## Creates a destruction plan. + @terraform plan \ + -input=false \ + -refresh=true \ + -destroy \ + -var-file="$(VARS)" + +apply: prep ## Have terraform do the things. This will cost money. + @terraform apply \ + -lock=true \ + -input=false \ + -refresh=true \ + -var-file="$(VARS)" + +destroy: prep ## Destroy the things + @terraform destroy \ + -lock=true \ + -input=false \ + -refresh=true \ + -var-file="$(VARS)" + +destroy-target: prep ## Destroy a specific resource. Caution though, this destroys chained resources. + @echo "$(YELLOW)$(BOLD)[INFO] Specifically destroy a piece of Terraform data.$(RESET)"; echo "Example to type for the following question: module.rds.aws_route53_record.rds-master" + @read -p "Destroy target: " DATA && \ + terraform destroy \ + -lock=true \ + -input=false \ + -refresh=true \ + -var-file=$(VARS) \ + -target=$$DATA + +destroy-backend: ## Destroy S3 bucket and DynamoDB table + @if ! aws --profile $(AWS_PROFILE) dynamodb delete-table \ + --region $(REGION) \ + --table-name $(DYNAMODB_TABLE) > /dev/null 2>&1 ; then \ + echo "$(BOLD)$(RED)Unable to delete DynamoDB table $(DYNAMODB_TABLE)$(RESET)"; \ + else + echo "$(BOLD)$(RED)DynamoDB table $(DYNAMODB_TABLE) does not exist.$(RESET)"; \ + fi + @if ! aws --profile $(AWS_PROFILE) s3api delete-objects \ + --region $(REGION) \ + --bucket $(S3_BUCKET) \ + --delete "$$(aws --profile $(AWS_PROFILE) s3api list-object-versions \ + --region $(REGION) \ + --bucket $(S3_BUCKET) \ + --output=json \ + --query='{Objects: Versions[].{Key:Key,VersionId:VersionId}}')" > /dev/null 2>&1 ; then \ + echo "$(BOLD)$(RED)Unable to delete objects in S3 bucket $(S3_BUCKET)$(RESET)"; \ + fi + @if ! aws --profile $(AWS_PROFILE) s3api delete-objects \ + --region $(REGION) \ + --bucket $(S3_BUCKET) \ + --delete "$$(aws --profile $(AWS_PROFILE) s3api list-object-versions \ + --region $(REGION) \ + --bucket $(S3_BUCKET) \ + --output=json \ + --query='{Objects: DeleteMarkers[].{Key:Key,VersionId:VersionId}}')" > /dev/null 2>&1 ; then \ + echo "$(BOLD)$(RED)Unable to delete markers in S3 bucket $(S3_BUCKET)$(RESET)"; \ + fi + @if ! aws --profile $(AWS_PROFILE) s3api delete-bucket \ + --region $(REGION) \ + --bucket $(S3_BUCKET) > /dev/null 2>&1 ; then \ + echo "$(BOLD)$(RED)Unable to delete S3 bucket $(S3_BUCKET) itself$(RESET)"; \ + fi diff --git a/.infrastructure/Makefile.env b/.infrastructure/Makefile.env new file mode 100644 index 0000000..33e1bad --- /dev/null +++ b/.infrastructure/Makefile.env @@ -0,0 +1,4 @@ +ENV="prod" +REGION="eu-west-1" +PROJECT="onmyojideckbuilder" +AWS_PROFILE="admin" diff --git a/.infrastructure/lambda/main.js b/.infrastructure/lambda/main.js new file mode 100644 index 0000000..6c9f2bf --- /dev/null +++ b/.infrastructure/lambda/main.js @@ -0,0 +1,29 @@ +"use strict"; + +exports.handler = (event, context, callback) => { + // Extract the request from the Cloudfront event that is sent to Lambda@Edge + var request = event.Records[0].cf.request; + + // Extract the URI from the request + var oldURI = request.uri; + + // Match any '/' that occurs at the end of a URI. Replace it with a default index + function replace_uri(uri) { + uri = uri.replace(/\/$/, "/index.html"); + // uri = uri.replace(/\.io\/search\?q\=(.*)/, ".io/search/index.html?q=$1"); + // console.log(uri) + return uri; + } + // var newURI = oldURI.replace(/\/$/, "/index.html"); + var newURI = replace_uri(oldURI); + + // Log the URI as received by Cloudfront and the new URI to be used to fetch from the origin + console.log(`Old URI: ${oldURI}`); + console.log(`New URI: ${newURI}`); + + // Replace the received URI with the URI that includes the index page + request.uri = newURI; + + // Return to Cloudfront + return callback(null, request); +}; diff --git a/.infrastructure/lambda/main.js.zip b/.infrastructure/lambda/main.js.zip new file mode 100644 index 0000000..bfff512 Binary files /dev/null and b/.infrastructure/lambda/main.js.zip differ diff --git a/.infrastructure/main.tf b/.infrastructure/main.tf new file mode 100644 index 0000000..f46caee --- /dev/null +++ b/.infrastructure/main.tf @@ -0,0 +1,133 @@ +# aws config +provider "aws" { + region = var.region + profile = var.profile + version = "~> 2.66" +} + +provider "aws" { + alias = "us_east_1" + profile = var.profile + region = "us-east-1" +} + +# tags +locals { + tags = { + "Project" = "onmyoji-deck-builder" + "Description" = "website to build and share onmyoji decks" + } +} + +# cloudfront +module "cloudfront_s3_cdn" { + source = "git::https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn.git?ref=tags/0.52.0" + stage = var.stage + name = var.name + parent_zone_id = var.parent_zone_id + acm_certificate_arn = var.acm_certificate_arn + use_regional_s3_endpoint = true + origin_force_destroy = true + compress = true + cors_allowed_headers = ["*"] + cors_allowed_methods = ["GET", "HEAD", "PUT", "POST"] + cors_allowed_origins = var.allowed_origins + tags = local.tags + aliases = var.aliases + index_document = "index.html" + lambda_function_association = [ + { + event_type : "origin-request", + lambda_arn : aws_lambda_function.directory_indexes.qualified_arn, + include_body : false + } + ] + + # this policy sets the bucket to be public for all newly created files + additional_bucket_policy = <<-EOT + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid":"PublicRead", + "Effect":"Allow", + "Principal":"*", + "Action":["s3:GetObject"], + "Resource":"arn:aws:s3:::${module.cloudfront_s3_cdn.s3_bucket}/*" + } + ] + } + EOT +} + +data "archive_file" "lambda_main" { + type = "zip" + source_file = var.source_file + output_path = "${var.source_file}.zip" +} + +resource "aws_lambda_function" "directory_indexes" { + provider = aws.us_east_1 + function_name = "${var.stage}-${var.name}-directory_indexes" + filename = "${var.source_file}.zip" + source_code_hash = data.archive_file.lambda_main.output_base64sha256 + # s3_bucket = aws_s3_bucket.lambda_s3.id + # s3_key = var.lambda_key + handler = var.handler + runtime = var.runtime + role = aws_iam_role.lambda_role.arn + publish = true + tags = local.tags + + depends_on = [aws_iam_role_policy_attachment.lambda_logging] +} + +## Lambda iam role & policies + +resource "aws_iam_role" "lambda_role" { + name = "${var.stage}-${var.name}-lambda" + tags = local.tags + + assume_role_policy = <<-EOT + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com", + "edgelambda.amazonaws.com" + ] + }, + "Action": "sts:AssumeRole" + } + ] + } + EOT +} + +resource "aws_iam_policy" "lambda_logging" { + name = "${var.stage}-${var.name}-lambda_logging" + policy = <<-EOT + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Resource": "arn:aws:logs:*:*:*", + "Effect": "Allow" + } + ] + } + EOT +} + +resource "aws_iam_role_policy_attachment" "lambda_logging" { + role = aws_iam_role.lambda_role.name + policy_arn = aws_iam_policy.lambda_logging.arn +} diff --git a/.infrastructure/outputs.tf b/.infrastructure/outputs.tf new file mode 100644 index 0000000..eb09683 --- /dev/null +++ b/.infrastructure/outputs.tf @@ -0,0 +1,39 @@ +output "cf_id" { + value = module.cloudfront_s3_cdn.cf_id + description = "ID of AWS CloudFront distribution" +} + +output "cf_arn" { + value = module.cloudfront_s3_cdn.cf_arn + description = "ARN of AWS CloudFront distribution" +} + +output "cf_status" { + value = module.cloudfront_s3_cdn.cf_status + description = "Current status of the distribution" +} + +output "cf_domain_name" { + value = module.cloudfront_s3_cdn.cf_domain_name + description = "Domain name corresponding to the distribution" +} + +output "cf_etag" { + value = module.cloudfront_s3_cdn.cf_etag + description = "Current version of the distribution's information" +} + +output "cf_hosted_zone_id" { + value = module.cloudfront_s3_cdn.cf_hosted_zone_id + description = "CloudFront Route 53 zone ID" +} + +output "s3_bucket" { + value = module.cloudfront_s3_cdn.s3_bucket + description = "Name of S3 bucket" +} + +output "s3_bucket_domain_name" { + value = module.cloudfront_s3_cdn.s3_bucket_domain_name + description = "Domain of S3 bucket" +} diff --git a/.infrastructure/prod-eu-west-1.tfvars b/.infrastructure/prod-eu-west-1.tfvars new file mode 100644 index 0000000..d6bcb23 --- /dev/null +++ b/.infrastructure/prod-eu-west-1.tfvars @@ -0,0 +1,19 @@ +# module +name = "onmyojideckbuilder" +region = "eu-west-1" +stage = "prod" +profile = "admin" + +# cloudfront +acm_certificate_arn = "arn:aws:acm:us-east-1:745437999005:certificate/f510b1b0-f475-43c6-a217-e884b77a894d" +parent_zone_id = "Z0511918V1SF3MCG22JU" +aliases = ["onmyojideckbuilder.com"] +allowed_origins = ["*.onmyojideckbuilder.com"] + +# s3 & lambda +acl = "private" +lambda_key = "main.zip" +source_file = "./lambda/main.js" +handler = "main.handler" +runtime = "nodejs12.x" +s3_region = "us-east-1" diff --git a/.infrastructure/terraform.tfstate.d/prod-eu-west-1/.terraform.tfstate.lock.info b/.infrastructure/terraform.tfstate.d/prod-eu-west-1/.terraform.tfstate.lock.info new file mode 100644 index 0000000..2a89841 --- /dev/null +++ b/.infrastructure/terraform.tfstate.d/prod-eu-west-1/.terraform.tfstate.lock.info @@ -0,0 +1 @@ +{"ID":"98905c4f-6035-74f7-7650-6a47316a4218","Operation":"OperationTypeApply","Info":"","Who":"dtomlinson@daniel-macbook.local","Version":"0.13.5","Created":"2021-03-18T00:59:02.31725Z","Path":"terraform.tfstate.d/prod-eu-west-1/terraform.tfstate"} \ No newline at end of file diff --git a/.infrastructure/terraform.tfstate.d/prod-eu-west-1/terraform.tfstate b/.infrastructure/terraform.tfstate.d/prod-eu-west-1/terraform.tfstate new file mode 100644 index 0000000..e087d58 --- /dev/null +++ b/.infrastructure/terraform.tfstate.d/prod-eu-west-1/terraform.tfstate @@ -0,0 +1,608 @@ +{ + "version": 4, + "terraform_version": "0.13.5", + "serial": 14, + "lineage": "baf13f49-a91e-4ef3-40f8-b010f53cf030", + "outputs": { + "s3_bucket": { + "value": "prod-onmyojideckbuilder-origin", + "type": "string" + }, + "s3_bucket_domain_name": { + "value": "prod-onmyojideckbuilder-origin.s3.eu-west-1.amazonaws.com", + "type": "string" + } + }, + "resources": [ + { + "mode": "data", + "type": "archive_file", + "name": "lambda_main", + "provider": "provider[\"registry.terraform.io/hashicorp/archive\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "excludes": null, + "id": "320d4868dd37d1674e98bd790b8a54b006838d04", + "output_base64sha256": "5EVmwQDkgGfYMpMXNaWHUz3cmb/dSssoWl8mM8o3aMs=", + "output_md5": "611fc9e8b494e4b399217f632b8e35ed", + "output_path": "./lambda/main.js.zip", + "output_sha": "320d4868dd37d1674e98bd790b8a54b006838d04", + "output_size": 601, + "source": [], + "source_content": null, + "source_content_filename": null, + "source_dir": null, + "source_file": "./lambda/main.js", + "type": "zip" + } + } + ] + }, + { + "mode": "managed", + "type": "aws_iam_policy", + "name": "lambda_logging", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "arn": "arn:aws:iam::745437999005:policy/prod-onmyojideckbuilder-lambda_logging", + "description": "", + "id": "arn:aws:iam::745437999005:policy/prod-onmyojideckbuilder-lambda_logging", + "name": "prod-onmyojideckbuilder-lambda_logging", + "name_prefix": null, + "path": "/", + "policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": [\n \"logs:CreateLogGroup\",\n \"logs:CreateLogStream\",\n \"logs:PutLogEvents\"\n ],\n \"Resource\": \"arn:aws:logs:*:*:*\",\n \"Effect\": \"Allow\"\n }\n ]\n}\n" + }, + "private": "bnVsbA==" + } + ] + }, + { + "mode": "managed", + "type": "aws_iam_role", + "name": "lambda_role", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "arn": "arn:aws:iam::745437999005:role/prod-onmyojideckbuilder-lambda", + "assume_role_policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"lambda.amazonaws.com\",\"edgelambda.amazonaws.com\"]},\"Action\":\"sts:AssumeRole\"}]}", + "create_date": "2021-03-18T00:54:31Z", + "description": "", + "force_detach_policies": false, + "id": "prod-onmyojideckbuilder-lambda", + "max_session_duration": 3600, + "name": "prod-onmyojideckbuilder-lambda", + "name_prefix": null, + "path": "/", + "permissions_boundary": null, + "tags": { + "Description": "website to build and share onmyoji decks", + "Project": "onmyoji-deck-builder" + }, + "unique_id": "AROA23D4RF6OTBMEPSDVE" + }, + "private": "bnVsbA==" + } + ] + }, + { + "mode": "managed", + "type": "aws_iam_role_policy_attachment", + "name": "lambda_logging", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": "prod-onmyojideckbuilder-lambda-20210318005433729100000002", + "policy_arn": "arn:aws:iam::745437999005:policy/prod-onmyojideckbuilder-lambda_logging", + "role": "prod-onmyojideckbuilder-lambda" + }, + "private": "bnVsbA==", + "dependencies": [ + "aws_iam_policy.lambda_logging", + "aws_iam_role.lambda_role" + ] + } + ] + }, + { + "mode": "managed", + "type": "aws_lambda_function", + "name": "directory_indexes", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"].us_east_1", + "instances": [ + { + "schema_version": 0, + "attributes": { + "arn": "arn:aws:lambda:us-east-1:745437999005:function:prod-onmyojideckbuilder-directory_indexes", + "dead_letter_config": [], + "description": "", + "environment": [], + "file_system_config": [], + "filename": "./lambda/main.js.zip", + "function_name": "prod-onmyojideckbuilder-directory_indexes", + "handler": "main.handler", + "id": "prod-onmyojideckbuilder-directory_indexes", + "invoke_arn": "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:745437999005:function:prod-onmyojideckbuilder-directory_indexes/invocations", + "kms_key_arn": "", + "last_modified": "2021-03-18T00:54:40.108+0000", + "layers": null, + "memory_size": 128, + "publish": true, + "qualified_arn": "arn:aws:lambda:us-east-1:745437999005:function:prod-onmyojideckbuilder-directory_indexes:1", + "reserved_concurrent_executions": -1, + "role": "arn:aws:iam::745437999005:role/prod-onmyojideckbuilder-lambda", + "runtime": "nodejs12.x", + "s3_bucket": null, + "s3_key": null, + "s3_object_version": null, + "source_code_hash": "5EVmwQDkgGfYMpMXNaWHUz3cmb/dSssoWl8mM8o3aMs=", + "source_code_size": 601, + "tags": { + "Description": "website to build and share onmyoji decks", + "Project": "onmyoji-deck-builder" + }, + "timeout": 3, + "timeouts": null, + "tracing_config": [ + { + "mode": "PassThrough" + } + ], + "version": "1", + "vpc_config": [] + }, + "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDB9fQ==", + "dependencies": [ + "aws_iam_policy.lambda_logging", + "aws_iam_role.lambda_role", + "aws_iam_role_policy_attachment.lambda_logging", + "data.archive_file.lambda_main" + ] + } + ] + }, + { + "module": "module.cloudfront_s3_cdn", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "origin", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": "637012258", + "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"S3GetObjectForCloudFront\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:GetObject\",\n \"Resource\": \"arn:aws:s3:::${bucket_name}${origin_path}*\",\n \"Principal\": {\n \"AWS\": \"${cloudfront_origin_access_identity_iam_arn}\"\n }\n },\n {\n \"Sid\": \"S3ListBucketForCloudFront\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:ListBucket\",\n \"Resource\": \"arn:aws:s3:::${bucket_name}\",\n \"Principal\": {\n \"AWS\": \"${cloudfront_origin_access_identity_iam_arn}\"\n }\n },\n {\n \"Sid\": \"PublicRead\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:GetObject\"\n ],\n \"Resource\": \"arn:aws:s3:::prod-onmyojideckbuilder-origin/*\",\n \"Principal\": \"*\"\n }\n ]\n}", + "override_json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\":\"PublicRead\",\n \"Effect\":\"Allow\",\n \"Principal\":\"*\",\n \"Action\":[\"s3:GetObject\"],\n \"Resource\":\"arn:aws:s3:::prod-onmyojideckbuilder-origin/*\"\n }\n ]\n}\n", + "policy_id": null, + "source_json": null, + "statement": [ + { + "actions": [ + "s3:GetObject" + ], + "condition": [], + "effect": "Allow", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "${cloudfront_origin_access_identity_iam_arn}" + ], + "type": "AWS" + } + ], + "resources": [ + "arn:aws:s3:::${bucket_name}${origin_path}*" + ], + "sid": "S3GetObjectForCloudFront" + }, + { + "actions": [ + "s3:ListBucket" + ], + "condition": [], + "effect": "Allow", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "${cloudfront_origin_access_identity_iam_arn}" + ], + "type": "AWS" + } + ], + "resources": [ + "arn:aws:s3:::${bucket_name}" + ], + "sid": "S3ListBucketForCloudFront" + } + ], + "version": "2012-10-17" + } + } + ] + }, + { + "module": "module.cloudfront_s3_cdn", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "origin_website", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": "2989024212", + "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"S3GetObjectForCloudFront\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:GetObject\",\n \"Resource\": \"arn:aws:s3:::${bucket_name}${origin_path}*\",\n \"Principal\": {\n \"AWS\": \"*\"\n }\n },\n {\n \"Sid\": \"PublicRead\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:GetObject\"\n ],\n \"Resource\": \"arn:aws:s3:::prod-onmyojideckbuilder-origin/*\",\n \"Principal\": \"*\"\n }\n ]\n}", + "override_json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\":\"PublicRead\",\n \"Effect\":\"Allow\",\n \"Principal\":\"*\",\n \"Action\":[\"s3:GetObject\"],\n \"Resource\":\"arn:aws:s3:::prod-onmyojideckbuilder-origin/*\"\n }\n ]\n}\n", + "policy_id": null, + "source_json": null, + "statement": [ + { + "actions": [ + "s3:GetObject" + ], + "condition": [], + "effect": "Allow", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "*" + ], + "type": "AWS" + } + ], + "resources": [ + "arn:aws:s3:::${bucket_name}${origin_path}*" + ], + "sid": "S3GetObjectForCloudFront" + } + ], + "version": "2012-10-17" + } + } + ] + }, + { + "module": "module.cloudfront_s3_cdn", + "mode": "data", + "type": "aws_s3_bucket", + "name": "selected", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "arn": "arn:aws:s3:::prod-onmyojideckbuilder-origin", + "bucket": "prod-onmyojideckbuilder-origin", + "bucket_domain_name": "prod-onmyojideckbuilder-origin.s3.amazonaws.com", + "bucket_regional_domain_name": "prod-onmyojideckbuilder-origin.s3.eu-west-1.amazonaws.com", + "hosted_zone_id": "Z1BKCTXD74EZPE", + "id": "prod-onmyojideckbuilder-origin", + "region": "eu-west-1", + "website_domain": null, + "website_endpoint": null + } + } + ] + }, + { + "module": "module.cloudfront_s3_cdn", + "mode": "data", + "type": "template_file", + "name": "default", + "provider": "provider[\"registry.terraform.io/hashicorp/template\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "filename": null, + "id": "fe3f480e1db2aede6d6d5ec8f112356a914f3fe62dc64248e9a9ee28c0b51963", + "rendered": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"S3GetObjectForCloudFront\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:GetObject\",\n \"Resource\": \"arn:aws:s3:::prod-onmyojideckbuilder-origin/*\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2UDO80PGVO0I7\"\n }\n },\n {\n \"Sid\": \"S3ListBucketForCloudFront\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:ListBucket\",\n \"Resource\": \"arn:aws:s3:::prod-onmyojideckbuilder-origin\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2UDO80PGVO0I7\"\n }\n },\n {\n \"Sid\": \"PublicRead\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:GetObject\"\n ],\n \"Resource\": \"arn:aws:s3:::prod-onmyojideckbuilder-origin/*\",\n \"Principal\": \"*\"\n }\n ]\n}", + "template": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"S3GetObjectForCloudFront\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:GetObject\",\n \"Resource\": \"arn:aws:s3:::${bucket_name}${origin_path}*\",\n \"Principal\": {\n \"AWS\": \"${cloudfront_origin_access_identity_iam_arn}\"\n }\n },\n {\n \"Sid\": \"S3ListBucketForCloudFront\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:ListBucket\",\n \"Resource\": \"arn:aws:s3:::${bucket_name}\",\n \"Principal\": {\n \"AWS\": \"${cloudfront_origin_access_identity_iam_arn}\"\n }\n },\n {\n \"Sid\": \"PublicRead\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:GetObject\"\n ],\n \"Resource\": \"arn:aws:s3:::prod-onmyojideckbuilder-origin/*\",\n \"Principal\": \"*\"\n }\n ]\n}", + "vars": { + "bucket_name": "prod-onmyojideckbuilder-origin", + "cloudfront_origin_access_identity_iam_arn": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2UDO80PGVO0I7", + "origin_path": "/" + } + } + } + ] + }, + { + "module": "module.cloudfront_s3_cdn", + "mode": "managed", + "type": "aws_cloudfront_origin_access_identity", + "name": "default", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "index_key": 0, + "schema_version": 0, + "attributes": { + "caller_reference": "terraform-20210318005431202400000001", + "cloudfront_access_identity_path": "origin-access-identity/cloudfront/E2UDO80PGVO0I7", + "comment": "prod-onmyojideckbuilder", + "etag": "E1TCA4Q1CA5VJS", + "iam_arn": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2UDO80PGVO0I7", + "id": "E2UDO80PGVO0I7", + "s3_canonical_user_id": "0cfcad41a6b0276d057a0ebf19d20c199a1506b2fff651979fa92da43f68347b1f60e881f157f22b76dde44b55009f31" + }, + "private": "bnVsbA==" + } + ] + }, + { + "module": "module.cloudfront_s3_cdn", + "mode": "managed", + "type": "aws_s3_bucket", + "name": "origin", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "index_key": 0, + "schema_version": 0, + "attributes": { + "acceleration_status": "", + "acl": "private", + "arn": "arn:aws:s3:::prod-onmyojideckbuilder-origin", + "bucket": "prod-onmyojideckbuilder-origin", + "bucket_domain_name": "prod-onmyojideckbuilder-origin.s3.amazonaws.com", + "bucket_prefix": null, + "bucket_regional_domain_name": "prod-onmyojideckbuilder-origin.s3.eu-west-1.amazonaws.com", + "cors_rule": [ + { + "allowed_headers": [ + "*" + ], + "allowed_methods": [ + "GET", + "HEAD", + "PUT", + "POST" + ], + "allowed_origins": [ + "*.onmyojideckbuilder.com" + ], + "expose_headers": [ + "ETag" + ], + "max_age_seconds": 3600 + }, + { + "allowed_headers": [ + "*" + ], + "allowed_methods": [ + "GET", + "HEAD", + "PUT", + "POST" + ], + "allowed_origins": [ + "onmyojideckbuilder.com" + ], + "expose_headers": [ + "ETag" + ], + "max_age_seconds": 3600 + } + ], + "force_destroy": true, + "grant": [], + "hosted_zone_id": "Z1BKCTXD74EZPE", + "id": "prod-onmyojideckbuilder-origin", + "lifecycle_rule": [], + "logging": [], + "object_lock_configuration": [], + "policy": null, + "region": "eu-west-1", + "replication_configuration": [], + "request_payer": "BucketOwner", + "server_side_encryption_configuration": [ + { + "rule": [ + { + "apply_server_side_encryption_by_default": [ + { + "kms_master_key_id": "", + "sse_algorithm": "AES256" + } + ] + } + ] + } + ], + "tags": { + "Attributes": "origin", + "Description": "website to build and share onmyoji decks", + "Name": "prod-onmyojideckbuilder-origin", + "Project": "onmyoji-deck-builder", + "Stage": "prod" + }, + "versioning": [ + { + "enabled": true, + "mfa_delete": false + } + ], + "website": [], + "website_domain": null, + "website_endpoint": null + }, + "private": "bnVsbA==" + } + ] + }, + { + "module": "module.cloudfront_s3_cdn", + "mode": "managed", + "type": "aws_s3_bucket_policy", + "name": "default", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "index_key": 0, + "schema_version": 0, + "attributes": { + "bucket": "prod-onmyojideckbuilder-origin", + "id": "prod-onmyojideckbuilder-origin", + "policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"S3GetObjectForCloudFront\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:GetObject\",\n \"Resource\": \"arn:aws:s3:::prod-onmyojideckbuilder-origin/*\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2UDO80PGVO0I7\"\n }\n },\n {\n \"Sid\": \"S3ListBucketForCloudFront\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:ListBucket\",\n \"Resource\": \"arn:aws:s3:::prod-onmyojideckbuilder-origin\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2UDO80PGVO0I7\"\n }\n },\n {\n \"Sid\": \"PublicRead\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:GetObject\"\n ],\n \"Resource\": \"arn:aws:s3:::prod-onmyojideckbuilder-origin/*\",\n \"Principal\": \"*\"\n }\n ]\n}" + }, + "private": "bnVsbA==", + "dependencies": [ + "module.cloudfront_s3_cdn.aws_cloudfront_origin_access_identity.default", + "module.cloudfront_s3_cdn.aws_s3_bucket.origin", + "module.cloudfront_s3_cdn.data.aws_iam_policy_document.origin", + "module.cloudfront_s3_cdn.data.aws_iam_policy_document.origin_website", + "module.cloudfront_s3_cdn.data.template_file.default" + ] + } + ] + }, + { + "module": "module.cloudfront_s3_cdn.module.logs", + "mode": "managed", + "type": "aws_s3_bucket", + "name": "default", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "index_key": 0, + "schema_version": 0, + "attributes": { + "acceleration_status": "", + "acl": "log-delivery-write", + "arn": "arn:aws:s3:::prod-onmyojideckbuilder-logs", + "bucket": "prod-onmyojideckbuilder-logs", + "bucket_domain_name": "prod-onmyojideckbuilder-logs.s3.amazonaws.com", + "bucket_prefix": null, + "bucket_regional_domain_name": "prod-onmyojideckbuilder-logs.s3.eu-west-1.amazonaws.com", + "cors_rule": [], + "force_destroy": true, + "grant": [], + "hosted_zone_id": "Z1BKCTXD74EZPE", + "id": "prod-onmyojideckbuilder-logs", + "lifecycle_rule": [ + { + "abort_incomplete_multipart_upload_days": 5, + "enabled": true, + "expiration": [ + { + "date": "", + "days": 90, + "expired_object_delete_marker": false + } + ], + "id": "prod-onmyojideckbuilder-logs", + "noncurrent_version_expiration": [ + { + "days": 90 + } + ], + "noncurrent_version_transition": [ + { + "days": 30, + "storage_class": "GLACIER" + } + ], + "prefix": "", + "tags": null, + "transition": [ + { + "date": "", + "days": 30, + "storage_class": "STANDARD_IA" + }, + { + "date": "", + "days": 60, + "storage_class": "GLACIER" + } + ] + } + ], + "logging": [], + "object_lock_configuration": [], + "policy": "", + "region": "eu-west-1", + "replication_configuration": [], + "request_payer": "BucketOwner", + "server_side_encryption_configuration": [ + { + "rule": [ + { + "apply_server_side_encryption_by_default": [ + { + "kms_master_key_id": "", + "sse_algorithm": "AES256" + } + ] + } + ] + } + ], + "tags": { + "Attributes": "logs", + "Description": "website to build and share onmyoji decks", + "Name": "prod-onmyojideckbuilder-logs", + "Project": "onmyoji-deck-builder", + "Stage": "prod" + }, + "versioning": [ + { + "enabled": false, + "mfa_delete": false + } + ], + "website": [], + "website_domain": null, + "website_endpoint": null + }, + "private": "bnVsbA==" + } + ] + }, + { + "module": "module.cloudfront_s3_cdn.module.logs", + "mode": "managed", + "type": "aws_s3_bucket_public_access_block", + "name": "default", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "index_key": 0, + "schema_version": 0, + "attributes": { + "block_public_acls": true, + "block_public_policy": true, + "bucket": "prod-onmyojideckbuilder-logs", + "id": "prod-onmyojideckbuilder-logs", + "ignore_public_acls": true, + "restrict_public_buckets": true + }, + "private": "bnVsbA==", + "dependencies": [ + "module.cloudfront_s3_cdn.module.logs.aws_s3_bucket.default" + ] + } + ] + } + ] +} diff --git a/.infrastructure/variables.tf b/.infrastructure/variables.tf new file mode 100644 index 0000000..55a7186 --- /dev/null +++ b/.infrastructure/variables.tf @@ -0,0 +1,55 @@ +variable "name" { + +} + +variable "region" { + +} + +variable "stage" { + +} + +variable "profile" { + +} + +variable "acm_certificate_arn" { + +} + +variable "parent_zone_id" { + +} + +variable "aliases" { + +} + +variable "allowed_origins" { + +} + +variable "acl" { + +} + +variable "lambda_key" { + +} + +variable "source_file" { + +} + +variable "handler" { + +} + +variable "runtime" { + +} + +variable "s3_region" { + +}