onmyoji-deck-builder/.infrastructure/main.tf

# aws config
provider "aws" {
  region  = var.region
  profile = var.profile
  version = "~> 2.66"
}

provider "aws" {
  alias   = "us_east_1"
  profile = var.profile
  region  = "us-east-1"
}

# tags
locals {
  tags = {
    "Project"     = "onmyoji-deck-builder"
    "Description" = "website to build and share onmyoji decks"
  }
}

# cloudfront
module "cloudfront_s3_cdn" {
  source                   = "git::https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn.git?ref=tags/0.52.0"
  stage                    = var.stage
  name                     = var.name
  parent_zone_id           = var.parent_zone_id
  dns_alias_enabled        = true
  acm_certificate_arn      = var.acm_certificate_arn
  use_regional_s3_endpoint = true
  origin_force_destroy     = true
  compress                 = true
  cors_allowed_headers     = ["*"]
  cors_allowed_methods     = ["GET", "HEAD", "PUT", "POST"]
  cors_allowed_origins     = var.allowed_origins
  tags                     = local.tags
  aliases                  = var.aliases
  index_document           = "index.html"
  error_document           = "index.html"
  website_enabled          = true
  # lambda_function_association = [
  #   {
  #     event_type : "origin-request",
  #     lambda_arn : aws_lambda_function.directory_indexes.qualified_arn,
  #     include_body : false
  #   }
  # ]

  # this policy sets the bucket to be public for all newly created files
  additional_bucket_policy = <<-EOT
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid":"PublicRead",
        "Effect":"Allow",
        "Principal":"*",
        "Action":["s3:GetObject"],
        "Resource":"arn:aws:s3:::${module.cloudfront_s3_cdn.s3_bucket}/*"
      }
    ]
  }
  EOT
}

# data "archive_file" "lambda_main" {
#   type        = "zip"
#   source_file = var.source_file
#   output_path = "${var.source_file}.zip"
# }

# resource "aws_lambda_function" "directory_indexes" {
#   provider         = aws.us_east_1
#   function_name    = "${var.stage}-${var.name}-directory_indexes"
#   filename         = "${var.source_file}.zip"
#   source_code_hash = data.archive_file.lambda_main.output_base64sha256
#   # s3_bucket     = aws_s3_bucket.lambda_s3.id
#   # s3_key        = var.lambda_key
#   handler = var.handler
#   runtime = var.runtime
#   role    = aws_iam_role.lambda_role.arn
#   publish = true
#   tags    = local.tags

#   depends_on = [aws_iam_role_policy_attachment.lambda_logging]
# }

# ## Lambda iam role & policies

# resource "aws_iam_role" "lambda_role" {
#   name = "${var.stage}-${var.name}-lambda"
#   tags = local.tags

#   assume_role_policy = <<-EOT
#   {
#     "Version": "2012-10-17",
#     "Statement": [
#         {
#           "Effect": "Allow",
#           "Principal": {
#               "Service": [
#                 "lambda.amazonaws.com",
#                 "edgelambda.amazonaws.com"
#               ]
#           },
#           "Action": "sts:AssumeRole"
#         }
#     ]
#   }
#   EOT
# }

# resource "aws_iam_policy" "lambda_logging" {
#   name   = "${var.stage}-${var.name}-lambda_logging"
#   policy = <<-EOT
#   {
#     "Version": "2012-10-17",
#     "Statement": [
#       {
#         "Action": [
#           "logs:CreateLogGroup",
#           "logs:CreateLogStream",
#           "logs:PutLogEvents"
#         ],
#         "Resource": "arn:aws:logs:*:*:*",
#         "Effect": "Allow"
#       }
#     ]
#   }
#   EOT
# }

# resource "aws_iam_role_policy_attachment" "lambda_logging" {
#   role       = aws_iam_role.lambda_role.name
#   policy_arn = aws_iam_policy.lambda_logging.arn
# }