| author | Owen Jacobson <owen@grimoire.ca> | 2018-03-10 20:56:37 -0500 |
|---|---|---|
| committer | Owen Jacobson <owen@grimoire.ca> | 2018-03-10 20:56:37 -0500 |
| commit | d3a7300dc8342111a1ba30d6e2ad95e608a7363b (patch) | |
| tree | 2cad6671e3d61b9638cddb9d54969812a35c08f1 /bliki.tf | |
| parent | 57a0b91171ff5e93f13c2ba4bad485641b65ec3b (diff) | |
Infrastructure for publishing the site to S3/CloudFormation.
Diffstat (limited to 'bliki.tf')
| -rw-r--r-- | bliki.tf | 98 |
1 files changed, 98 insertions, 0 deletions
diff --git a/bliki.tf b/bliki.tf
new file mode 100644
index 0000000..d83b5b4
--- /dev/null
+++ b/bliki.tf
@@ -0,0 +1,98 @@
+terraform {
+ backend "s3" {
+ bucket = "terraform.grimoire"
+ key = "bliki.tfstate"
+ region = "ca-central-1"
+ }
+}
+
+provider "aws" {
+ version = "~> 1.11"
+
+ region = "ca-central-1"
+}
+
+resource "aws_s3_bucket" "bliki" {
+ bucket = "grimoire.ca"
+
+ website {
+ index_document = "index.html"
+ }
+}
+
+resource "aws_s3_bucket_policy" "bliki" {
+ bucket = "${aws_s3_bucket.bliki.id}"
+ policy = <<POLICY
+{
+ "Version":"2012-10-17",
+ "Statement":[
+ {
+ "Effect":"Allow",
+ "Principal": "*",
+ "Action": ["s3:GetObject"],
+ "Resource": ["${aws_s3_bucket.bliki.arn}/*"]
+ }
+ ]
+}
+POLICY
+}
+
+resource "aws_cloudfront_distribution" "bliki" {
+ enabled = true
+ is_ipv6_enabled = true
+
+ aliases = ["grimoire.ca"]
+
+ default_root_object = "index.html"
+
+ price_class = "PriceClass_100"
+
+ origin {
+ origin_id = "bliki"
+ # Use the website endpoint, not the bucket endpoint, to get / -> /index.html
+ # translation through S3's website config.
+ domain_name = "${aws_s3_bucket.bliki.website_endpoint}"
+
+ custom_origin_config {
+ http_port = 80
+ https_port = 443
+
+ # Because the origin is a non-URL-safe bucket name, S3's default TLS
+ # config doesn't apply. Since we can't provide our own cert, force HTTP.
+ origin_protocol_policy = "http-only"
+ origin_ssl_protocols = ["TLSv1.2"]
+ }
+ }
+
+ default_cache_behavior {
+ target_origin_id = "bliki"
+
+ allowed_methods = ["GET", "HEAD", "OPTIONS"]
+ cached_methods = ["GET", "HEAD"]
+ viewer_protocol_policy = "redirect-to-https"
+
+ compress = true
+
+ min_ttl = 0
+ default_ttl = 900
+ max_ttl = 3600
+
+ forwarded_values {
+ query_string = false
+
+ cookies {
+ forward = "none"
+ }
+ }
+ }
+
+ restrictions {
+ geo_restriction {
+ restriction_type = "none"
+ }
+ }
+
+ viewer_certificate {
+ cloudfront_default_certificate = true
+ }
+} |
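Review bot: The `viewer_certificate` block at the end of `aws_cloudfront_distribution.bliki` sets `cloudfront_default_certificate = true` while the distribution declares `aliases = ["grimoire.ca"]` and `viewer_protocol_policy = "redirect-to-https"`, so every visitor to grimoire.ca is redirected to an HTTPS endpoint that presents the `*.cloudfront.net` certificate and fails name validation. The block should reference a certificate that covers the alias, for example `acm_certificate_arn = "<ACM_CERT_ARN_PLACEHOLDER>"`, `ssl_support_method = "sni-only"` and `minimum_protocol_version = "TLSv1.2_2018"`. CloudFront only accepts ACM certificates issued in us-east-1, so with the provider pinned to `ca-central-1` this needs a second, aliased `aws` provider for the certificate. Separately, the `Principal: "*"` bucket policy together with the `http-only` website origin means every object in the bucket can also be fetched in plaintext straight from the S3 website endpoint, bypassing the HTTPS redirect. A comment on `aws_s3_bucket_policy.bliki` saying this is intentional for a public site would help, and `origin_ssl_protocols` has no effect under `http-only`.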
