TF Config for s3 hosting

Author: jaredmoody

.gitignore

@@ -25,3 +25,10 @@ doc/
 
 # Vagrant artifacts
 ubuntu-*-console.log
+
+# OpenTofu / Terraform
+infra/.terraform/
+infra/.terraform.lock.hcl
+infra/terraform.tfstate
+infra/terraform.tfstate.backup
+infra/terraform.tfvars

infra/buildspec.yml

@@ -0,0 +1,15 @@
+version: 0.2
+
+phases:
+  install:
+    runtime-versions:
+      ruby: 3.2
+    commands:
+      - gem install bundler --no-document
+      - bundle install --jobs 4 --retry 3
+  build:
+    commands:
+      - bundle exec middleman build --clean --watcher-disable
+  post_build:
+    commands:
+      - aws s3 sync build/ s3://$S3_BUCKET/ --delete

infra/main.tf

@@ -0,0 +1,214 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = "us-east-1"
+}
+
+# S3 bucket for the static site
+resource "aws_s3_bucket" "site" {
+  bucket = var.domain
+}
+
+resource "aws_s3_bucket_website_configuration" "site" {
+  bucket = aws_s3_bucket.site.id
+
+  index_document {
+    suffix = "index.html"
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "site" {
+  bucket = aws_s3_bucket.site.id
+
+  block_public_acls       = false
+  block_public_policy     = false
+  ignore_public_acls      = false
+  restrict_public_buckets = false
+}
+
+resource "aws_s3_bucket_policy" "site" {
+  bucket     = aws_s3_bucket.site.id
+  depends_on = [aws_s3_bucket_public_access_block.site]
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect    = "Allow"
+      Principal = "*"
+      Action    = "s3:GetObject"
+      Resource  = "${aws_s3_bucket.site.arn}/*"
+    }]
+  })
+}
+
+# Artifact bucket for CodePipeline (private)
+resource "aws_s3_bucket" "artifacts" {
+  bucket = "${var.domain}-pipeline-artifacts"
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "artifacts" {
+  bucket = aws_s3_bucket.artifacts.id
+
+  rule {
+    id     = "expire"
+    status = "Enabled"
+    filter {}
+    expiration {
+      days = 7
+    }
+  }
+}
+
+# CodeBuild
+resource "aws_iam_role" "codebuild" {
+  name = "api-docs-codebuild"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect    = "Allow"
+      Principal = { Service = "codebuild.amazonaws.com" }
+      Action    = "sts:AssumeRole"
+    }]
+  })
+}
+
+resource "aws_iam_role_policy" "codebuild" {
+  role = aws_iam_role.codebuild.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect   = "Allow"
+        Action   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
+        Resource = "*"
+      },
+      {
+        Effect   = "Allow"
+        Action   = ["s3:PutObject", "s3:DeleteObject", "s3:ListBucket"]
+        Resource = [aws_s3_bucket.site.arn, "${aws_s3_bucket.site.arn}/*"]
+      },
+      {
+        Effect   = "Allow"
+        Action   = ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject"]
+        Resource = "${aws_s3_bucket.artifacts.arn}/*"
+      }
+    ]
+  })
+}
+
+resource "aws_codebuild_project" "site" {
+  name         = "api-docs"
+  service_role = aws_iam_role.codebuild.arn
+
+  artifacts {
+    type = "CODEPIPELINE"
+  }
+
+  environment {
+    compute_type = "BUILD_GENERAL1_SMALL"
+    image        = "aws/codebuild/standard:7.0"
+    type         = "LINUX_CONTAINER"
+
+    environment_variable {
+      name  = "S3_BUCKET"
+      value = aws_s3_bucket.site.bucket
+    }
+  }
+
+  source {
+    type      = "CODEPIPELINE"
+    buildspec = "infra/buildspec.yml"
+  }
+}
+
+# CodePipeline
+resource "aws_iam_role" "codepipeline" {
+  name = "api-docs-codepipeline"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect    = "Allow"
+      Principal = { Service = "codepipeline.amazonaws.com" }
+      Action    = "sts:AssumeRole"
+    }]
+  })
+}
+
+resource "aws_iam_role_policy" "codepipeline" {
+  role = aws_iam_role.codepipeline.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect   = "Allow"
+        Action   = ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:ListBucket"]
+        Resource = [aws_s3_bucket.artifacts.arn, "${aws_s3_bucket.artifacts.arn}/*"]
+      },
+      {
+        Effect   = "Allow"
+        Action   = ["codebuild:BatchGetBuilds", "codebuild:StartBuild"]
+        Resource = aws_codebuild_project.site.arn
+      },
+      {
+        Effect   = "Allow"
+        Action   = "codestar-connections:UseConnection"
+        Resource = var.github_connection_arn
+      }
+    ]
+  })
+}
+
+resource "aws_codepipeline" "site" {
+  name     = "api-docs"
+  role_arn = aws_iam_role.codepipeline.arn
+
+  artifact_store {
+    location = aws_s3_bucket.artifacts.bucket
+    type     = "S3"
+  }
+
+  stage {
+    name = "Source"
+    action {
+      name             = "Source"
+      category         = "Source"
+      owner            = "AWS"
+      provider         = "CodeStarSourceConnection"
+      version          = "1"
+      output_artifacts = ["source"]
+      configuration = {
+        ConnectionArn        = var.github_connection_arn
+        FullRepositoryId     = "jetbuilt/jetbuilt-api-docs"
+        BranchName           = "main"
+        OutputArtifactFormat = "CODEBUILD_CLONE_REF"
+        DetectChanges        = "true"
+      }
+    }
+  }
+
+  stage {
+    name = "Build"
+    action {
+      name            = "Build"
+      category        = "Build"
+      owner           = "AWS"
+      provider        = "CodeBuild"
+      version         = "1"
+      input_artifacts = ["source"]
+      configuration = {
+        ProjectName = aws_codebuild_project.site.name
+      }
+    }
+  }
+}

infra/outputs.tf

@@ -0,0 +1,4 @@
+output "site_endpoint" {
+  description = "S3 website endpoint — use this as the Cloudflare origin"
+  value       = aws_s3_bucket_website_configuration.site.website_endpoint
+}

infra/variables.tf

@@ -0,0 +1,8 @@
+variable "domain" {
+  default = "api.jetbuilt.com"
+}
+
+variable "github_connection_arn" {
+  description = "ARN of the existing CodeStar connection for GitHub"
+  default     = "arn:aws:codeconnections:us-east-1:476548171748:connection/14ed4999-877c-4ca9-b791-d265cc159a6e"
+}