Merge branch 'main' into mate_update_donation_details

tokyo-rust · Aug 3, 2024 · a83351d · a83351d
2 parents 44988bb + 1c20a92
commit a83351d
Show file tree

Hide file tree

Showing 13 changed files with 325 additions and 220 deletions.
diff --git a/.github/actions/build-static/action.yaml b/.github/actions/build-static/action.yaml
@@ -0,0 +1,25 @@
+name: Build Static Site
+description: Build the Tokyo Rust static website
+runs:
+  using: composite
+  steps:
+    - name: Install Zola
+      id: install-zola
+      uses: taiki-e/install-action@v2
+      with:
+        tool: [email protected]
+
+    - name: Setup Node
+      id: setup-node
+      uses: actions/setup-node@v4
+
+    - name: Install Node Packages
+      id: install-node-packages
+      shell: bash
+      run: cd static-site && npm install
+
+    - name: Build Static Site
+      id: build-static-site
+      shell: bash
+      working-directory: ./static-site
+      run: zola build
diff --git a/.github/actions/check-links/action.yaml b/.github/actions/check-links/action.yaml
@@ -0,0 +1,12 @@
+name: Test Static Site Links
+description: Test a built static site locally (not the deployed version)
+runs:
+  using: composite
+  steps:
+    - name: Check Links
+      id: lychee
+      uses: lycheeverse/lychee-action@v1
+      with:
+        args: --accept 200,429 --base ./static-site/public ./static-site/public
+        jobSummary: true
+        fail: true
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -0,0 +1,26 @@
+name: Build Site and Test Links
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - static-site/**
+
+jobs:
+  deploy:
+    name: Build and Test Links
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        id: checkout
+
+      - name: Build The Site
+        id: build
+        uses: "./.github/actions/build-static"
+
+      - name: Check Links
+        id: lychee
+        uses: "./.github/actions/check-links"
diff --git a/.github/workflows/publish_static.yaml b/.github/workflows/publish_static.yaml
@@ -17,32 +17,13 @@ jobs:
         uses: actions/checkout@v4
         id: checkout
 
-      - name: Install Zola
-        id: install-zola
-        uses: taiki-e/install-action@v2
-        with:
-          tool: [email protected]
-
-      - name: Setup Node
-        id: setup-node
-        uses: actions/setup-node@v4
-
-      - name: Install Node Packages
-        id: install-node-packages
-        run: cd static-site && npm install
-
-      - name: Build Static Site
-        id: build-static-site
-        working-directory: ./static-site
-        run: zola build
+      - name: Build The Site
+        id: build
+        uses: "./.github/actions/build-static"
 
       - name: Check Links
         id: lychee
-        uses: lycheeverse/lychee-action@v1
-        with:
-          args: --base ./static-site/public ./static-site/public
-          jobSummary: true
-          fail: true
+        uses: "./.github/actions/check-links"
 
       - name: Configure AWS Credentials
         id: configure-aws-creds

diff --git a/infrastructure/static-site.tf b/infrastructure/static-site.tf
@@ -6,7 +6,7 @@ locals {
   domain_name = "www.${local.host_name}"
 }
 
-resource "aws_s3_bucket" "tokyo-rust" {
+resource "aws_s3_bucket" "www_tokyorust" {
   bucket = local.domain_name
 
   tags = {
@@ -15,12 +15,24 @@ resource "aws_s3_bucket" "tokyo-rust" {
   }
 }
 
-resource "aws_s3_bucket_policy" "cloudfront_access_policy" {
-  bucket = aws_s3_bucket.tokyo-rust.id
-  policy = data.aws_iam_policy_document.allow_cloudfront_read_access.json
+resource "aws_s3_bucket" "root_tokyorust" {
+  bucket = local.host_name
+
+  tags = {
+    tokyorust = ""
+   static = ""
+  }
+}
+
+ resource "aws_s3_bucket_website_configuration" "root_tokyorust" {
+  bucket = aws_s3_bucket.root_tokyorust.id
+
+  redirect_all_requests_to {
+    host_name =  "${local.domain_name}"
+  }
 }
 
-data "aws_iam_policy_document" "allow_cloudfront_read_access" {
+data "aws_iam_policy_document" "www_tokyorust_allow_cloudfront_read_access" {
   version = "2012-10-17"
   statement {
     actions = [
@@ -36,19 +48,58 @@ data "aws_iam_policy_document" "allow_cloudfront_read_access" {
     effect = "Allow"
 
     resources = [
-      aws_s3_bucket.tokyo-rust.arn,
-      "${aws_s3_bucket.tokyo-rust.arn}/*",
+      aws_s3_bucket.www_tokyorust.arn,
+      "${aws_s3_bucket.www_tokyorust.arn}/*",
     ]
 
     condition {
       test     = "StringEquals"
       variable = "aws:SourceArn"
-      values   = [aws_cloudfront_distribution.s3_distribution.arn]
+      values   = [aws_cloudfront_distribution.www_distribution.arn]
     }
 
   }
 }
 
+data "aws_iam_policy_document" "root_tokyorust_allow_cloudfront_read_access" {
+  version = "2012-10-17"
+  statement {
+    actions = [
+      "s3:GetObject",
+      "s3:ListBucket",
+    ]
+
+    principals {
+      type = "Service"
+      identifiers = ["cloudfront.amazonaws.com"]
+    }
+
+    effect = "Allow"
+
+    resources = [
+      aws_s3_bucket.root_tokyorust.arn,
+      "${aws_s3_bucket.root_tokyorust.arn}/*",
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceArn"
+      values   = [aws_cloudfront_distribution.root_distribution.arn]
+    }
+
+  }
+}
+
+resource "aws_s3_bucket_policy" "www_tokyorust_cloudfront_access_policy" {
+  bucket = aws_s3_bucket.www_tokyorust.id
+  policy = data.aws_iam_policy_document.www_tokyorust_allow_cloudfront_read_access.json
+}
+
+resource "aws_s3_bucket_policy" "root_tokyorust_cloudfront_access_policy" {
+  bucket = aws_s3_bucket.root_tokyorust.id
+  policy = data.aws_iam_policy_document.root_tokyorust_allow_cloudfront_read_access.json
+}
+
 resource "aws_cloudfront_origin_access_control" "tokyorust" {
   name                              = "Tokyo-Rust-Access"
   description                       = "The access control for the Tokyo Rust website."
@@ -61,9 +112,9 @@ resource "aws_cloudfront_origin_access_identity" "tokyorust" {
   comment = "Access identity for Tokyo Rust static site"
 }
 
-resource "aws_cloudfront_distribution" "s3_distribution" {
+resource "aws_cloudfront_distribution" "www_distribution" {
   origin {
-    domain_name              = aws_s3_bucket.tokyo-rust.bucket_domain_name
+    domain_name              = aws_s3_bucket.www_tokyorust.bucket_domain_name
     origin_id                = local.s3_origin_id
     origin_access_control_id = aws_cloudfront_origin_access_control.tokyorust.id
 
@@ -86,6 +137,7 @@ resource "aws_cloudfront_distribution" "s3_distribution" {
   }
 
   enabled = true
+  comment = "CloudFront distribution for ${local.domain_name}"
   default_root_object = "index.html"
   http_version = "http2"
   is_ipv6_enabled = true
@@ -104,7 +156,62 @@ resource "aws_cloudfront_distribution" "s3_distribution" {
     default_ttl = 86400
     max_ttl = 31536000
     cache_policy_id = aws_cloudfront_cache_policy.tokyorust.id
+ }
+
+  price_class = "PriceClass_200"
+
+  tags = {
+    tokyorust = ""
+    static = ""
   }
+}
+
+resource "aws_cloudfront_distribution" "root_distribution" {
+  origin {
+    domain_name              = aws_s3_bucket_website_configuration.root_tokyorust.website_endpoint
+    origin_id                = local.s3_origin_id
+
+    custom_origin_config {
+      origin_protocol_policy = "http-only"
+      http_port  = "80"
+      https_port = "443"
+      origin_ssl_protocols = ["TLSv1.2"]
+    }
+
+    # s3_origin_config {
+    #   origin_access_identity = aws_cloudfront_origin_access_identity.tokyorust.cloudfront_access_identity_path
+    # }
+  }
+
+  aliases = [local.host_name]
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  viewer_certificate {
+    acm_certificate_arn = local.ssl_cert_arn
+    ssl_support_method = "sni-only"
+  }
+
+  enabled = true
+  comment = "CloudFront distribution for ${local.host_name}"
+  default_root_object = "index.html"
+  http_version = "http2"
+  is_ipv6_enabled = true
+
+  default_cache_behavior {
+    compress = true
+    viewer_protocol_policy = "redirect-to-https"
+    cached_methods = ["GET", "HEAD"]
+    target_origin_id = local.s3_origin_id
+    allowed_methods = ["GET", "HEAD"]
+    default_ttl = 86400
+    max_ttl = 31536000
+    cache_policy_id = aws_cloudfront_cache_policy.tokyorust.id
+ }
 
   price_class = "PriceClass_200"
 
@@ -115,7 +222,7 @@ resource "aws_cloudfront_distribution" "s3_distribution" {
 }
 
 resource "aws_cloudfront_cache_policy" "tokyorust" {
-  name = "tokyo-tust-static-site-cache-policy"
+  name = "tokyo-rust-static-site-cache-policy"
 
   parameters_in_cache_key_and_forwarded_to_origin {
     cookies_config {
@@ -140,50 +247,26 @@ resource "aws_route53_zone" "tokyorust" {
   }
 }
 
-resource "aws_route53_record" "tokyorust" {
+resource "aws_route53_record" "www_tokyorust" {
   zone_id = aws_route53_zone.tokyorust.id
   name    = local.domain_name
   type    = "A"
   alias {
-    name = aws_cloudfront_distribution.s3_distribution.domain_name
-    zone_id = aws_cloudfront_distribution.s3_distribution.hosted_zone_id
+    name = aws_cloudfront_distribution.www_distribution.domain_name
+    zone_id = aws_cloudfront_distribution.www_distribution.hosted_zone_id
     evaluate_target_health = false
   }
 }
 
-resource "aws_iam_policy" "tokyorust-static-deployer" {
-  name        = "tokyo-rust-static-deployer"
-  description = "Necessary permissions to deploy the Tokyo Rust static site"
-
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Sid = "AccessToWebsiteBuckets",
-        Effect = "Allow",
-        Action = [
-          "s3:PutBucketWebsite",
-          "s3:PutObject",
-          "s3:PutObjectAcl",
-          "s3:GetObject",
-          "s3:ListBucket",
-          "s3:DeleteObject"
-        ],
-        Resource = [
-          "${aws_s3_bucket.tokyo-rust.arn}",
-          "${aws_s3_bucket.tokyo-rust.arn}/*",
-        ]
-      },
-      {
-        Sid = "AccessToCloudfront",
-        Effect = "Allow",
-        Action = [
-          "cloudfront:GetInvalidation",
-          "cloudfront:CreateInvalidation"],
-        Resource = "*"
-      }
-    ]
-  })
+resource "aws_route53_record" "root_tokyorust" {
+  zone_id = aws_route53_zone.tokyorust.id
+  name    = local.host_name
+  type    = "A"
+  alias {
+    name = aws_cloudfront_distribution.root_distribution.domain_name
+    zone_id = aws_cloudfront_distribution.root_distribution.hosted_zone_id
+    evaluate_target_health = false
+  }
 }
 
 resource "aws_iam_user" "tokyorust-static-deployer" {
@@ -196,13 +279,8 @@ resource "aws_iam_user" "tokyorust-static-deployer" {
   }
 }
 
-resource "aws_iam_user_policy_attachment" "tokyorust-static-deployer" {
-  user   = aws_iam_user.tokyorust-static-deployer.name
-  policy_arn  = aws_iam_policy.tokyorust-static-deployer.arn
-}
-
 resource "aws_s3_bucket_website_configuration" "tokyorust" {
-  bucket = aws_s3_bucket.tokyo-rust.id
+  bucket = aws_s3_bucket.www_tokyorust.id
 
   index_document {
     suffix = "index.html"