From 9ffa59dce5ef8e5e829386447db6da172fb58925 Mon Sep 17 00:00:00 2001
From: marcellmueller
Date: Thu, 5 Dec 2024 14:57:41 -0800
Subject: [PATCH] chore: add aws deploy workflow

---
 .github/workflows/deploy-aws.yml | 30 +++++++++++++++++++++++++
 .pre-commit-config.yaml | 1 +
 infrastructure/deploy.yml | 38 ++++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+)
 create mode 100644 .github/workflows/deploy-aws.yml
 create mode 100644 infrastructure/deploy.yml

diff --git a/.github/workflows/deploy-aws.yml b/.github/workflows/deploy-aws.yml
new file mode 100644
index 00000000..0705c044
--- /dev/null
+++ b/.github/workflows/deploy-aws.yml
@@ -0,0 +1,30 @@
+name: Deploy AWS
+
+on:
+ pull_request:
+
+environment:
+ name: development
+
+permissions:
+ id-token: write # This is required for GitHub OIDC auth with AWS
+ contents: read # This is required for actions/checkout
+
+jobs:
+ deploy_to_aws:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }}
+ aws-region: ${{ secrets.AWS_REGION }}
+
+ - name: Deploy to AWS CloudFormation
+ uses: aws-actions/aws-cloudformation-github-deploy@v1
+ with:
+ name: test-deploy-s3
+ template: infrastructure/deploy.yaml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 08e19d55..b5039c82 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -5,6 +5,7 @@ repos:
 - id: trailing-whitespace
 - id: end-of-file-fixer
 - id: check-yaml
+ args: ["--unsafe"]
 - id: check-added-large-files
 - repo: https://github.com/pre-commit/mirrors-eslint
diff --git a/infrastructure/deploy.yml b/infrastructure/deploy.yml
new file mode 100644
index 00000000..8834f5b1
--- /dev/null
+++ b/infrastructure/deploy.yml
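Review bot: The CloudFormation step points at `template: infrastructure/deploy.yaml`, but the file this commit adds is `infrastructure/deploy.yml`, so the deploy will fail to find the template; change the line to `template: infrastructure/deploy.yml`. The top-level `environment:` block is not a workflow-level key in GitHub Actions — `environment` is a job property — so as written it appears to be ignored, which means the `development` environment's protection rules and environment-scoped secrets never apply and, as far as I understand the OIDC flow, the token's `sub` claim will not carry `environment:development` for the role's trust policy to match; move it under the job as `environment: development`. Triggering on `pull_request` also assumes the deploy role on every PR (and will simply fail for fork PRs, which get no `id-token`), so a `push` trigger on the deployment branch, or at least the environment's required-reviewer gate, would be the safer shape for something that writes to an AWS account. Pinning the three third-party actions to a full commit SHA rather than a floating major tag would additionally reduce supply-chain exposure for a workflow that holds cloud credentials.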
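Review bot: `args: ["--unsafe"]` on `check-yaml` is applied to every YAML file in the repository, not just the CloudFormation template whose `!Sub`/`!Ref`/`!GetAtt` short-form tags presumably triggered it. With that flag the hook only parses for syntax instead of loading with the safe loader, so the workflow files and other config lose the stricter check they had before this commit; scoping it with `files: ^infrastructure/` (or a second `check-yaml` entry with `exclude: ^infrastructure/` and no flag) keeps the original guarantee elsewhere. A dedicated template linter such as a cfn-lint hook would validate the templates themselves, which a syntax-only parse cannot. The surrounding `repos` list continues outside the hunk.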
@@ -0,0 +1,38 @@
+Description: A template for static hosting using S3 bucket
+
+Outputs:
+ S3BucketName:
+ Value:
+ Ref: Bucket
+
+Resources:
+ Bucket:
+ Type: AWS::S3::Bucket
+ Properties:
+ BucketName: !Sub "${AWS::StackName}-bucket-${AWS::AccountId}"
+ BucketEncryption:
+ ServerSideEncryptionConfiguration:
+ - ServerSideEncryptionByDefault:
+ SSEAlgorithm: aws:kms
+ KMSMasterKeyID: alias/aws/s3
+ PublicAccessBlockConfiguration:
+ IgnorePublicAcls: true
+ RestrictPublicBuckets: true
+
+ BucketBucketPolicy:
+ Type: AWS::S3::BucketPolicy
+ Properties:
+ Bucket: !Ref Bucket
+ PolicyDocument:
+ Id: RequireEncryptionInTransit
+ Version: "2012-10-17"
+ Statement:
+ - Principal: "*"
+ Action: "*"
+ Effect: Deny
+ Resource:
+ - !GetAtt Bucket.Arn
+ - !Sub "${BucketArn}/*"
+ Condition:
+ Bool:
+ aws:SecureTransport: "false"
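Review bot: `!Sub "${BucketArn}/*"` under `Resource` refers to a variable that does not exist in this template — there is no `BucketArn` parameter or resource — so I expect stack creation to fail on an unresolved `!Sub` variable; the object-level ARN should be `!Sub "${Bucket.Arn}/*"`. `PublicAccessBlockConfiguration` sets only `IgnorePublicAcls` and `RestrictPublicBuckets`, leaving `BlockPublicAcls` and `BlockPublicPolicy` unset (false by default), so a public ACL or public bucket policy can still be attached to this bucket later; unless anonymous access is intended, set all four to `true`, and if the bucket really is meant to be served publicly the usual pattern is CloudFront with an origin access control rather than a public bucket. The `aws:kms` default encryption is a good choice for a private bucket, but as far as I recall S3 website endpoints cannot serve SSE-KMS-encrypted objects, so the "static hosting" description and this encryption setting are worth reconciling before the template grows. The `Description` could also say which hosting model is intended, e.g. `Description: Private S3 bucket for static assets, served via CloudFront (TLS enforced by bucket policy)`.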