fix: post live twitch implementation

ippontech · Oct 17, 2024 · 093f583 · 093f583
1 parent 9781ef3
commit 093f583
Show file tree

Hide file tree

Showing 6 changed files with 102 additions and 21 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -8,6 +8,9 @@ on:
 
 env:
   AWS_REGION: eu-west-3
+  ORIGIN_BUCKET_NAME: twitch-live-17102024-my-web-site-origin
+  ROLE_ARN: arn:aws:iam::448878779811:role/twitch-live-17102024-my-web-site
+  ROLE_SESSON_NAME: github-ipppontech-my-web-site-to-aws-via-oidc
 
 # Permission can be added at job level or workflow level
 permissions:
@@ -24,8 +27,8 @@ jobs:
       - uses: actions/checkout@v4
       - uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: arn:aws:iam::448878779811:role/twitch-live-1710204-my-web-site
-          role-session-name: github-ipppontech-my-web-site-to-aws-via-oidc
+          role-to-assume: ${{ env.ROLE_ARN }}
+          role-session-name: ${{ env.ROLE_SESSION_NAME }}
           aws-region: ${{ env.AWS_REGION }}
       - uses: hashicorp/setup-terraform@v3
         with:
@@ -47,8 +50,8 @@ jobs:
       - uses: actions/checkout@v4
       - uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: arn:aws:iam::448878779811:role/twitch-live-1710204-my-web-site
-          role-session-name: github-ipppontech-my-web-site-to-aws-via-oidc
+          role-to-assume: ${{ env.ROLE_ARN }}
+          role-session-name: ${{ env.ROLE_SESSION_NAME }}
           aws-region: ${{ env.AWS_REGION }}
       - uses: hashicorp/setup-terraform@v3
         with:
@@ -70,8 +73,8 @@ jobs:
       - uses: actions/checkout@v4
       - uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: arn:aws:iam::448878779811:role/twitch-live-1710204-my-web-site
-          role-session-name: github-ipppontech-my-web-site-to-aws-via-oidc
+          role-to-assume: ${{ env.ROLE_ARN }}
+          role-session-name: ${{ env.ROLE_SESSION_NAME }}
           aws-region: ${{ env.AWS_REGION }}
       - name: Use Node.js LTS
         uses: actions/setup-node@v4
@@ -87,6 +90,14 @@ jobs:
         run: |
           npm ci
           npm run build
+      - name: clean S3 origin bucket
+        run: |
+          aws s3api delete-objects \
+            --bucket ${{ env.ORIGIN_BUCKET_NAME }} \
+            --delete "$(aws s3api list-object-versions \
+            --bucket ${{ env.ORIGIN_BUCKET_NAME }} \
+            --output=json \
+            --query='{Objects: Versions[].{Key:Key,VersionId:VersionId}}')"
       - name: copy dist folder to S3
         run: |
-          aws s3 cp --recursive dist s3://twitch-live-17102024-my-web-site-origin/
+          aws s3 cp --recursive dist s3://${{ env.ORIGIN_BUCKET_NAME }}/
diff --git a/infrastructure/10_bootstrap/.terraform.lock.hcl b/infrastructure/10_bootstrap/.terraform.lock.hcl
diff --git a/infrastructure/10_bootstrap/github_oidc.tf b/infrastructure/10_bootstrap/github_oidc.tf
@@ -1,5 +1,5 @@
 locals {
-  role_name = "twitch-live-1710204-my-web-site"
+  role_name = "twitch-live-17102024-my-web-site"
 }
 
 import {
@@ -102,7 +102,7 @@ data "aws_iam_policy_document" "twitch_live_runner" {
       "iam:*"
     ]
     resources = [
-      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/twitch-live-1710204-my-web-site"
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/twitch-live-17102024-my-web-site"
     ]
   }
 }
diff --git a/infrastructure/20_cloudfront/.terraform.lock.hcl b/infrastructure/20_cloudfront/.terraform.lock.hcl
diff --git a/infrastructure/20_cloudfront/cloudfront.tf b/infrastructure/20_cloudfront/cloudfront.tf
@@ -3,7 +3,8 @@ locals {
 }
 
 module "cdn" {
-  source = "terraform-aws-modules/cloudfront/aws"
+  source  = "terraform-aws-modules/cloudfront/aws"
+  version = "3.4.1"
 
   # aliases = ["cdn.example.com"]
 
@@ -37,6 +38,7 @@ module "cdn" {
     target_origin_id       = local.origin_id
     viewer_protocol_policy = "allow-all"
   }
+
   #   viewer_certificate = {
   #     acm_certificate_arn = "arn:aws:acm:us-east-1:135367859851:certificate/1032b155-22da-4ae0-9f69-e206f825458b"
   #     ssl_support_method  = "sni-only"

diff --git a/infrastructure/20_cloudfront/s3_origin.tf b/infrastructure/20_cloudfront/s3_origin.tf
@@ -3,13 +3,14 @@ locals {
 }
 
 module "s3_bucket" {
-  source = "terraform-aws-modules/s3-bucket/aws"
+  source  = "terraform-aws-modules/s3-bucket/aws"
+  version = "4.2.1"
 
   bucket = local.origin_bucket_name
   acl    = "private"
 
   control_object_ownership = true
-  object_ownership         = "ObjectWriter"
+  object_ownership         = "BucketOwnerEnforced"
 
   server_side_encryption_configuration = {
     rule = {
@@ -19,15 +20,32 @@ module "s3_bucket" {
     }
   }
 
-  # policy = data.aws_iam_policy_document.origin_bucket_policy.json
+  policy = data.aws_iam_policy_document.origin_bucket_policy.json
 }
 
 
-# data "aws_iam_policy_document" "origin_bucket_policy" {
-#   statement {
-#     effect = "Allow"
-#     principals {
-#
-#     }
-#   }
-# }
+data "aws_iam_policy_document" "origin_bucket_policy" {
+  # Origin Access Controls
+  statement {
+    sid = "S3GetObjectsDistribution"
+    actions = [
+      "s3:GetObject"
+    ]
+    resources = [
+      "${module.s3_bucket.s3_bucket_arn}/*"
+    ]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudfront.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceArn"
+      values = [
+        module.cdn.cloudfront_distribution_arn
+      ]
+    }
+  }
+}