From 364a51f21a6856a64c5f593e525d33c440afdc90 Mon Sep 17 00:00:00 2001 From: "Collin J. Doering" Date: Sun, 21 Nov 2021 11:39:43 -0500 Subject: [PATCH] WIP: pulumi POC deployment implementation --- .gitignore | 4 ++ infra/Pulumi.dev.yaml | 1 + infra/Pulumi.yaml | 6 +++ infra/__main__.py | 3 ++ infra/main.tf | 89 +++++++++++++++++++++++++----------------- infra/requirements.txt | 1 + 6 files changed, 69 insertions(+), 35 deletions(-) create mode 100644 infra/Pulumi.dev.yaml create mode 100644 infra/Pulumi.yaml create mode 100644 infra/__main__.py create mode 100644 infra/requirements.txt diff --git a/.gitignore b/.gitignore index 1182e90..aebdef0 100644 --- a/.gitignore +++ b/.gitignore @@ -19,3 +19,7 @@ dist terraform.tfstate.d *.local.tfvars *.plan + +# Pulumi +*.pyc +infra/venv/ diff --git a/infra/Pulumi.dev.yaml b/infra/Pulumi.dev.yaml new file mode 100644 index 0000000..04a4f6c --- /dev/null +++ b/infra/Pulumi.dev.yaml @@ -0,0 +1 @@ +encryptionsalt: v1:41djbtbdfn8=:v1:nmi4l6XY2PicKzLx:b50NBop6ZJ24hPXiuLA8DOF/vwa3/g== diff --git a/infra/Pulumi.yaml b/infra/Pulumi.yaml new file mode 100644 index 0000000..3881205 --- /dev/null +++ b/infra/Pulumi.yaml @@ -0,0 +1,6 @@ +name: blog-rekahsoft-ca +runtime: + name: python + options: + virtualenv: venv +description: Personal blog of Collin Doering diff --git a/infra/__main__.py b/infra/__main__.py new file mode 100644 index 0000000..e1b925b --- /dev/null +++ b/infra/__main__.py @@ -0,0 +1,3 @@ +"""A Python Pulumi program""" + +import pulumi diff --git a/infra/main.tf b/infra/main.tf index 56ff589..0a7e9cc 100644 --- a/infra/main.tf +++ b/infra/main.tf @@ -28,18 +28,14 @@ provider "aws" { } } -provider "null" { - version = "~> 2.1" -} +# provider "null" { +# version = "~> 2.1" +# } provider "random" { version = "~> 2.1" } -provider "template" { - version = "~> 2.1" -} - # # Local values to be re-used throughout this template 
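Review bot: The new `infra/Pulumi.dev.yaml` holds only `encryptionsalt`, which means the stack was initialised with the passphrase-based secrets provider; the salt is designed to be committed and is not itself a secret, but every `pulumi up` (including any CI job) will then need `PULUMI_CONFIG_PASSPHRASE` or `PULUMI_CONFIG_PASSPHRASE_FILE` supplied out of band. If this stack will carry cloud credentials or other secret config, initialising it with a cloud KMS secrets provider (`pulumi stack init --secrets-provider=...`) avoids tying key management to a shared passphrase. A one-line YAML comment above the salt such as `# Salt for the passphrase secrets provider; safe to commit, the passphrase is not stored here` would save the next reviewer the same question.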
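Review bot: The `provider "null"` block in the first `main.tf` hunk is commented out rather than deleted, and the `null_resource "deploy_app"` that used it is commented out the same way in the last hunk (that hunk is cut off at the end of this chunk). Git history already preserves the old definitions, so commented HCL only accumulates; if the goal is to keep the Terraform path applying while the Pulumi POC matures, a short comment such as `# null provider and deploy_app provisioner removed: deployment moves to Pulumi (see infra/__main__.py)` explains the state of the file better than the dead blocks do.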
@@ -55,18 +51,41 @@ locals { naked_domain = "${local.subdomain}${var.dns_apex}" domain = "${local.www}${local.naked_domain}" project_env = "${var.project}-${terraform.workspace}" + + bucket_arn = aws_s3_bucket.static.arn + user_arn = aws_iam_user.app_deploy.arn + cloudfront_arn = aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn } # # Data Sources -data "template_file" "s3_origin_policy" { - template = file("templates/s3_origin_policy.json") +data "aws_iam_policy_document" "s3_origin_policy" { + statement { + principals { + type = "AWS" + identifiers = [local.cloudfront_arn] + } + actions = ["s3:GetObject"] + resources = ["${local.bucket_arn}/*"] + } - vars = { - bucket_arn = aws_s3_bucket.static.arn - user_arn = aws_iam_user.app_deploy.arn - cloudfront_arn = aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn + statement { + principals { + type = "AWS" + identifiers = [local.user_arn] + } + actions = ["s3:ListBucket"] + resources = ["${local.bucket_arn}"] + } + + statement { + principals { + type = "AWS" + identifiers = [local.user_arn] + } + actions = ["s3:*"] + resources = ["${local.bucket_arn}/*"] } } @@ -210,7 +229,7 @@ resource "aws_route53_record" "static_redirect_ipv6" { resource "aws_s3_bucket_policy" "static_policy" { bucket = aws_s3_bucket.static.id - policy = data.template_file.s3_origin_policy.rendered + policy = data.aws_iam_policy_document.s3_origin_policy.json } resource "aws_cloudfront_origin_access_identity" "origin_access_identity" { @@ -386,29 +405,29 @@ resource "aws_cloudfront_distribution" "cdn_redirect" { } } -resource "null_resource" "deploy_app" { - triggers = { - always = uuid() - } +# resource "null_resource" "deploy_app" { +# triggers = { +# always = uuid() +# } - provisioner "local-exec" { - interpreter = ["bash", "-c"] - command = <
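Review bot: The third `statement` in `data "aws_iam_policy_document" "s3_origin_policy"` grants `actions = ["s3:*"]` on `${local.bucket_arn}/*` to the deploy user principal, which is broader than a static-site upload needs (it includes object ACL, tagging and version operations); the replaced template file is not visible here, so this may only be carrying the old policy across, but the move to a typed policy document is the right moment to narrow it, e.g. `actions = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]`. In the second statement `resources = ["${local.bucket_arn}"]` is an interpolation-only string that Terraform 0.12+ warns about; `resources = [local.bucket_arn]` is the idiomatic form. The `bucket_arn`/`user_arn`/`cloudfront_arn` locals added at the top of the hunk appear to exist only to feed this data source, so a brief comment on the `locals` block saying so would help a reader who lands there first.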