Collin J. Doering 364a51f21a
WIP: pulumi POC deployment implementation 2021-11-21 11:39:43 -05:00
6 changed files with 69 additions and 35 deletions

4
.gitignore vendored

@ -19,3 +19,7 @@ dist
terraform.tfstate.d terraform.tfstate.d
*.local.tfvars *.local.tfvars
*.plan *.plan
# Pulumi
*.pyc
infra/venv/

1
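--- /dev/null
+++ b/infra/Pulumi.dev.yaml
@@ -0,0 +1 @@
+encryptionsalt: v1:41djbtbdfn8=:v1:nmi4l6XY2PicKzLx:b50NBop6ZJ24hPXiuLA8DOF/vwa3/g==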
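Review bot: The only line of this new stack file, `encryptionsalt`, marks the stack as using Pulumi's passphrase secrets provider, but nothing in the commit records where the passphrase is expected to come from or that this file is meant to be committed. A comment such as `# Stack secrets use the passphrase provider; supply PULUMI_CONFIG_PASSPHRASE (or PULUMI_CONFIG_PASSPHRASE_FILE) out of band. The salt below is not secret and is safe to commit.` would make that explicit for the next person touching the stack. Pulumi rewrites this file when config values are set, so the project README or the `description` in `Pulumi.yaml` may be the more durable place for that sentence.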

6
infra/Pulumi.yaml Normal file

@ -0,0 +1,6 @@
name: blog-rekahsoft-ca
runtime:
name: python
options:
virtualenv: venv
description: Personal blog of Collin Doering

3
infra/__main__.py Normal file

@ -0,0 +1,3 @@
"""A Python Pulumi program"""
import pulumi


@ -28,18 +28,14 @@ provider "aws" {
} }
} }
provider "null" { # provider "null" {
version = "~> 2.1" # version = "~> 2.1"
} # }
provider "random" { provider "random" {
version = "~> 2.1" version = "~> 2.1"
} }
provider "template" {
version = "~> 2.1"
}
# #
# Local values to be re-used throughout this template # Local values to be re-used throughout this template
@ -55,18 +51,41 @@ locals {
naked_domain = "${local.subdomain}${var.dns_apex}" naked_domain = "${local.subdomain}${var.dns_apex}"
domain = "${local.www}${local.naked_domain}" domain = "${local.www}${local.naked_domain}"
project_env = "${var.project}-${terraform.workspace}" project_env = "${var.project}-${terraform.workspace}"
bucket_arn = aws_s3_bucket.static.arn
user_arn = aws_iam_user.app_deploy.arn
cloudfront_arn = aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn
} }
# #
# Data Sources # Data Sources
data "template_file" "s3_origin_policy" { data "aws_iam_policy_document" "s3_origin_policy" {
template = file("templates/s3_origin_policy.json") statement {
principals {
type = "AWS"
identifiers = [local.cloudfront_arn]
}
actions = ["s3:GetObject"]
resources = ["${local.bucket_arn}/*"]
}
vars = { statement {
bucket_arn = aws_s3_bucket.static.arn principals {
user_arn = aws_iam_user.app_deploy.arn type = "AWS"
cloudfront_arn = aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn identifiers = [local.user_arn]
}
actions = ["s3:ListBucket"]
resources = ["${local.bucket_arn}"]
}
statement {
principals {
type = "AWS"
identifiers = [local.user_arn]
}
actions = ["s3:*"]
resources = ["${local.bucket_arn}/*"]
} }
} }
@ -210,7 +229,7 @@ resource "aws_route53_record" "static_redirect_ipv6" {
resource "aws_s3_bucket_policy" "static_policy" { resource "aws_s3_bucket_policy" "static_policy" {
bucket = aws_s3_bucket.static.id bucket = aws_s3_bucket.static.id
policy = data.template_file.s3_origin_policy.rendered policy = data.aws_iam_policy_document.s3_origin_policy.json
} }
resource "aws_cloudfront_origin_access_identity" "origin_access_identity" { resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {
@ -386,29 +405,29 @@ resource "aws_cloudfront_distribution" "cdn_redirect" {
} }
} }
resource "null_resource" "deploy_app" { # resource "null_resource" "deploy_app" {
triggers = { # triggers = {
always = uuid() # always = uuid()
} # }
provisioner "local-exec" { # provisioner "local-exec" {
interpreter = ["bash", "-c"] # interpreter = ["bash", "-c"]
command = <<SCRIPT # command = <<SCRIPT
: Create temporary aws config and credentials files # : Create temporary aws config and credentials files
export AWS_CONFIG_FILE=$(mktemp); # export AWS_CONFIG_FILE=$(mktemp);
export AWS_SHARED_CREDENTIALS_FILE=$(mktemp); # export AWS_SHARED_CREDENTIALS_FILE=$(mktemp);
: Add default AWS account profile; # : Add default AWS account profile;
aws configure --profile ${aws_iam_user.app_deploy.name} set aws_access_key_id ${aws_iam_access_key.app_deploy.id}; # aws configure --profile ${aws_iam_user.app_deploy.name} set aws_access_key_id ${aws_iam_access_key.app_deploy.id};
aws configure --profile ${aws_iam_user.app_deploy.name} set aws_secret_access_key ${aws_iam_access_key.app_deploy.secret}; # aws configure --profile ${aws_iam_user.app_deploy.name} set aws_secret_access_key ${aws_iam_access_key.app_deploy.secret};
aws configure --profile ${aws_iam_user.app_deploy.name} set region ${var.region}; # aws configure --profile ${aws_iam_user.app_deploy.name} set region ${var.region};
: Sync latest app build to s3 bucket; # : Sync latest app build to s3 bucket;
aws --profile ${aws_iam_user.app_deploy.name} s3 sync --delete ../_site s3://${aws_s3_bucket.static.id}/; # aws --profile ${aws_iam_user.app_deploy.name} s3 sync --delete ../_site s3://${aws_s3_bucket.static.id}/;
: Cleanup temporary aws config and credentials files # : Cleanup temporary aws config and credentials files
rm $${AWS_CONFIG_FILE} $${AWS_SHARED_CREDENTIALS_FILE}; # rm $${AWS_CONFIG_FILE} $${AWS_SHARED_CREDENTIALS_FILE};
SCRIPT # SCRIPT
} # }
} # }
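Review bot: The third `statement` of `data "aws_iam_policy_document" "s3_origin_policy"` (hunk `@ -55,18 +51,41 @@`) grants the deploy user `s3:*` on every object in the bucket, which is far broader than the content sync in the `deploy_app` provisioner (now commented out in the last hunk) requires; `aws s3 sync --delete` needs `s3:ListBucket` on the bucket, which the second statement already gives, plus object-level put and delete. Narrowing that statement to `actions = ["s3:PutObject", "s3:DeleteObject"]` (adding `s3:GetObject` only if the sync turns out to need it) keeps object ACL changes and other administrative object actions out of the deploy credential's reach. The previous JSON template is not visible in the diff, so this may only carry the old grant forward; either way a one-line comment above the statement, `# deploy user: write/delete objects for 'aws s3 sync --delete'`, would record the intent. The `null` provider and `deploy_app` blocks in the first and last hunks are left as commented-out code; deleting them outright is cleaner since the history stays in git. The file header for this section is not shown on the page, so the Terraform file's path cannot be confirmed from here.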

1
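--- /dev/null
+++ b/infra/requirements.txt
@@ -0,0 +1 @@
+pulumi>=3.0.0,<4.0.0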