A modern, production-ready portfolio website featuring AWS cloud deployment, automated CI/CD, and enterprise-grade security.
## Features
- Responsive Frontend: Modern HTML/CSS design with multiple themes
- RESTful API: Flask backend with guestbook functionality
- AWS Cloud Infrastructure: Automated deployment with CloudFormation
- Enterprise Security: XSS protection, rate limiting, CORS configuration
- Automated CI/CD: GitHub Actions for seamless deployment
- Monitoring & Logging: CloudWatch integration
- Containerized: Docker support for consistent deployments
## Architecture
```text
+-------------------+    +-------------------+    +-------------------+
|    CloudFront     |    |     S3 Bucket     |    |   EC2 Instance    |
|      (CDN)        |--->|    (Frontend)     |    |       (API)       |
+-------------------+    +-------------------+    +-------------------+
          |                        |                        |
          +------------------------+------------------------+
                                   |
                         +-------------------+
                         |  CloudFormation   |
                         |      (IaC)        |
                         +-------------------+
```
## Tech Stack
### Frontend
- HTML5, CSS3
- Responsive design
- Multiple page themes
### Backend
- Python 3.11
- Flask framework
- Gunicorn WSGI server
- Rate limiting & CORS protection
### Cloud Infrastructure
- AWS S3: Static website hosting
- AWS CloudFront: CDN and caching
- AWS EC2: API server
- AWS CloudFormation: Infrastructure as Code
- AWS CloudWatch: Monitoring and logging
### DevOps
- GitHub Actions: CI/CD automation
- Docker: Containerization
- AWS CLI: Deployment scripts
## Prerequisites
- AWS account
- GitHub account
- AWS CLI installed
- Git installed
## Quick Start
### 1. Clone the repository
```bash
git clone https://github.com/YOUR_USERNAME/aws-portfolio-project.git
cd aws-portfolio-project
```
### 2. Configure AWS credentials
```bash
aws configure
```
### 3. Configure GitHub Secrets
Refer to the [GitHub Secrets Guide](docs/GITHUB_SECRETS_GUIDE.md).
### 4. Deploy
```bash
# Using automated script
./scripts/deploy.sh --bucket your-unique-bucket-name
# Or using GitHub Actions (automatic deployment)
git push origin main
```
## Project Structure
```text
aws-portfolio-project/
├── .github/workflows/          # GitHub Actions CI/CD
├── api/                        # Flask API application
│   ├── app.py                  # Main application
│   ├── Dockerfile              # Container configuration
│   ├── requirements.txt        # Python dependencies
│   ├── test_app.py             # API tests
│   └── env.production.example  # Environment configuration
├── frontend/                   # Static website files
│   ├── index.html              # Main page
│   ├── index-chinese.html      # Chinese version
│   ├── simple.html             # Simple theme
│   ├── tech-style.html         # Tech theme
│   ├── styles.css              # Stylesheet
│   └── assets/                 # Static assets
├── iac/cfn/                    # Infrastructure as Code
│   └── template.yaml           # CloudFormation template
├── scripts/                    # Deployment scripts
│   └── deploy.sh               # Main deployment script
├── docs/                       # Documentation
│   ├── ARCHITECTURE.md         # Architecture overview
│   ├── DEPLOYMENT_CHECKLIST.md # Deployment guide
│   ├── GITHUB_SECRETS_GUIDE.md # Secrets configuration
│   ├── SECURITY.md             # Security guidelines
│   └── SECURITY_CHECKLIST.md   # Security checklist
└── README.md                   # This file
```
## Security Features
- Input Validation: XSS attack prevention
- Rate Limiting: DDoS attack protection
- CORS Configuration: Cross-origin request control
- IAM Roles: Least privilege principle
- Security Groups: Network access control
- HTTPS Encryption: SSL/TLS secure connections
- Container Security: Non-root user execution
## Testing
```bash
cd api
pip install -r requirements.txt
python test_app.py
```
## Docker
```bash
cd api
docker build -t portfolio-api .
docker run -p 5000:80 portfolio-api
```
## Monitoring
- CloudWatch Logs: Application log collection
- CloudWatch Metrics: Performance monitoring
- Health Checks: Automatic service status checks
- Log Rotation: Automatic log management
## Configuration
### API Environment Variables
- `FLASK_ENV`: Execution environment (development/production)
- `FLASK_DEBUG`: Debug mode
- `ALLOWED_ORIGINS`: CORS allowed origins
- `RATE_LIMIT_PER_MINUTE`: Requests per minute limit
- `RATE_LIMIT_PER_HOUR`: Requests per hour limit
### CloudFormation Parameters
- `BucketName`: S3 bucket name
- `DomainName`: Custom domain (optional)
- `CertificateArn`: SSL certificate ARN (optional)
- `InstanceType`: EC2 instance type
## Lessons Learned
This section records key knowledge and pitfalls encountered while setting up automated deployment with GitHub Actions + AWS S3 + CloudFront.
### Key Concepts
- GitHub Actions Workflow
  - Defined in `.github/workflows/*.yml`
  - Triggered via `push` or `workflow_dispatch`
  - `jobs` consist of ordered steps (commonly: test / build / deploy)
- OIDC and AWS IAM
  - No need to store long-lived `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY`
  - Use the GitHub OIDC provider to request short-lived AWS credentials
  - The IAM Role trust policy must allow `arn:aws:iam::<account_id>:oidc-provider/token.actions.githubusercontent.com`
- S3 + CloudFront Deployment Best Practices
  - Static assets (CSS/JS/images): long cache (30 days to 1 year)
  - HTML: `no-cache` so clients always fetch the latest version
  - Delete removed files: `aws s3 sync --delete` to avoid stale files
  - CloudFront invalidation: invalidate only HTML files (`/index.html` etc.) instead of `/*` to save cost
### Pitfalls and Fixes
- Workflow file name too strict
  - Trust policy restricted with `job_workflow_ref`
  - Any file rename caused deployment failure
  - Fix: use `repo:<repo>:ref:refs/heads/main*` for flexibility
- OIDC Not Authorized
  - Common reasons:
    - Condition mismatch with `github.workflow_ref`
    - Forgot to add `id-token: write` in workflow permissions
    - IAM Role missing `sts:AssumeRoleWithWebIdentity`
- CloudFront invalidation format error
  - `find` command produced invalid path strings
  - Fix: ensure paths look like `/file.html` without extra quotes
- IAM permissions too broad / too narrow
  - Initially granted full S3 permissions: unsafe
  - Refined to: `s3:ListBucket`, `s3:GetObject*`, `s3:PutObject*`, `s3:DeleteObject*` (scoped to the specific bucket) and `cloudfront:CreateInvalidation` (scoped to the specific distribution)
- Insufficient debug info
  - Without printing GitHub context, IAM policy troubleshooting was hard
  - Added `echo ${{ github.repository }}` and similar outputs to compare against the trust policy
### IAM Role Trust Policy (GitHub OIDC)
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GitHubOidcTrustRepoMain",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::277375108569:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:repository": "ChuLiYu/aws-portfolio-project"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:ChuLiYu/aws-portfolio-project:ref:refs/heads/main*"
        }
      }
    }
  ]
}
```
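The S3 + CloudFront caching rules and the invalidation-path fix from the lessons above, combined into one deploy routine as an added example (this is not the project's own `scripts/deploy.sh`); the bucket name and distribution ID are placeholder arguments you supply, and the sample directory at the bottom is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not the project's scripts/deploy.sh. Applies the caching rules
# from the lessons learned and builds CloudFront invalidation paths in the form
# the API accepts ("/file.html", no stray quotes). Bucket and distribution ID
# are placeholders passed in by the caller.
set -eu

# Emit one invalidation path per HTML file under $1, e.g. "/index.html" or
# "/blog/post.html". Replacing find's "./" prefix with "/" (instead of quoting
# find's raw output) is what avoids the invalid path strings seen in the pitfalls.
html_invalidation_paths() {
  dir="$1"
  (cd "$dir" && find . -type f -name '*.html' | sed 's|^\./|/|' | LC_ALL=C sort)
}

# Sync a built site to S3 with split cache rules, then invalidate only the HTML.
deploy_site() {
  src="$1"; bucket="$2"; dist_id="$3"
  # Static assets: long cache (one year); --delete removes files no longer in src.
  aws s3 sync "$src" "s3://$bucket" --delete --exclude '*.html' \
    --cache-control 'public, max-age=31536000'
  # HTML: no-cache so browsers revalidate and always get the latest version.
  aws s3 sync "$src" "s3://$bucket" --delete --exclude '*' --include '*.html' \
    --cache-control 'no-cache'
  # Invalidate only the HTML paths, not /*, to keep invalidation cost down.
  # shellcheck disable=SC2046  # word-splitting on newlines is intended here
  aws cloudfront create-invalidation --distribution-id "$dist_id" \
    --paths $(html_invalidation_paths "$src")
}

# Constructed sample tree (not the repo's frontend/) to show the generated paths.
demo_dir="$(mktemp -d)"
mkdir -p "$demo_dir/assets"
touch "$demo_dir/index.html" "$demo_dir/simple.html" \
      "$demo_dir/styles.css" "$demo_dir/assets/logo.png"
html_invalidation_paths "$demo_dir"   # prints /index.html and /simple.html
rm -rf "$demo_dir"
```

`deploy_site` is defined but not invoked by the demo; call it as `deploy_site ./frontend your-bucket-name YOUR_DISTRIBUTION_ID` once the AWS CLI is authenticated.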
## Documentation
- [Architecture Overview](docs/ARCHITECTURE.md)
- [Deployment Checklist](docs/DEPLOYMENT_CHECKLIST.md)
- [Security Guidelines](docs/SECURITY.md)
- [GitHub Secrets Guide](docs/GITHUB_SECRETS_GUIDE.md)
- [Security Checklist](docs/SECURITY_CHECKLIST.md)
- [DNS and CloudFront Migration](docs/DNS_CLOUDFRONT_MIGRATION.md)
## Contributing
Contributions are welcome! Please feel free to submit issues and pull requests.
### Development Workflow
1. Fork the project
2. Create a feature branch
3. Commit your changes
4. Create a pull request
## License
MIT License - see [LICENSE](LICENSE) file for details
## Support
If you encounter any issues:
1. Check the [Deployment Checklist](docs/DEPLOYMENT_CHECKLIST.md)
2. Review the [Security Checklist](docs/SECURITY_CHECKLIST.md)
3. Submit an [Issue](https://github.com/YOUR_USERNAME/aws-portfolio-project/issues)
## Roadmap
- [ ] Multi-language support
- [ ] Database integration
- [ ] User authentication
- [ ] Admin dashboard
- [ ] Performance optimization
- [ ] Additional cloud service integrations
---
**If this project helps you, please give it a star!**