diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index da558a4..55451bb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -60,6 +60,11 @@ jobs:
cd terraform
terraform init
terraform apply -auto-approve
+ env:
+ TF_VAR_cloudflare_api_token: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+ TF_VAR_aws_region: ${{ secrets.AWS_REGION }}
+ TF_VAR_aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ TF_VAR_aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- name: Deploy | S3
run: |
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
index 0fa7c0c..01fee26 100644
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
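Review bot: The added `env:` block hands long-lived AWS access keys to the deploy step through `TF_VAR_aws_access_key_id` / `TF_VAR_aws_secret_access_key`; a static key pair stored as a repository secret never expires and cannot be scoped to one workflow run, so prefer short-lived credentials from the OIDC trust (`aws-actions/configure-aws-credentials` with `role-to-assume`) and let the AWS provider pick them up from its default credential chain instead of passing them as Terraform variables. `AWS_REGION` is configuration rather than a secret; keeping it in `secrets` only hides it from logs and reviewers, so a `${{ vars.AWS_REGION }}` entry or a literal is clearer. The step still runs `terraform apply -auto-approve` with no preceding `terraform plan -out` artifact, so nothing is reviewed before changes reach the account; a plan step on pull requests with the saved plan applied on release is the usual shape. The enclosing job definition starts outside the hunk.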
@@ -1,6 +1,29 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. +provider "registry.terraform.io/cloudflare/cloudflare" { + version = "4.30.0" + constraints = "~> 4.0" + hashes = [ + "h1:FhhTF09/BBk37akGLFx9/uWkGUGwSNRub8vP80TaF7Q=", + "zh:218d1948b59e3d2e3af082724a0d057bcca5a5643c5e7c3b85eefc02430edd6b", + "zh:24eb677bc1b205565efb5c0d1c464f63d1e240aac61f5b2ef15165fe842cb7e2", + "zh:27896ed2a4f05f6a46ef25e674e445e89bd4bfba8cddbe95940109c6dc3179cc", + "zh:38b3b8297a9650b0ed09d57e0d802f5d851062bdadf72825652232c9a67346ac", + "zh:58d49ec9f414d0ff71e94cc991e1e3e33a13502ce0fea1393edd1297d0877bab", + "zh:5ed92c556e72cc4ea7fdf6db9e0dd7b093d179e26f2d2989b21a004a6402f2ae", + "zh:71f5c64702a7b2102f6d5edfd767953cd5b1248093c05983b909de06cf0c40cc", + "zh:788a023967db63b8eda9c0415851a743daf4073bab66b0bd1204bccbb54c9f8f", + "zh:7b9cd30355b4f63941284998167c3f3e5d208685e5176928275436de012f62d2", + "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f", + "zh:923ec04258fde407f0fce80488268f4277ffac68fb7240eee4f4373a344c5469", + "zh:97473bdb848a7f77832fde6d0e68877bdcc17bf47ae3639fb09e1aeff4a92a01", + "zh:9b8754d8f7c15878ecb8897a6ffc4e9ec95f4e5f0560f4129af82a8200e602ea", + "zh:b890723ed524d34e7fbee6c119714be23e1783b82441ce4c18871c9d54f10cbd", + "zh:c75e0e5f406653c9b4928d97a38410ad7bb20d48e260c17ae3125a77b0457bf5", + ] +} + provider "registry.terraform.io/hashicorp/aws" { version = "4.67.0" constraints = "~> 4.16" diff --git a/terraform/main.tf b/terraform/main.tf index dd14718..a5d2527 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -4,8 +4,11 @@ terraform { source = "hashicorp/aws" version = "~> 4.16" } + cloudflare = { + source = "cloudflare/cloudflare" + version = "~> 4.0" + } } - required_version = ">= 1.8.0" backend "s3" { 
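Review bot: The `@@ -4,8 +4,11 @@` hunk removes `required_version = ">= 1.8.0"` from the `terraform` block without a replacement, so the configuration now accepts any Terraform CLI version, including ones older than what the lock file and the new `~> 4.0` Cloudflare constraint were tested against. If the floor was dropped because the CI runner ships an older binary, pin to that tested version (`required_version = ">= <tested version>"`) rather than leaving the constraint out. The `terraform` block starts and ends outside the hunk.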
@@ -16,7 +19,13 @@ terraform {
}
provider "aws" {
- region = "us-east-1"
+ region = var.aws_region
+ access_key = var.aws_access_key_id
+ secret_key = var.aws_secret_access_key
+}
+
+provider "cloudflare" {
+ api_token = var.cloudflare_api_token
}
## Config
@@ -24,6 +33,7 @@ provider "aws" {
locals {
s3_origin_id = "WebS3Origin"
bucket_name = "www.spencer.imbleau.com"
+ zone = "9aad55f2e0a8d9373badd4361227cabe"
}
## S3
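Review bot: The `provider "aws"` block now takes `access_key` / `secret_key` from plain variables, and the same pattern is used for `api_token` in the new `provider "cloudflare"` block; the AWS provider already reads `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_REGION` from its default credential chain, and the Cloudflare provider reads `CLOUDFLARE_API_TOKEN`, so the credential arguments can be dropped in favour of setting those environment variables in CI, leaving at most `region = var.aws_region`. If the variable route is kept, the variables carrying credentials should be declared `sensitive = true` so Terraform redacts them wherever they appear in output or error text; as written they are not. The closing `}` of `provider "aws"` is inside the hunk, but the `terraform` block it follows starts outside it.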
@@ -134,3 +144,86 @@ data "aws_iam_policy_document" "view_objects_policy" {
}
}
+
+## Cloudfront
+
+resource "cloudflare_record" "tls_dns_validation" {
+ zone_id = local.zone
+ comment = "ACM Verification for ${aws_acm_certificate.tls_cert.domain_name}"
+ name = tolist(aws_acm_certificate.tls_cert.domain_validation_options)[0].resource_record_name
+ value = tolist(aws_acm_certificate.tls_cert.domain_validation_options)[0].resource_record_value
+ type = tolist(aws_acm_certificate.tls_cert.domain_validation_options)[0].resource_record_type
+ proxied = "false"
+}
+
+resource "cloudflare_record" "web_distribution_naked" {
+ zone_id = local.zone
+ name = "@"
+ value = "192.0.2.1"
+ type = "A"
+ proxied = "true"
+}
+
+resource "cloudflare_record" "web_distribution_www" {
+ zone_id = local.zone
+ name = "www"
+ value = "192.0.2.1"
+ type = "A"
+ proxied = "true"
+}
+
+resource "cloudflare_record" "web_distribution_naked_spencer" {
+ zone_id = local.zone
+ name = "spencer"
+ value = "192.0.2.1"
+ type = "A"
+ proxied = "true"
+}
+
+resource "cloudflare_record" "web_distribution_cn" {
+ zone_id = local.zone
+ name = "www.spencer"
+ value = aws_cloudfront_distribution.web_distribution.domain_name
+ type = "CNAME"
+ proxied = "false"
+}
+
+resource "cloudflare_ruleset" "redirect_rules" {
+ zone_id = local.zone
+ kind = "zone"
+ phase = "http_request_dynamic_redirect"
+ name = "Redirect rules"
+
+ rules {
+ description = "Redirect Non-CNAME"
+ action = "redirect"
+ expression = "(http.host eq \"imbleau.com\") or (http.host eq \"spencer.imbleau.com\") or (http.host eq \"www.imbleau.com\")"
+ action_parameters {
+ from_value {
+ status_code = 301
+ target_url {
+ expression = "concat(\"https://www.spencer.imbleau.com\", http.request.uri.path)"
+ }
+ preserve_query_string = true
+ }
+ }
+ enabled = true
+ }
+
+ rules {
+ description = "Redirect AWS"
+ action = "redirect"
+ expression = "(http.host eq \"aws.imbleau.com\") or (http.host eq \"www.aws.imbleau.com\")"
action_parameters {
+ from_value {
+ status_code = 301
+ target_url {
+ value = "https://804184581672.signin.aws.amazon.com/console"
+ }
+ preserve_query_string = false
+ }
+ }
+ enabled = true
+ }
+}
+
diff --git a/terraform/variables.tf b/terraform/variables.tf
new file mode 100644
index 0000000..1842982
--- /dev/null
+++ b/terraform/variables.tf
@@ -0,0 +1,19 @@
+variable "cloudflare_api_token" {
+ type = string
+ description = "The Cloudflare API token with access for the imbleau.com zone"
+}
+
+variable "aws_region" {
+ type = string
+ description = "The AWS region"
+}
+
+variable "aws_access_key_id" {
+ type = string
+ description = "The AWS Access Key ID"
+}
+
+variable "aws_secret_access_key" {
+ type = string
+ description = "The AWS Secret Access Key"
+}
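Review bot: The section comment reads `## Cloudfront` but every resource under it is a `cloudflare_record` or `cloudflare_ruleset`; rename it `## Cloudflare` so the file's headings (`## Config`, `## S3`) keep matching their contents. `proxied` is a boolean attribute and is written as the strings `"true"` / `"false"` on all five records; Terraform converts them, but bare `proxied = true` / `proxied = false` is the conventional form and avoids the reader wondering whether a string is intended. `tls_dns_validation` only creates the record for `domain_validation_options[0]`, so if `aws_acm_certificate.tls_cert` (defined outside this hunk) ever gains a subject alternative name, validation for the extra name would silently be missing — a `for_each` over the validation options is the usual shape. The `Redirect AWS` rule embeds the account-specific console sign-in URL in source; that is not a secret, but if the repository is public consider whether the account identifier should be published alongside the zone layout. The hunk ends at end of file.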
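Review bot: `cloudflare_api_token` and `aws_secret_access_key` (and arguably `aws_access_key_id`) are credentials, yet none of the four variable blocks sets `sensitive = true`, so Terraform will not redact their values if they ever reach plan/apply output or an error message; add `sensitive = true` to those three blocks. The descriptions could also state where the value is expected to come from (the workflow sets them via `TF_VAR_*` from repository secrets), e.g. `description = "Cloudflare API token scoped to the imbleau.com zone; supplied by CI via TF_VAR_cloudflare_api_token"`, so the next maintainer does not look for a tfvars file. The file is new and fully inside the hunk.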