بِسْمِ ٱللَّٰهِ ٱلرَّحْمَٰنِ ٱلرَّحِيمِ

Author: Script47

.github/workflows/master.yaml

@@ -0,0 +1,24 @@
+name: Test & Tag
+
+on:
+  push:
+    branches:
+      - master
+
+permissions:
+  id-token: write
+  contents: write
+
+jobs:
+  tag:
+    name: Tag
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Tag release
+        uses: Klemensas/action-autotag@stable
+        with:
+          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+          tag_prefix: 'v'

CHANGELOG.md

@@ -0,0 +1,3 @@
+{
+  "version": "0.0.1"
+}

package.json

@@ -0,0 +1,6 @@
+resource "aws_acm_certificate" "cloudfront_cert" {
+  domain_name       = var.domain_name
+  validation_method = "DNS"
+  tags              = var.tags
+  provider          = aws.useast1
+}

static-site/acm.tf

@@ -0,0 +1,90 @@
+resource "aws_cloudfront_distribution" "static_site" {
+  comment             = "Distribution for ${var.domain_name}"
+  aliases             = [var.domain_name]
+  enabled             = true
+  is_ipv6_enabled     = true
+  default_root_object = "index.html"
+
+  origin {
+    domain_name              = aws_s3_bucket.static_site.bucket_regional_domain_name
+    origin_id                = "S3-${aws_s3_bucket.static_site.bucket}"
+    origin_access_control_id = aws_cloudfront_origin_access_control.oac.id
+  }
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+      locations        = []
+    }
+  }
+
+  default_cache_behavior {
+    target_origin_id           = "S3-${aws_s3_bucket.static_site.bucket}"
+    response_headers_policy_id = aws_cloudfront_response_headers_policy.cloudfront.id
+
+    allowed_methods = ["GET", "HEAD"]
+    cached_methods  = ["GET", "HEAD"]
+
+    forwarded_values {
+      query_string = false
+
+      cookies {
+        forward = "none"
+      }
+    }
+
+    viewer_protocol_policy = "redirect-to-https"
+  }
+
+  viewer_certificate {
+    acm_certificate_arn            = aws_acm_certificate.cloudfront_cert.arn
+    ssl_support_method             = "sni-only"
+    minimum_protocol_version       = var.minimum_protocol_version
+    cloudfront_default_certificate = false
+  }
+
+  # For SPAs this is needed for hard refresh on dynamic routes
+  custom_error_response {
+    response_page_path    = "/index.html"
+    response_code         = 404
+    error_code            = 403
+    error_caching_min_ttl = 0
+  }
+
+  tags = var.tags
+}
+
+resource "aws_cloudfront_origin_access_control" "oac" {
+  name                              = "oac-for-${aws_s3_bucket.static_site.bucket}"
+  description                       = "OAC for ${aws_s3_bucket.static_site.bucket}"
+  origin_access_control_origin_type = "s3"
+  signing_behavior                  = "always"
+  signing_protocol                  = "sigv4"
+}
+
+resource "aws_cloudfront_response_headers_policy" "cloudfront" {
+  name    = "cloudfront-response-headers-policy"
+  comment = "Response headers policy for ${var.domain_name}"
+
+  security_headers_config {
+    frame_options {
+      frame_option = "DENY"
+      override     = true
+    }
+
+    referrer_policy {
+      referrer_policy = "strict-origin"
+      override        = true
+    }
+
+    content_type_options {
+      override = true
+    }
+
+    strict_transport_security {
+      access_control_max_age_sec = 15768000
+      preload                    = false
+      override                   = true
+    }
+  }
+}

static-site/cloudfront.tf

@@ -0,0 +1,69 @@
+data "aws_iam_policy_document" "oidc" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    principals {
+      type        = "Federated"
+      identifiers = [data.aws_iam_openid_connect_provider.github.arn]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = ["repo:team-sufra/web:ref:refs/heads/master"]
+    }
+  }
+}
+
+
+data "aws_iam_policy_document" "static_site" {
+  statement {
+    actions   = ["s3:GetObject"]
+    resources = ["${aws_s3_bucket.static_site.arn}/*"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["cloudfront.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "AWS:SourceArn"
+      values = [
+        aws_cloudfront_distribution.static_site.arn
+      ]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "deploy_web" {
+  statement {
+    actions = [
+      "s3:ListBucket",
+      "s3:GetBucketLocation",
+      "s3:GetObject",
+      "s3:PutObject",
+      "s3:DeleteObject",
+      "cloudfront:CreateInvalidation"
+    ]
+    resources = [
+      aws_s3_bucket.static_site.arn,
+      "${aws_s3_bucket.static_site.arn}/*",
+      aws_cloudfront_distribution.static_site.arn
+    ]
+  }
+}
+
+data "aws_route53_zone" "sufra_co_uk_hosted_zone" {
+  name = "sufra.co.uk"
+}
+
+data "aws_iam_openid_connect_provider" "github" {
+  url = "https://token.actions.githubusercontent.com"
+}

static-site/data.tf

@@ -0,0 +1,21 @@
+###############################################
+# Sets up an IAM role which will allow deploying
+# your site via pipelines.
+###############################################
+
+resource "aws_iam_role" "deploy_web" {
+  name               = var.role_name
+  assume_role_policy = data.aws_iam_policy_document.oidc.json
+  tags               = var.tags
+}
+
+resource "aws_iam_policy" "deploy_web" {
+  name   = var.role_name
+  policy = data.aws_iam_policy_document.deploy_web.json
+  tags   = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "deploy_web" {
+  role       = aws_iam_role.deploy_web.name
+  policy_arn = aws_iam_policy.deploy_web.arn
+}

static-site/iam.tf

@@ -0,0 +1,11 @@
+output "bucket_name" {
+  value = aws_s3_bucket.static_site.bucket
+}
+
+output "cloudfront_dist_id" {
+  value = aws_cloudfront_distribution.static_site.id
+}
+
+output "cloudfront_dist_domain_name" {
+  value = aws_cloudfront_distribution.static_site.domain_name
+}

static-site/outputs.tf

@@ -0,0 +1,15 @@
+#############################################
+# Setup the A record for your custom domain
+#############################################
+
+resource "aws_route53_record" "static_site_a_record" {
+  zone_id = var.hosted_zone_id
+  name    = var.domain_name
+  type    = "A"
+
+  alias {
+    name                   = aws_cloudfront_distribution.static_site.domain_name
+    zone_id                = aws_cloudfront_distribution.static_site.hosted_zone_id
+    evaluate_target_health = false
+  }
+}

static-site/route53.tf

@@ -0,0 +1,10 @@
+resource "aws_s3_bucket" "static_site" {
+  bucket        = var.bucket_name
+  force_destroy = true
+  tags          = var.tags
+}
+
+resource "aws_s3_bucket_policy" "static_site_policy" {
+  bucket = aws_s3_bucket.static_site.bucket
+  policy = data.aws_iam_policy_document.static_site.json
+}

static-site/s3.tf

@@ -0,0 +1,31 @@
+variable "bucket_name" {
+  type        = string
+  description = "The name of the bucket which will hold your static site"
+}
+
+variable "hosted_zone_id" {
+  type        = string
+  description = "The hosted zone ID to attach the A record for your custom domain"
+}
+
+variable "domain_name" {
+  type        = string
+  description = "The custom domain for your CloudFront distribution"
+}
+
+variable "minimum_protocol_version" {
+  type        = string
+  description = "Set the minimum viewer certificate version for the CloudFront distribution"
+  default     = "TLSv1.2_2021"
+}
+
+variable "role_name" {
+  type = string
+  description = "The name of the role and policy with the ability to deploy"
+  default = "deploy-static-site"
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "The tags to apply to all resources created"
+}