Infra/rb website

apps/railgunbreaker/usw2dev/cloudfront.tf

@@ -0,0 +1,108 @@
+# DNS alias record to route domain to CloudFront distribution
+resource "aws_route53_record" "rb_website_alias" {
+  zone_id = data.terraform_remote_state.dns.outputs.domain_hosted_zone_id
+  name    = "${var.subdomain}.${data.terraform_remote_state.dns.outputs.domain_name}"
+  type    = "A"
+
+  alias {
+    name                   = aws_cloudfront_distribution.rb_website.domain_name
+    zone_id                = aws_cloudfront_distribution.rb_website.hosted_zone_id
+    evaluate_target_health = false
+  }
+}
+
+# IPv6 AAAA record
+resource "aws_route53_record" "rb_website_alias_ipv6" {
+  zone_id = data.terraform_remote_state.dns.outputs.domain_hosted_zone_id
+  name    = "${var.subdomain}.${data.terraform_remote_state.dns.outputs.domain_name}"
+  type    = "AAAA"
+
+  alias {
+    name                   = aws_cloudfront_distribution.rb_website.domain_name
+    zone_id                = aws_cloudfront_distribution.rb_website.hosted_zone_id
+    evaluate_target_health = false
+  }
+}
+
+# # DNS alias record to route www subdomain to CloudFront distribution
+# resource "aws_route53_record" "rb_website_www_alias" {
+#   zone_id = data.terraform_remote_state.dns.outputs.domain_hosted_zone_id
+#   name    = "www.${data.terraform_remote_state.dns.outputs.domain_name}"
+#   type    = "A"
+
+#   alias {
+#     name                   = aws_cloudfront_distribution.rb_website.domain_name
+#     zone_id                = aws_cloudfront_distribution.rb_website.hosted_zone_id
+#     evaluate_target_health = false
+#   }
+# }
+
+# # IPv6 AAAA record for www subdomain
+# resource "aws_route53_record" "rb_website_www_alias_ipv6" {
+#   zone_id = data.terraform_remote_state.dns.outputs.domain_hosted_zone_id
+#   name    = "www.${data.terraform_remote_state.dns.outputs.domain_name}"
+#   type    = "AAAA"
+
+#   alias {
+#     name                   = aws_cloudfront_distribution.rb_website.domain_name
+#     zone_id                = aws_cloudfront_distribution.rb_website.hosted_zone_id
+#     evaluate_target_health = false
+#   }
+# }
+
+# Origin Access Control to allow CloudFront to access private S3 bucket
+resource "aws_cloudfront_origin_access_control" "rb_website_oac" {
+  name                              = "rbWebsiteOAC"
+  description                       = "Origin Access Control for rb website S3 bucket"
+  origin_access_control_origin_type = "s3"
+  signing_behavior                  = "always"
+  signing_protocol                  = "sigv4"
+}
+
+data "aws_cloudfront_cache_policy" "caching_optimized" {
+  name = "Managed-CachingOptimized"
+}
+
+resource "aws_cloudfront_distribution" "rb_website" {
+  enabled             = true
+  is_ipv6_enabled     = true
+  comment             = "rb website distribution"
+  default_root_object = "index.html"
+  aliases             = [data.terraform_remote_state.dns.outputs.domain_name, "${var.subdomain}.${data.terraform_remote_state.dns.outputs.domain_name}"]
+
+  origin {
+    domain_name              = aws_s3_bucket.rb_website_bucket.bucket_regional_domain_name
+    origin_id                = "S3-${aws_s3_bucket.rb_website_bucket.bucket}"
+    origin_access_control_id = aws_cloudfront_origin_access_control.rb_website_oac.id
+    origin_path              = "/${var.s3_website_prefix}"
+  }
+
+  default_cache_behavior {
+    allowed_methods        = ["GET", "HEAD", "OPTIONS"]
+    cached_methods         = ["GET", "HEAD"]
+    target_origin_id       = "S3-${aws_s3_bucket.rb_website_bucket.bucket}"
+    viewer_protocol_policy = "redirect-to-https"
+    compress               = true
+    cache_policy_id        = data.aws_cloudfront_cache_policy.caching_optimized.id
+  }
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  viewer_certificate {
+    acm_certificate_arn      = data.terraform_remote_state.dns.outputs.wildcard_certificate_arn_us_east_1
+    ssl_support_method       = "sni-only"
+    minimum_protocol_version = "TLSv1.2_2021"
+  }
+
+  tags = {
+    Name = "rbWebsite-CloudFront-${var.env_name}"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}

apps/railgunbreaker/usw2dev/iam.tf

@@ -0,0 +1,163 @@
+# allow website GHA to push build artifacts to S3
+resource "aws_iam_role" "rb_gha_s3_ecr" {
+  name = "rb-GHA-S3-ECR-ReadWrite"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Federated = data.terraform_remote_state.iam.outputs.github_oidc_provider_arn
+        }
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Condition = {
+          StringLike = {
+            "token.actions.githubusercontent.com:sub" = "repo:${var.github_repo}:*"
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "rb_gha" {
+  name        = "ReadWrite-rbWebsite-S3-ECR"
+  description = "Allow the rb website GitHub Actions to update the latest build artifacts in S3 and ECR"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "AllowS3List"
+        Effect = "Allow"
+        Action = [
+          "s3:ListBucket"
+        ]
+        Resource = [
+          aws_s3_bucket.rb_website_bucket.arn
+        ]
+      },
+      {
+        Sid    = "AllowS3ReadWrite"
+        Effect = "Allow"
+        Action = [
+          "s3:GetObject",
+          "s3:PutObject",
+          "s3:DeleteObject"
+        ]
+        Resource = [
+          "${aws_s3_bucket.rb_website_bucket.arn}/*"
+        ]
+      },
+      {
+        Sid    = "AllowCloudFrontInvalidation"
+        Effect = "Allow"
+        Action = [
+          "cloudfront:CreateInvalidation",
+          "cloudfront:GetInvalidation"
+        ]
+        Resource = [
+          aws_cloudfront_distribution.rb_website.arn
+        ]
+      },
+      {
+        Sid    = "AllowTagGetting"
+        Effect = "Allow"
+        Action = [
+          "tag:GetResources"
+        ]
+        Resource = [
+          "*"
+        ]
+      },
+      {
+        Sid    = "AllowECRGetToken"
+        Effect = "Allow"
+        Action = [
+          "ecr:GetAuthorizationToken"
+        ],
+        Resource = ["*"]
+      },
+      # {
+      #   Sid    = "AllowECRPush"
+      #   Effect = "Allow"
+      #   Action = [
+      #     "ecr:BatchCheckLayerAvailability",
+      #     "ecr:CompleteLayerUpload",
+      #     "ecr:InitiateLayerUpload",
+      #     "ecr:PutImage",
+      #     "ecr:UploadLayerPart"
+      #   ]
+      #   Resource = [aws_ecr_repository.lambda_container_repo.arn]
+      # }
+    ]
+  })
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "github_actions_s3" {
+  role       = aws_iam_role.rb_gha_s3_ecr.name
+  policy_arn = aws_iam_policy.rb_gha.arn
+}
+
+resource "aws_iam_role" "pexels_image_scraper_lambda_exec" {
+  name = "rb_pexels_image_scraper_lambda_exec"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Action = "sts:AssumeRole",
+      Effect = "Allow",
+      Principal = {
+        Service = "lambda.amazonaws.com"
+      }
+    }]
+  })
+}
+
+resource "aws_iam_policy" "pexels_image_scraper_lambda_custom" {
+  name        = "rbPexelsImageScraperLambdaCustomPolicy"
+  description = "Custom policy for the Pexels Image Scraper Lambda function"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "AllowS3ReadWrite"
+        Effect = "Allow"
+        Action = [
+          "s3:PutObject",
+        ]
+        Resource = [
+          "${aws_s3_bucket.rb_website_bucket.arn}/${var.s3_website_prefix}/data/*"
+        ]
+      },
+      {
+        Sid    = "AllowCloudFrontInvalidation"
+        Effect = "Allow"
+        Action = [
+          "cloudfront:CreateInvalidation",
+          "cloudfront:GetInvalidation"
+        ]
+        Resource = [
+          aws_cloudfront_distribution.rb_website.arn
+        ]
+      },
+    ]
+  })
+}
+
+
+resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
+  role       = aws_iam_role.pexels_image_scraper_lambda_exec.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+resource "aws_iam_role_policy_attachment" "pexels_image_scraper_lambda_custom_attach" {
+  role       = aws_iam_role.pexels_image_scraper_lambda_exec.name
+  policy_arn = aws_iam_policy.pexels_image_scraper_lambda_custom.arn
+}

apps/railgunbreaker/usw2dev/outputs.tf

@@ -0,0 +1,59 @@
+output "s3_bucket_name" {
+  description = "Name of the S3 bucket for the rb website"
+  value       = aws_s3_bucket.rb_website_bucket.bucket
+}
+
+output "s3_bucket_arn" {
+  description = "ARN of the S3 bucket for the rb website"
+  value       = aws_s3_bucket.rb_website_bucket.arn
+}
+
+output "s3_bucket_domain_name" {
+  description = "Domain name of the S3 bucket"
+  value       = aws_s3_bucket.rb_website_bucket.bucket_regional_domain_name
+}
+
+output "rb_website_github_actions_role_arn" {
+  description = "ARN of the IAM role for GitHub Actions with S3 read/write access to the rb bucket and ECR access"
+  value       = aws_iam_role.rb_gha_s3_ecr.arn
+}
+
+output "cloudfront_distribution_id" {
+  description = "ID of the CloudFront distribution"
+  value       = aws_cloudfront_distribution.rb_website.id
+}
+
+output "cloudfront_domain_name" {
+  description = "Domain name of the CloudFront distribution to access the website"
+  value       = aws_cloudfront_distribution.rb_website.domain_name
+}
+
+output "acm_certificate_arn" {
+  description = "ARN of the ACM certificate for the custom domain (shared wildcard cert - us-east-1)"
+  value       = data.terraform_remote_state.dns.outputs.wildcard_certificate_arn_us_east_1
+}
+
+output "acm_certificate_domain_name" {
+  description = "Domain name covered by the ACM certificate (shared wildcard cert)"
+  value       = data.terraform_remote_state.dns.outputs.wildcard_certificate_domain
+}
+
+output "acm_certificate_subject_alternative_names" {
+  description = "Subject alternative names covered by the ACM certificate (shared wildcard cert)"
+  value       = [data.terraform_remote_state.dns.outputs.wildcard_certificate_domain]
+}
+
+# output "lambda_ecr_repository_url" {
+#   description = "URL of the ECR repository for the lambda container image"
+#   value       = aws_ecr_repository.lambda_container_repo.repository_url
+# }
+
+# output "lambda_ecr_repository_arn" {
+#   description = "ARN of the ECR repository for the lambda container image"
+#   value       = aws_ecr_repository.lambda_container_repo.arn
+# }
+
+# output "event_bridge_rule_name" {
+#   description = "Name of the EventBridge rule that triggers the Pexels image scraper lambda"
+#   value       = aws_cloudwatch_event_rule.pexels_scraper_periodic.name
+# }

apps/railgunbreaker/usw2dev/providers.tf

@@ -0,0 +1,20 @@
+provider "aws" {
+  region = var.aws_region
+  default_tags {
+    tags = {
+      Project = "rb-website"
+      Env     = var.env_name
+    }
+  }
+}
+
+provider "aws" {
+  alias  = "us-east-1"
+  region = "us-east-1"
+  default_tags {
+    tags = {
+      Project = "rb-website"
+      Env     = var.env_name
+    }
+  }
+}

apps/railgunbreaker/usw2dev/remote_backend.tf

@@ -0,0 +1,19 @@
+terraform {
+  required_version = ">= 1.9.0"
+
+  cloud {
+    organization = "perry-zhu-aws"
+
+    workspaces {
+      project = "aws"
+      name    = "railgunbreaker-usw2dev"
+    }
+  }
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}

apps/railgunbreaker/usw2dev/remote_states.tf

@@ -0,0 +1,21 @@
+data "terraform_remote_state" "iam" {
+  backend = "remote"
+
+  config = {
+    organization = "perry-zhu-aws"
+    workspaces = {
+      name = "common-iam"
+    }
+  }
+}
+
+data "terraform_remote_state" "dns" {
+  backend = "remote"
+
+  config = {
+    organization = "perry-zhu-aws"
+    workspaces = {
+      name = "common-dns"
+    }
+  }
+}