From 5cb11a773570700e9006082dd77b0877b5ed5190 Mon Sep 17 00:00:00 2001 From: Mihai PLESA Date: Wed, 21 Apr 2021 17:54:08 -0500 Subject: [PATCH] fixes for website bucket deployment --- .build-harness | 2 +- README.md | 19 +++++++++++++++++-- README.yaml | 11 +++++++++++ docs/terraform.md | 2 ++ main.tf | 29 +++++++++++++++++++++++++++-- variables.tf | 6 ++++++ 6 files changed, 64 insertions(+), 5 deletions(-) diff --git a/.build-harness b/.build-harness index d68b5d2..a03eff8 100644 --- a/.build-harness +++ b/.build-harness @@ -120,7 +120,7 @@ build-harness/shell-slim builder-slim: build-harness/runner pr/auto-format pr/readme pr/pre-commit tf14-upgrade : ENTRYPOINT := /usr/bin/make pr/auto-format pr/auto-format/host: ARGS := terraform/fmt readme -pr/readme pr/readme/host: ARGS := readme +pr/readme pr/readme/host: ARGS := readme/deps readme pr/auto-format pr/readme: build-harness/runner pr/auto-format/host pr/readme/host: $(MAKE) $(ARGS) diff --git a/README.md b/README.md index 5812db1..c696cda 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,4 @@ + # terraform-aws-cicd [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-cicd.svg)](https://github.com/cloudposse/terraform-aws-cicd/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com) @@ -51,7 +52,6 @@ and pushes the ``Docker`` image to an ``ECR`` repository. This is used when we w To activate this mode, don't specify the ``app`` and ``env`` attributes for the module. - http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html - --- This project is part of our comprehensive ["SweetOps"](https://cpco.io/sweetops) approach towards DevOps. 
@@ -82,7 +82,6 @@ We literally have [*hundreds of terraform modules*][terraform_modules] that are - ## Security & Compliance [](https://bridgecrew.io/) Security scanning is graciously provided by Bridgecrew. Bridgecrew is the leading fully hosted, cloud-native solution providing continuous Terraform security and compliance. @@ -315,6 +314,7 @@ Available targets: | [aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_region.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_s3_bucket.website](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source | ## Inputs @@ -364,6 +364,7 @@ Available targets: | [webhook\_filter\_json\_path](#input\_webhook\_filter\_json\_path) | The JSON path to filter on | `string` | `"$.ref"` | no | | [webhook\_filter\_match\_equals](#input\_webhook\_filter\_match\_equals) | The value to match on (e.g. refs/heads/{Branch}) | `string` | `"refs/heads/{Branch}"` | no | | [webhook\_target\_action](#input\_webhook\_target\_action) | The name of the action in a pipeline you want to connect to the webhook. The action must be from the source (first) stage of the pipeline | `string` | `"Source"` | no | +| [website\_bucket\_acl](#input\_website\_bucket\_acl) | Canned ACL of the S3 bucket objects that get served as a website, can be private if using CloudFront with OAI | `string` | `"public-read"` | no | | [website\_bucket\_name](#input\_website\_bucket\_name) | Name of the S3 bucket where the website will be deployed | `string` | `""` | no | ## Outputs 
@@ -383,6 +384,20 @@ Available targets: +## Share the Love + +Like this project? Please give it a ★ on [our GitHub](https://github.com/cloudposse/terraform-aws-cicd)! (it helps us **a lot**) + +Are you using this project or any of our other projects? Consider [leaving a testimonial][testimonial]. =) + + +## Related Projects + +Check out these related projects. + + + + ## Help **Got a question?** We got answers. diff --git a/README.yaml b/README.yaml index a4a8d3d..71a13fd 100644 --- a/README.yaml +++ b/README.yaml @@ -5,6 +5,7 @@ # Name of this project name: terraform-aws-cicd + # Tags of this project tags: - aws @@ -15,16 +16,20 @@ tags: - codebuild - continuous-integration - continuous-delivery + # Categories of this project categories: - terraform-modules/cicd + # Logo for this project #logo: docs/logo.png # License of this project license: "APACHE2" + # Canonical GitHub repo github_repo: cloudposse/terraform-aws-cicd + # Badges to display badges: - name: "Latest Release" @@ -33,6 +38,9 @@ badges: - name: "Slack Community" image: "https://slack.cloudposse.com/badge.svg" url: "https://slack.cloudposse.com" + +related: + # Short description of this project description: |- Terraform module to create AWS [`CodePipeline`](https://aws.amazon.com/codepipeline/) with [`CodeBuild`](https://aws.amazon.com/codebuild/) for [`CI/CD`](https://en.wikipedia.org/wiki/CI/CD) @@ -58,6 +66,7 @@ description: |- and pushes the ``Docker`` image to an ``ECR`` repository. This is used when we want to build a ``Docker`` image from the code and push it to ``ECR`` without deploying to ``Elastic Beanstalk``. To activate this mode, don't specify the ``app`` and ``env`` attributes for the module. - http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html + # How to use this project usage: |- Include this repository as a module in your existing terraform code: @@ -114,6 +123,7 @@ usage: |- }] } ``` + # Example usage examples: |- ### Example: GitHub, NodeJS, S3 and EB 
@@ -202,6 +212,7 @@ examples: |-
   include:
     - "docs/targets.md"
     - "docs/terraform.md"
+
 # Contributors to this project
 contributors:
   - name: "Erik Osterman"
diff --git a/docs/terraform.md b/docs/terraform.md
index af32ea1..b5dcdab 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -44,6 +44,7 @@
 | [aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_s3_bucket.website](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
 
 ## Inputs
 
@@ -93,6 +94,7 @@
 | [webhook\_filter\_json\_path](#input\_webhook\_filter\_json\_path) | The JSON path to filter on | `string` | `"$.ref"` | no |
 | [webhook\_filter\_match\_equals](#input\_webhook\_filter\_match\_equals) | The value to match on (e.g. refs/heads/{Branch}) | `string` | `"refs/heads/{Branch}"` | no |
 | [webhook\_target\_action](#input\_webhook\_target\_action) | The name of the action in a pipeline you want to connect to the webhook. The action must be from the source (first) stage of the pipeline | `string` | `"Source"` | no |
+| [website\_bucket\_acl](#input\_website\_bucket\_acl) | Canned ACL of the S3 bucket objects that get served as a website, can be private if using CloudFront with OAI | `string` | `"public-read"` | no |
 | [website\_bucket\_name](#input\_website\_bucket\_name) | Name of the S3 bucket where the website will be deployed | `string` | `""` | no |
 
 ## Outputs
diff --git a/main.tf b/main.tf
index 50fd665..2b4c1d3 100644
--- a/main.tf
+++ b/main.tf
@@ -125,6 +125,11 @@ resource "aws_iam_policy" "s3" {
   policy = join("", data.aws_iam_policy_document.s3.*.json)
 }
 
+data "aws_s3_bucket" "website" {
+  count = local.enabled && var.website_bucket_name != "" ? 1 : 0
+  bucket = var.website_bucket_name
+}
+
 data "aws_iam_policy_document" "s3" {
   count = local.enabled ? 1 : 0
 
@@ -139,13 +144,33 @@ data "aws_iam_policy_document" "s3" {
     ]
 
     resources = [
-      join("", aws_s3_bucket.default.*.arn),
       "${join("", aws_s3_bucket.default.*.arn)}/*",
+      join("", aws_s3_bucket.default.*.arn),
       "arn:aws:s3:::elasticbeanstalk*"
     ]
 
     effect = "Allow"
   }
+
+  dynamic "statement" {
+    for_each = var.website_bucket_name != "" ? ["true"] : []
+    sid = ""
+
+    actions = [
+      "s3:GetObject",
+      "s3:GetObjectVersion",
+      "s3:GetBucketVersioning",
+      "s3:PutObject",
+      "s3:PutObjectAcl",
+    ]
+
+    resources = [
+      "${join("", data.aws_s3_bucket.website.*.arn)}/*",
+      join("", data.aws_s3_bucket.website.*.arn)
+    ]
+
+    effect = "Allow"
+  }
 }
 
 resource "aws_iam_role_policy_attachment" "codebuild" {
@@ -306,7 +331,7 @@ resource "aws_codepipeline" "default" {
       configuration = {
         BucketName = var.website_bucket_name
         Extract = "true"
-        CannedACL = "public-read"
+        CannedACL = var.website_bucket_acl
       }
     }
   }
diff --git a/variables.tf b/variables.tf
index 2819a55..f9c5654 100644
--- a/variables.tf
+++ b/variables.tf
@@ -183,3 +183,9 @@ variable "website_bucket_name" {
   default = ""
   description = "Name of the S3 bucket where the website will be deployed"
 }
+
+variable "website_bucket_acl" {
+  type = string
+  default = "public-read"
+  description = "Canned ACL of the S3 bucket objects that get served as a website, can be private if using CloudFront with OAI"
+}
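Review bot: The new website `dynamic "statement"` in `data.aws_iam_policy_document.s3` grants `s3:PutObject` and `s3:PutObjectAcl` on the deploy bucket with no condition, so whoever holds this policy can apply any canned ACL to any object there, whatever `website_bucket_acl` is set to; on a bucket that is meant to stay private behind CloudFront with OAI that is wider than the deploy action needs. Since the deploy action only ever sets the configured ACL, the two write actions could move to their own statement with a condition on `s3:x-amz-acl` pinned to `var.website_bucket_acl`, keeping the read actions unconditioned so the missing-key case does not break them. Whether CodePipeline applies the ACL on the PutObject call or with a separate PutObjectAcl call is not visible here, so confirm that before tightening; a change of this shape is sketched below. As a style point, this statement lists the `/*` ARN before the bucket ARN while the default-bucket statement just above was reordered to the opposite order in the same hunk.
```hcl
  # … unchanged: first website statement, with "s3:PutObject" and "s3:PutObjectAcl" dropped from its actions …

  dynamic "statement" {
    for_each = var.website_bucket_name != "" ? ["true"] : []
    sid      = ""

    actions = [
      "s3:PutObject",
      "s3:PutObjectAcl",
    ]

    resources = [
      "${join("", data.aws_s3_bucket.website.*.arn)}/*",
    ]

    # Only the canned ACL the deploy action is configured with may be applied
    condition {
      test     = "StringEqualsIfExists"
      variable = "s3:x-amz-acl"
      values   = [var.website_bucket_acl]
    }

    effect = "Allow"
  }
```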
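Review bot: `website_bucket_acl` is declared as an unconstrained `string` and passed straight into the deploy action's `CannedACL` in main.tf, so a misspelled or non-canned value is only discovered when the pipeline's deploy stage fails rather than at plan time. If the module's minimum Terraform version is 0.13 or later (the `.build-harness` hunk's `tf14-upgrade` target suggests it may be), a `validation` block restricting the value to S3 canned ACLs would surface this at plan time, as sketched below; trim the list if the S3 deploy action accepts a narrower set. The description should also tell users that the default `public-read` is rejected by a bucket with S3 Block Public Access enabled, e.g. append `; buckets with Block Public Access enabled require private`.
```hcl
variable "website_bucket_acl" {
  type        = string
  default     = "public-read"
  description = "Canned ACL of the S3 bucket objects that get served as a website, can be private if using CloudFront with OAI"

  validation {
    # S3 canned ACL names; adjust to the subset the S3 deploy action accepts if it is narrower
    condition     = contains(["private", "public-read", "public-read-write", "authenticated-read", "aws-exec-read", "bucket-owner-read", "bucket-owner-full-control"], var.website_bucket_acl)
    error_message = "The website_bucket_acl value must be a valid S3 canned ACL."
  }
}
```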