From 804a3469b0a42d1dc867a3792d06f1025fbcf5b5 Mon Sep 17 00:00:00 2001
From: Kharec
Date: Sun, 30 Nov 2025 11:42:00 +0100
Subject: [PATCH] feat: add terraform infra
---
 aws-infra/main.tf | 163 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 163 insertions(+)
 create mode 100644 aws-infra/main.tf
diff --git a/aws-infra/main.tf b/aws-infra/main.tf
new file mode 100644
index 0000000..34c1151
--- /dev/null
+++ b/aws-infra/main.tf
@@ -0,0 +1,163 @@
+provider "aws" {
+ region = "eu-central-1"
+}
+
+resource "aws_amplify_app" "hugo_pages" {
+ name = "hugo-pages"
+ platform = "WEB"
+}
+
+resource "aws_amplify_branch" "prod" {
+ app_id = aws_amplify_app.hugo_pages.id
+ branch_name = "prod"
+ stage = "PRODUCTION"
+}
+
+resource "aws_amplify_domain_association" "hugo_pages_domain" {
+ app_id = aws_amplify_app.hugo_pages.id
+ domain_name = "pages.kharec.info"
+
+ sub_domain {
+ branch_name = aws_amplify_branch.prod.branch_name
+ prefix = ""
+ }
+
+ wait_for_verification = true
+}
+
+resource "aws_s3_bucket" "amplify_deployments" {
+ bucket = "hugo-pages-amplify-deployments"
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "amplify_deployments" {
+ bucket = aws_s3_bucket.amplify_deployments.id
+
+ rule {
+ id = "delete-old-deployments"
+ status = "Enabled"
+
+ expiration {
+ days = 7
+ }
+ }
+}
+
+resource "aws_s3_bucket_versioning" "amplify_deployments" {
+ bucket = aws_s3_bucket.amplify_deployments.id
+ versioning_configuration {
+ status = "Disabled"
+ }
+}
+
+resource "aws_s3_bucket_policy" "amplify_deployments" {
+ bucket = aws_s3_bucket.amplify_deployments.id
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "AllowAmplifyReadAccess"
+ Effect = "Allow"
+ Principal = {
+ Service = "amplify.amazonaws.com"
+ }
+ Action = [
+ "s3:GetObject",
+ "s3:GetObjectAcl"
+ ]
+ Resource = "${aws_s3_bucket.amplify_deployments.arn}/*"
+ Condition = {
+ StringEquals = {
+ "aws:SourceAccount" = data.aws_caller_identity.current.account_id
+ }
+ }
+ }
+ ]
+ })
+}
+
+data "aws_caller_identity" "current" {}
+
+resource "aws_iam_policy" "amplify_deployment" {
+ name = "HugoAmplifyDeploymentPolicy"
+ description = "Policy for Gitea CI to deploy Hugo site to AWS Amplify"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "S3DeploymentBucketAccess"
+ Effect = "Allow"
+ Action = [
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:GetObject",
+ "s3:GetObjectAcl"
+ ]
+ Resource = "${aws_s3_bucket.amplify_deployments.arn}/*"
+ },
+ {
+ Sid = "S3ListDeploymentBucket"
+ Effect = "Allow"
+ Action = [
+ "s3:ListBucket"
+ ]
+ Resource = aws_s3_bucket.amplify_deployments.arn
+ },
+ {
+ Sid = "AmplifyAppAndBranchAccess"
+ Effect = "Allow"
+ Action = [
+ "amplify:GetApp",
+ "amplify:GetBranch"
+ ]
+ Resource = [
+ aws_amplify_app.hugo_pages.arn,
+ "${aws_amplify_app.hugo_pages.arn}/branches/${aws_amplify_branch.prod.branch_name}"
+ ]
+ },
+ {
+ Sid = "AmplifyDeploymentAccess"
+ Effect = "Allow"
+ Action = [
+ "amplify:StartDeployment",
+ "amplify:CreateDeployment"
+ ]
+ Resource = [
+ "${aws_amplify_app.hugo_pages.arn}/branches/${aws_amplify_branch.prod.branch_name}/deployments/*",
+ "${aws_amplify_app.hugo_pages.arn}/branches/${aws_amplify_branch.prod.branch_name}/deployments/start"
+ ]
+ }
+ ]
+ })
+}
+
+resource "aws_iam_user" "amplify_deployment" {
+ name = "hugo-amplify-deployment"
+}
+
+resource "aws_iam_user_policy_attachment" "amplify_deployment" {
+ user = aws_iam_user.amplify_deployment.name
+ policy_arn = aws_iam_policy.amplify_deployment.arn
+}
+
+resource "aws_iam_access_key" "amplify_deployment" {
+ user = aws_iam_user.amplify_deployment.name
+}
+
+output "deployment_access_key_id" {
+ value = aws_iam_access_key.amplify_deployment.id
+ description = "AWS Access Key ID for Gitea CI deployment"
+ sensitive = false
+}
+
+output "deployment_secret_access_key" {
+ value = aws_iam_access_key.amplify_deployment.secret
+ description = "AWS Secret Access Key for Gitea CI deployment"
+ sensitive = true
+}
+
+output "s3_bucket_name" {
+ value = aws_s3_bucket.amplify_deployments.bucket
+ description = "S3 bucket name for deployment artifacts"
+}
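Review bot: The `aws_iam_access_key` "amplify_deployment" resource in this hunk mints a static, non-expiring credential for the CI user and, with no `pgp_key` set, the secret is written in plaintext to the Terraform state regardless of `sensitive = true` on the `deployment_secret_access_key` output, so anyone who can read the state can deploy to the `prod` branch. Prefer an IAM role assumed by the CI system through OIDC federation instead of an IAM user with access keys; if a user is unavoidable, set `pgp_key = "<PGP_PUBLIC_KEY_PLACEHOLDER>"` on the access key so only the encrypted secret lands in state, and document a rotation schedule next to the resource. Separately, the `S3DeploymentBucketAccess` statement grants `s3:PutObjectAcl` and `s3:GetObjectAcl`, which a newly created bucket with default object ownership (ACLs disabled) does not need and which should be dropped to keep the policy at least privilege; the same applies to `s3:GetObjectAcl` in the bucket policy's `AllowAmplifyReadAccess` statement. The bucket policy's `aws:SourceAccount` condition is a reasonable confused-deputy guard but could be narrowed with `aws:SourceArn` set to `aws_amplify_app.hugo_pages.arn` (verify the Amplify service populates it), and the bucket carries no `aws_s3_bucket_public_access_block` or server-side encryption resource, so it relies on account and bucket defaults that are not pinned in code.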