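# Hugo static site hosted on AWS Amplify, deployed by Gitea CI through a
# short-retention S3 staging bucket. Outputs expose the CI user's access key.

provider "aws" {
  region = "eu-central-1"
}

data "aws_caller_identity" "current" {}

# --- Amplify app, production branch and custom domain ------------------------

resource "aws_amplify_app" "hugo_pages" {
  name     = "hugo-pages"
  platform = "WEB"
}

resource "aws_amplify_branch" "prod" {
  app_id      = aws_amplify_app.hugo_pages.id
  branch_name = "prod"
  stage       = "PRODUCTION"
}

resource "aws_amplify_domain_association" "hugo_pages_domain" {
  app_id      = aws_amplify_app.hugo_pages.id
  domain_name = "pages.kharec.info"

  # Empty prefix maps the apex of the domain to the prod branch.
  sub_domain {
    branch_name = aws_amplify_branch.prod.branch_name
    prefix      = ""
  }

  wait_for_verification = true
}

# --- S3 staging bucket for deployment artifacts -------------------------------

resource "aws_s3_bucket" "amplify_deployments" {
  bucket = "hugo-pages-amplify-deployments"
}

# Deployment archives are transient: Amplify reads them once at deploy time,
# so anything older than a week is garbage.
resource "aws_s3_bucket_lifecycle_configuration" "amplify_deployments" {
  bucket = aws_s3_bucket.amplify_deployments.id

  rule {
    id     = "delete-old-deployments"
    status = "Enabled"

    expiration {
      days = 7
    }
  }
}

# Versioning stays off; the lifecycle rule above is the only retention policy,
# and enabled versioning would keep expired objects around as non-current versions.
resource "aws_s3_bucket_versioning" "amplify_deployments" {
  bucket = aws_s3_bucket.amplify_deployments.id

  versioning_configuration {
    status = "Disabled"
  }
}

# The bucket only ever needs to be read by the Amplify service principal and
# written by the CI user, so public access is blocked explicitly rather than
# relying on the account-level default.
resource "aws_s3_bucket_public_access_block" "amplify_deployments" {
  bucket = aws_s3_bucket.amplify_deployments.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Grants the Amplify service read access to deployment archives. The
# aws:SourceAccount condition prevents another account's Amplify app from
# pulling objects from this bucket (confused-deputy guard).
# NOTE(review): if Amplify also honours aws:SourceArn for this call, scoping the
# condition to aws_amplify_app.hugo_pages.arn would be tighter — confirm before
# adding it.
resource "aws_s3_bucket_policy" "amplify_deployments" {
  bucket = aws_s3_bucket.amplify_deployments.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AllowAmplifyReadAccess"
        Effect = "Allow"
        Principal = {
          Service = "amplify.amazonaws.com"
        }
        Action = [
          "s3:GetObject",
          "s3:GetObjectAcl"
        ]
        Resource = "${aws_s3_bucket.amplify_deployments.arn}/*"
        Condition = {
          StringEquals = {
            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
          }
        }
      }
    ]
  })
}

# --- CI identity: least-privilege policy, user and access key ----------------

# Permissions the Gitea CI job needs: upload the archive to the staging bucket,
# then create and start an Amplify deployment for the prod branch only.
# All resources are pinned to this bucket / app / branch; nothing is wildcarded
# at the account level.
# NOTE(review): s3:PutObjectAcl / s3:GetObjectAcl are only needed if the CI job
# sets object ACLs; with bucket-owner-enforced object ownership they are no-ops
# and could be dropped — confirm against the deploy script.
resource "aws_iam_policy" "amplify_deployment" {
  name        = "HugoAmplifyDeploymentPolicy"
  description = "Policy for Gitea CI to deploy Hugo site to AWS Amplify"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "S3DeploymentBucketAccess"
        Effect = "Allow"
        Action = [
          "s3:PutObject",
          "s3:PutObjectAcl",
          "s3:GetObject",
          "s3:GetObjectAcl"
        ]
        Resource = "${aws_s3_bucket.amplify_deployments.arn}/*"
      },
      {
        Sid    = "S3ListDeploymentBucket"
        Effect = "Allow"
        Action = [
          "s3:ListBucket"
        ]
        Resource = aws_s3_bucket.amplify_deployments.arn
      },
      {
        Sid    = "AmplifyAppAndBranchAccess"
        Effect = "Allow"
        Action = [
          "amplify:GetApp",
          "amplify:GetBranch"
        ]
        Resource = [
          aws_amplify_app.hugo_pages.arn,
          "${aws_amplify_app.hugo_pages.arn}/branches/${aws_amplify_branch.prod.branch_name}"
        ]
      },
      {
        Sid    = "AmplifyDeploymentAccess"
        Effect = "Allow"
        Action = [
          "amplify:StartDeployment",
          "amplify:CreateDeployment"
        ]
        Resource = [
          "${aws_amplify_app.hugo_pages.arn}/branches/${aws_amplify_branch.prod.branch_name}/deployments/*",
          "${aws_amplify_app.hugo_pages.arn}/branches/${aws_amplify_branch.prod.branch_name}/deployments/start"
        ]
      }
    ]
  })
}

resource "aws_iam_user" "amplify_deployment" {
  name = "hugo-amplify-deployment"
}

resource "aws_iam_user_policy_attachment" "amplify_deployment" {
  user       = aws_iam_user.amplify_deployment.name
  policy_arn = aws_iam_policy.amplify_deployment.arn
}

# Long-lived access key for the CI user. The secret is written to Terraform
# state in plaintext regardless of output sensitivity, so the state backend
# must be encrypted and access-controlled; rotate the key by tainting this
# resource. A federated (OIDC) role would avoid a static credential entirely
# if the CI runner supports it.
resource "aws_iam_access_key" "amplify_deployment" {
  user = aws_iam_user.amplify_deployment.name
}

# --- Outputs -----------------------------------------------------------------

# The key ID alone is not a secret, but it still identifies the CI principal;
# it is left non-sensitive so it can be copied from plain `terraform output`.
output "deployment_access_key_id" {
  value       = aws_iam_access_key.amplify_deployment.id
  description = "AWS Access Key ID for Gitea CI deployment"
  sensitive   = false
}

# Marked sensitive so the secret is redacted from plan/apply output; it is
# still readable via `terraform output -raw` and present in state.
output "deployment_secret_access_key" {
  value       = aws_iam_access_key.amplify_deployment.secret
  description = "AWS Secret Access Key for Gitea CI deployment"
  sensitive   = true
}

output "s3_bucket_name" {
  value       = aws_s3_bucket.amplify_deployments.bucket
  description = "S3 bucket name for deployment artifacts"
}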