Re-add OAI

bcgov · Nov 27, 2024 · fd7b880 · fd7b880
1 parent 599234d
commit fd7b880
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 1 deletion.
diff --git a/terraform/iam.tf b/terraform/iam.tf
@@ -129,7 +129,7 @@ resource "aws_iam_role" "github_actions_role" {
       {
         Effect = "Allow"
         Principal = {
-          Federated = data.aws_iam_openid_connect_provider.github_actions.arn
+          Federated = aws_iam_openid_connect_provider.github_actions.arn
         }
         Action = "sts:AssumeRoleWithWebIdentity"
         Condition = {

diff --git a/terraform/s3.tf b/terraform/s3.tf
@@ -38,6 +38,49 @@ resource "aws_s3_bucket_policy" "wfprev_site_bucket_policy" {
   })
 }
 
+resource "aws_cloudfront_origin_access_identity" "oai" {
+  comment = "OAI for WFPREV site."
+}
+resource "aws_cloudfront_distribution" "s3_distribution" {
+  enabled             = true
+  is_ipv6_enabled     = true
+  comment             = "Distribution for WFPREV site."
+  default_root_object = "index.html"
+  origin {
+    domain_name = aws_s3_bucket.wfprev_site_bucket.bucket_regional_domain_name
+    origin_id   = aws_s3_bucket.wfprev_site_bucket.bucket
+    s3_origin_config {
+      origin_access_identity = aws_cloudfront_origin_access_identity.oai.cloudfront_access_identity_path
+    }
+  }
+  default_cache_behavior {
+    allowed_methods  = ["GET", "HEAD"]
+    cached_methods   = ["GET", "HEAD"]
+    target_origin_id = aws_s3_bucket.wfprev_site_bucket.bucket
+    forwarded_values {
+      query_string = false
+      cookies {
+        forward = "none"
+      }
+    }
+    viewer_protocol_policy = "redirect-to-https"
+    min_ttl                = 0
+    default_ttl            = 3600
+    max_ttl                = 86400
+  }
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+  viewer_certificate {
+    cloudfront_default_certificate = true
+  }
+  tags = {
+    Name = "wfprev-distribution"
+  }
+}
+
 output "s3_bucket_name" {
   value = aws_s3_bucket.wfprev_site_bucket.bucket
 }