From cddf21c9d0b4b36b49ca7476690380867f26e25b Mon Sep 17 00:00:00 2001 From: Jonathan Wright Date: Sun, 12 Nov 2017 18:29:38 +0000 Subject: [PATCH 1/3] Clarify description of the content bucket output of the module --- outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/outputs.tf b/outputs.tf index 1fe384d..f6b5288 100644 --- a/outputs.tf +++ b/outputs.tf @@ -4,7 +4,7 @@ output "hostname" { } output "s3_bucket_name" { - description = "The name of the S3 bucket to upload the website content to." + description = "The name of the S3 content bucket to upload the website content to." value = "${aws_s3_bucket.content.id}" } From 37d06914f4b4c7f192babee5655d4d26958ced18 Mon Sep 17 00:00:00 2001 From: Jonathan Wright Date: Sun, 12 Nov 2017 19:13:55 +0000 Subject: [PATCH 2/3] Add additional output for S3 logging bucket name --- outputs.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/outputs.tf b/outputs.tf index f6b5288..0d11d16 100644 --- a/outputs.tf +++ b/outputs.tf @@ -8,6 +8,11 @@ output "s3_bucket_name" { value = "${aws_s3_bucket.content.id}" } +output "s3_logging_name" { + description = "The name of the S3 logging bucket that access logs will be saved to." + value = "${aws_s3_bucket.logs.id}" +} + output "cloudfront_distribution_id" { description = "The ID of the CloudFront Distribution." value = "${aws_cloudfront_distribution.website.id}" From c6a9caa3c2098be5b9ccb8759ed3d0215efa9c15 Mon Sep 17 00:00:00 2001 
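Review bot: The new output in the second patch is named `s3_logging_name` while its sibling directly above is `s3_bucket_name`, so the name neither says it is a bucket nor follows the existing pattern; `s3_logging_bucket_name` (or `s3_logs_bucket_name`, matching the `aws_s3_bucket.logs` resource it reads) would be consistent. Output names are part of the module's interface and are awkward to rename once callers reference them, so it is worth settling before merge. The `examples/policies/outputs.tf` added in the following patch re-exports every other module output but not this one, which looks like an oversight rather than a choice.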
From: Jonathan Wright Date: Sun, 12 Nov 2017 19:16:34 +0000 Subject: [PATCH 3/3] Add new example to show how to manage access policies This new example shows how to create an IAM group that grants write access to the content bucket, which developers could use to manage the website content. --- examples/policies/README.md | 29 ++++++++++++++++++++ examples/policies/aws.tf | 2 ++ examples/policies/groups.tf | 10 +++++++ examples/policies/main.tf | 15 +++++++++++ examples/policies/outputs.tf | 15 +++++++++++ examples/policies/policies.tf | 50 +++++++++++++++++++++++++++++++++++ 6 files changed, 121 insertions(+) create mode 100644 examples/policies/README.md create mode 100644 examples/policies/aws.tf create mode 100644 examples/policies/groups.tf create mode 100644 examples/policies/main.tf create mode 100644 examples/policies/outputs.tf create mode 100644 examples/policies/policies.tf diff --git a/examples/policies/README.md b/examples/policies/README.md new file mode 100644 index 0000000..ff3ad29 --- /dev/null +++ b/examples/policies/README.md 
@@ -0,0 +1,29 @@
+# Example Usage
+
+The example in this directory is the recommended minimum needed to setup this
+module (i.e. `name` and `hostname`).
+
+## Important
+
+This module will create an encrypted (i.e. HTTPS) endpoint in CloudFront using
+[Amazon Certificate Manager](https://aws.amazon.com/certificate-manager/). ACM
+cannot be automated at this time as it requires manual steps in the approval
+of the domain name before it can be added into the account. Please therefore
+setup the certificate for the domain name you require (and any aliases you may
+include as well) by following the
+[Getting Started](http://docs.aws.amazon.com/acm/latest/userguide/gs.html) guide
+in the AWS Documentation.
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which can cost money (logs stored
+within S3, for example). Run `terraform destroy` when you don't need these
+resources.
diff --git a/examples/policies/aws.tf b/examples/policies/aws.tf
new file mode 100644
index 0000000..1bd5ac4
--- /dev/null
+++ b/examples/policies/aws.tf
@@ -0,0 +1,2 @@
+/* Pull out useful data resources for later processing */
+data "aws_caller_identity" "current" {}
diff --git a/examples/policies/groups.tf b/examples/policies/groups.tf
new file mode 100644
index 0000000..6192783
--- /dev/null
+++ b/examples/policies/groups.tf
@@ -0,0 +1,10 @@
+resource "aws_iam_group" "content_upload" {
+ name = "WebsiteDevelopers"
+}
+
+resource "aws_iam_group_policy" "content_upload" {
+ name = "WebsiteDeveloperAccess"
+ group = "${aws_iam_group.content_upload.id}"
+
+ policy = "${data.aws_iam_policy_document.content_upload.json}"
+}
diff --git a/examples/policies/main.tf b/examples/policies/main.tf
new file mode 100644
index 0000000..be00e1d
--- /dev/null
+++ b/examples/policies/main.tf
@@ -0,0 +1,15 @@
+provider "aws" {
+ region = "eu-west-2"
+}
+
+module "website" {
+ source = "../../"
+
+ name = "my-first-website"
+ hostname = "example.com"
+
+ tags {
+ Domain = "example.com"
+ Owner = "webmaster@example.com"
+ }
+}
diff --git a/examples/policies/outputs.tf b/examples/policies/outputs.tf
new file mode 100644
index 0000000..13e7e3b
--- /dev/null
+++ b/examples/policies/outputs.tf
@@ -0,0 +1,15 @@
+output "hostname" {
+ value = "${module.website.hostname}"
+}
+
+output "s3_bucket_name" {
+ value = "${module.website.s3_bucket_name}"
+}
+
+output "cloudfront_distribution_id" {
+ value = "${module.website.cloudfront_distribution_id}"
+}
+
+output "cloudfront_distribution_hostname" {
+ value = "${module.website.cloudfront_distribution_hostname}"
+}
diff --git a/examples/policies/policies.tf b/examples/policies/policies.tf
new file mode 100644
index 0000000..76eda7b
--- /dev/null
+++ b/examples/policies/policies.tf
@@ -0,0 +1,50 @@
+data "aws_iam_policy_document" "content_upload" {
+ statement {
+ sid = "AllowS3WebsiteWriteAccessCurrentUser"
+ effect = "Allow"
+
+ principals {
+ type = "AWS"
+
+ identifiers = [
+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/$${aws:username}",
+ ]
+ }
+
+ actions = [
+ "s3:DeleteObject",
+ "s3:DeleteObjectTagging",
+ "s3:Get*",
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:PutObjectTagging",
+ "s3:RestoreObject",
+ ]
+
+ resources = [
+ "arn:aws:s3:::${module.website.s3_bucket_name}/*",
+ ]
+ }
+
+ statement {
+ sid = "AllowS3WebsiteBucketAccessCurrentUser"
+ effect = "Allow"
+
+ principals {
+ type = "AWS"
+
+ identifiers = [
+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/$${aws:username}",
+ ]
+ }
+
+ actions = [
+ "s3:ListBucket",
+ "s3:ListBucketVersions",
+ ]
+
+ resources = [
+ "arn:aws:s3:::${module.website.s3_bucket_name}",
+ ]
+ }
+}
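Review bot: Both statements in `data.aws_iam_policy_document.content_upload` carry a `principals` block, yet the document is attached as an identity-based policy through `aws_iam_group_policy` in groups.tf, and IAM does not accept a Principal element in identity-based policies (the API returns a "should not specify a principal" MalformedPolicyDocument error), so `terraform apply` of this example is expected to fail at the group policy. Delete both `principals { ... }` blocks: an inline group policy already applies to the group's members, and the `${aws:username}` policy variable belongs in a resource path or a condition, not in a principal ARN, so the `...CurrentUser` sids would also read better as `...WebsiteDevelopers`. Separately, `s3:PutObjectAcl` lets a group member set `public-read` on objects behind the CloudFront distribution; the example does not show whether the module's content bucket blocks public ACLs, so if content should only be reachable through CloudFront, drop that action or constrain it with a `StringEquals` condition on `s3:x-amz-acl`.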