initial commit [WIP]

2020-03-17 03:54:15 +00:00
commit 42786bdd92
35 changed files with 1555 additions and 0 deletions
--- a/deploy/clear-cache.sh
+++ b/deploy/clear-cache.sh
@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -e
+
+# shellcheck disable=SC1090
+. "$( dirname "${BASH_SOURCE[0]}" )/shared-functions"
+
+DISTRIBUTION=$(get-output site CloudfrontDistribution)
+INVALIDATION=$(aws cloudfront create-invalidation --paths '/*' --distribution-id "$DISTRIBUTION" --query Invalidation.Id --output text)
+aws cloudfront wait invalidation-completed --distribution-id "$DISTRIBUTION" --id "$INVALIDATION"
--- a/deploy/cloudformation/certificate.yaml
+++ b/deploy/cloudformation/certificate.yaml
@ -0,0 +1,22 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Template for an SSL certificate (must be deployed in us-east-1 for cloudfront)
+Metadata:
+  License: magnet:?xt=urn:btih:1f739d935676111cfff4b4693e3816e664797050&dn=gpl-3.0.txt GPL-v3-or-Later
+
+Parameters:
+  SiteName:
+    Type: String
+    Description: Name for the site
+    AllowedPattern: '[a-zA-Z0-9-.]{1,63}'
+    ConstraintDescription: must be a valid DNS name.
+
+Resources:
+  Certificate:
+    Type: AWS::CertificateManager::Certificate
+    Properties:
+      DomainName: !Ref SiteName
+      ValidationMethod: DNS
+
+Outputs:
+  CertificateARN:
+    Value: !Ref Certificate
--- a/deploy/cloudformation/roles.yaml
+++ b/deploy/cloudformation/roles.yaml
@ -0,0 +1,94 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Iam Roles for account running a static S3 website with cloudfront (IAMAdmin, Admin, S3Admin/User)
+Metadata:
+  License: magnet:?xt=urn:btih:1f739d935676111cfff4b4693e3816e664797050&dn=gpl-3.0.txt GPL-v3-or-Later
+
+Resources:
+  IAMAdmin:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: IAMAdmin
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
+        - arn:aws:iam::aws:policy/IAMFullAccess
+        - arn:aws:iam::aws:policy/ReadOnlyAccess
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              AWS: arn:aws:iam::212707113393:root
+            Action: sts:AssumeRole
+          - Effect: Allow
+            Principal:
+              Federated:
+                - !Sub arn:aws:iam::${AWS::AccountId}:saml-provider/Google
+            Action: sts:AssumeRoleWithSAML
+            Condition:
+              StringEquals:
+                SAML:aud: https://signin.aws.amazon.com/saml
+  Admin:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: Admin
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/ReadOnlyAccess
+        - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
+        - arn:aws:iam::aws:policy/AmazonS3FullAccess
+        - arn:aws:iam::aws:policy/AmazonRoute53FullAccess
+        - arn:aws:iam::aws:policy/CloudFrontFullAccess
+        - arn:aws:iam::aws:policy/AWSCertificateManagerFullAccess
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              AWS: arn:aws:iam::212707113393:root
+            Action: sts:AssumeRole
+          - Effect: Allow
+            Principal:
+              Federated:
+                - !Sub arn:aws:iam::${AWS::AccountId}:saml-provider/Google
+            Action: sts:AssumeRoleWithSAML
+            Condition:
+              StringEquals:
+                SAML:aud: https://signin.aws.amazon.com/saml
+  User:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: User
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/ReadOnlyAccess
+        - !Ref UserPolicy
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              AWS: arn:aws:iam::212707113393:root
+            Action: sts:AssumeRole
+          - Effect: Allow
+            Principal:
+              Federated:
+                - !Sub arn:aws:iam::${AWS::AccountId}:saml-provider/Google
+            Action: sts:AssumeRoleWithSAML
+            Condition:
+              StringEquals:
+                SAML:aud: https://signin.aws.amazon.com/saml
+
+  UserPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      Description: Grants Access to Created/Update/Delete S3 Objects & Clear Cloudfront caches
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Action:
+              - s3:DeleteObject
+              - s3:PutObject
+            Resource: 'arn:aws:s3:::*/*'
+
+          - Effect: Allow
+            Action: cloudfront:CreateInvalidation
+            Resource: '*'
--- a/deploy/cloudformation/site.yaml
+++ b/deploy/cloudformation/site.yaml
@ -0,0 +1,99 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Template will deploy an s3 bucket, Route53Zone & SSL certificate to host a static website
+Metadata:
+  License: magnet:?xt=urn:btih:1f739d935676111cfff4b4693e3816e664797050&dn=gpl-3.0.txt GPL-v3-or-Later
+
+Parameters:
+  SiteName:
+    Type: String
+    Description: Name for the site
+    AllowedPattern: '[a-zA-Z0-9-.]{1,63}'
+    ConstraintDescription: must be a valid DNS name.
+  CertificateARN:
+    Type: String
+
+Resources:
+  Bucket:
+    Type: AWS::S3::Bucket
+    Properties:
+      BucketName: !Join [-, !Split [., !Ref SiteName]]
+      AccessControl: PublicRead
+      WebsiteConfiguration:
+        ErrorDocument: resume.html
+        IndexDocument: resume.html
+
+  BucketPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref Bucket
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Sid: PublicReadGetObject
+            Effect: Allow
+            Principal: '*'
+            Action: s3:GetObject
+            Resource:
+              - !Sub ${Bucket.Arn}/*
+
+  Route53Zone:
+    Type: AWS::Route53::HostedZone
+    Properties:
+      HostedZoneConfig:
+        Comment: !Sub 'hosted zone for ${SiteName}'
+      Name: !Ref SiteName
+
+  Route53RecordIPv4:
+    Type: AWS::Route53::RecordSet
+    Properties:
+      AliasTarget:
+        DNSName: !GetAtt CloudfrontDistribution.DomainName
+        HostedZoneId: Z2FDTNDATAQYW2
+      HostedZoneId: !Ref Route53Zone
+      Name: !Ref SiteName
+      Type: A
+
+  Route53RecordIPv6:
+    Type: AWS::Route53::RecordSet
+    Properties:
+      AliasTarget:
+        DNSName: !GetAtt CloudfrontDistribution.DomainName
+        HostedZoneId: Z2FDTNDATAQYW2
+      HostedZoneId: !Ref Route53Zone
+      Name: !Ref SiteName
+      Type: AAAA
+
+  CloudfrontDistribution:
+    Type: AWS::CloudFront::Distribution
+    Properties:
+      DistributionConfig:
+        Aliases:
+          - !Ref SiteName
+        Enabled: true
+        HttpVersion: http2
+        IPV6Enabled: true
+        PriceClass: PriceClass_100
+        DefaultRootObject: resume.html
+        ViewerCertificate:
+          AcmCertificateArn: !Ref CertificateARN
+          SslSupportMethod: sni-only
+        Origins:
+          - Id: bucket
+            DomainName: !GetAtt Bucket.RegionalDomainName
+            S3OriginConfig:
+              OriginAccessIdentity: ''
+        DefaultCacheBehavior:
+          DefaultTTL: 3600
+          TargetOriginId: bucket
+          ViewerProtocolPolicy: allow-all
+          Compress: true
+          ForwardedValues:
+            QueryString: false
+
+Outputs:
+  HostedZoneId:
+    Value: !Ref Route53Zone
+  HostedZoneRecords:
+    Value: !Join [",", !GetAtt Route53Zone.NameServers]
+  CloudfrontDistribution:
+    Value: !Ref CloudfrontDistribution
--- a/deploy/deploy-cloudformation.sh
+++ b/deploy/deploy-cloudformation.sh
@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -e
+
+# shellcheck disable=SC1090
+. "$( dirname "${BASH_SOURCE[0]}" )/shared-functions"
+
+export AWS_DEFAULT_REGION=us-east-1
+deploy certificate SiteName="$SITENAME"
+CERT=$(get-output certificate CertificateARN)
+unset AWS_DEFAULT_REGION
+
+deploy site SiteName="$SITENAME" CertificateARN="$CERT"
+
+
--- a/deploy/shared-functions
+++ b/deploy/shared-functions
@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+SITENAME=$1
+PROJECT=${SITENAME//./}
+
+CFN_DIR="$( dirname "${BASH_SOURCE[0]}" )/cloudformation"
+DEPLOY_CMD="aws cloudformation deploy --no-fail-on-empty-changeset --tags Classification=Public Site=$SITENAME"
+
+deploy() {
+  # shellcheck disable=SC2145
+  echo "deploying $1 [${@:2}]"
+  # shellcheck disable=SC2068
+  $DEPLOY_CMD --stack-name "${PROJECT}-$1" --template-file "${CFN_DIR}/$1.yaml" --parameter-overrides ${@:2}
+  aws cloudformation wait stack-exists --stack-name "${PROJECT}-$1"
+}
+
+get-output() {
+  aws cloudformation describe-stacks --stack-name "${PROJECT}-$1" --query "Stacks[0].Outputs[?OutputKey==\`$2\`].OutputValue" --output text
+}