From f3e5844251c1c37b8c7b59cf29c6034c18abf7cf Mon Sep 17 00:00:00 2001
From: Amey Parulekar
Date: Sun, 19 May 2019 20:18:55 -0700
Subject: [PATCH] Add terraform configuration.
---
.gitignore | 2 +
cloudflare.tf | 125 ++++++++++++++++++++++++++++++++++++++++++++++++++
codebuild.tf | 22 +++++++++
pipeline.tf | 65 ++++++++++++++++++++++++++
policy.tf | 69 ++++++++++++++++++++++++++++
providers.tf | 16 +++++++
s3.tf | 64 ++++++++++++++++++++++++++
variables.tf | 27 +++++++++++
webhooks.tf | 29 ++++++++++++
9 files changed, 419 insertions(+)
create mode 100644 .gitignore
create mode 100644 cloudflare.tf
create mode 100644 codebuild.tf
create mode 100644 pipeline.tf
create mode 100644 policy.tf
create mode 100644 providers.tf
create mode 100644 s3.tf
create mode 100644 variables.tf
create mode 100644 webhooks.tf
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..59d0a88
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*.tfvars
+.terraform
\ No newline at end of file
diff --git a/cloudflare.tf b/cloudflare.tf
new file mode 100644
index 0000000..bfafadc
--- /dev/null
+++ b/cloudflare.tf
@@ -0,0 +1,125 @@
+// Zone overrides
+
+resource "cloudflare_zone_settings_override" "root" {
+ name = "${var.root_domain_name}"
+ settings {
+ always_online = "on"
+ always_use_https = "on"
+ automatic_https_rewrites = "on"
+ brotli = "on"
+ http2 = "on"
+ ip_geolocation = "on"
+ ipv6 = "on"
+ opportunistic_encryption = "on"
+ opportunistic_onion = "on"
+ ssl = "flexible"
+ tls_1_3 = "on"
+ websockets = "on"
+ }
+}
+
+// DNS records
+
+resource "cloudflare_record" "cname-mail" {
+ domain = "${var.root_domain_name}"
+ name = "mail.${var.root_domain_name}"
+ value = "ghs.googlehosted.com"
+ proxied = true
+ type = "CNAME"
+}
+
+resource "cloudflare_record" "cname-root" {
+ domain = "${var.root_domain_name}"
+ name = "${var.root_domain_name}"
+ value = "${var.root_domain_name}.s3-website-${var.region}.amazonaws.com"
+ proxied = true
+ type = "CNAME"
+}
+
+resource "cloudflare_record" "cname-www" {
+ domain = "${var.root_domain_name}"
+ name = "${var.www_domain_name}"
+ value = "${var.www_domain_name}.s3-website-${var.region}.amazonaws.com"
+ proxied = true
+ type = "CNAME"
+}
+
+resource "cloudflare_record" "txt-google" {
+ count = "${var.use_google_apps_email}"
+ domain = "${var.root_domain_name}"
+ name = "${var.root_domain_name}"
+ value = "google-site-verification=${var.google_txt_verification}"
+ proxied = false
+ priority = 10
+ type = "TXT"
+}
+
+resource "cloudflare_record" "mx-aspmx-l" {
+ count = "${var.use_google_apps_email}"
+ domain = "${var.root_domain_name}"
+ name = "${var.root_domain_name}"
+ value = "aspmx.l.google.com"
+ proxied = false
+ priority = 10
+ type = "MX"
+}
+
+resource "cloudflare_record" "mx-alt1" {
+ count = "${var.use_google_apps_email}"
+ domain = "${var.root_domain_name}"
+ name = "${var.root_domain_name}"
+ value = "alt1.aspmx.l.google.com"
+ proxied = false
+ priority = 20
+ type = "MX"
+}
+
+resource "cloudflare_record" "mx-alt2" {
+ count = "${var.use_google_apps_email}"
+ domain = "${var.root_domain_name}"
+ name = "${var.root_domain_name}"
+ value = "alt2.aspmx.l.google.com"
+ proxied = false
+ priority = 20
+ type = "MX"
+}
+
+resource "cloudflare_record" "mx-aspmx2" {
+ count = "${var.use_google_apps_email}"
+ domain = "${var.root_domain_name}"
+ name = "${var.root_domain_name}"
+ value = "aspmx2.googlemail.com"
+ proxied = false
+ priority = 30
+ type = "MX"
+}
+
+resource "cloudflare_record" "mx-aspmx3" {
+ count = "${var.use_google_apps_email}"
+ domain = "${var.root_domain_name}"
+ name = "${var.root_domain_name}"
+ value = "aspmx3.googlemail.com"
+ proxied = false
+ priority = 30
+ type = "MX"
+}
+
+resource "cloudflare_record" "mx-aspmx4" {
+ count = "${var.use_google_apps_email}"
+ domain = "${var.root_domain_name}"
+ name = "${var.root_domain_name}"
+ value = "aspmx4.googlemail.com"
+ proxied = false
+ priority = 30
+ type = "MX"
+}
+
+resource "cloudflare_record" "mx-aspmx5" {
+ count = "${var.use_google_apps_email}"
+ domain = "${var.root_domain_name}"
+ name = "${var.root_domain_name}"
+ value = "aspmx5.googlemail.com"
+ proxied = false
+ priority = 30
+ type = "MX"
+}
diff --git a/codebuild.tf b/codebuild.tf
new file mode 100644
index 0000000..f4f741e
--- /dev/null
+++ b/codebuild.tf
@@ -0,0 +1,22 @@
+resource "aws_codebuild_project" "hugo" {
+ name = "${var.project_name}_codebuild"
+ description = "CodeBuild project to build a hugo site."
+ build_timeout = "5"
+ service_role = "${aws_iam_role.hugo.arn}"
+
+ artifacts {
+ type = "CODEPIPELINE"
+ }
+
+ source {
+ type = "CODEPIPELINE"
+ buildspec = "buildspec.yml"
+ }
+
+ environment {
+ compute_type = "BUILD_GENERAL1_SMALL"
+ image = "${var.codebuild_docker_image}"
+ image_pull_credentials_type = "SERVICE_ROLE"
+ type = "LINUX_CONTAINER"
+ }
+}
diff --git a/pipeline.tf b/pipeline.tf
new file mode 100644
index 0000000..ca53a67
--- /dev/null
+++ b/pipeline.tf
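Review bot: `ssl = "flexible"` in the zone override means Cloudflare terminates TLS at the edge and fetches from the S3 website origin over plain HTTP, so `always_use_https` and `automatic_https_rewrites` protect only the client-to-edge leg. That is presumably deliberate because S3 website endpoints do not serve HTTPS, and a one-line comment such as `// "flexible": S3 website endpoints are HTTP-only; switch to "full"/"strict" only after moving the origin behind TLS` would stop a later reader from either "upgrading" it blindly or assuming end-to-end encryption. The `use_google_apps_email`-gated set adds the MX records and the verification TXT but no SPF or DMARC TXT record, so mail claiming to come from the domain carries no sender-authentication policy; a `cloudflare_record` with `value = "v=spf1 include:_spf.google.com ~all"` and `type = "TXT"` under the same `count` guard belongs next to the MX set, with a `_dmarc` record once that is in place. `priority = 10` on `txt-google` has no meaning for a TXT record and can be dropped. `count = "${var.use_google_apps_email}"` only works if the variable is declared as 0/1; variables.tf is not on this page, so I cannot confirm that.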
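Review bot: `service_role = "${aws_iam_role.hugo.arn}"` hands the build the same role that pipeline.tf assigns to the pipeline itself (`role_arn = "${aws_iam_role.hugo.arn}"`), and the build runs `buildspec = "buildspec.yml"` taken from the source repository, so anyone who can push to the source branch executes commands with every permission the pipeline needs rather than only what a Hugo build needs. A separate CodeBuild role scoped to CloudWatch Logs and the artifact bucket would keep a modified buildspec from reaching the pipeline's permissions; the policy.tf hunk that defines `aws_iam_role.hugo` runs past the end of this page, so I cannot see what it currently grants. `image = "${var.codebuild_docker_image}"` with `image_pull_credentials_type = "SERVICE_ROLE"` pulls whatever the variable names, and giving that variable a digest-pinned value (`image@sha256:…`) rather than a floating tag would make the build reproducible and protect against a silently replaced tag.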
@@ -0,0 +1,65 @@
+resource "aws_codepipeline" "hugo" {
+ name = "${var.project_name}_codepipeline"
+ role_arn = "${aws_iam_role.hugo.arn}"
+
+ artifact_store {
+ location = "${aws_s3_bucket.hugo.bucket}"
+ type = "S3"
+ }
+
+ stage {
+ name = "Source"
+
+ action {
+ name = "Source"
+ category = "Source"
+ owner = "ThirdParty"
+ provider = "GitHub"
+ version = "1"
+ output_artifacts = ["source_output"]
+
+ configuration {
+ Owner = "${var.github_organization}"
+ Repo = "${var.github_source_repo_name}"
+ Branch = "${var.github_source_repo_branch}"
+ OAuthToken = "${var.github_oauth_secret}"
+ }
+ }
+ }
+
+ stage {
+ name = "Build"
+
+ action {
+ name = "Build"
+ category = "Build"
+ owner = "AWS"
+ provider = "CodeBuild"
+ input_artifacts = ["source_output"]
+ output_artifacts = ["build_output"]
+ version = "1"
+
+ configuration {
+ ProjectName = "${aws_codebuild_project.hugo.name}"
+ }
+ }
+ }
+
+ stage {
+ name = "Deploy"
+
+ action {
+ name = "Deploy"
+ category = "Deploy"
+ owner = "AWS"
+ provider = "S3"
+ input_artifacts = ["build_output"]
+ version = "1"
+
+ configuration {
+ BucketName = "${aws_s3_bucket.hugo_root.bucket}"
+ Extract = "true"
+ }
+ }
+ }
+}
diff --git a/policy.tf b/policy.tf
new file mode 100644
index 0000000..9bba895
--- /dev/null
+++ b/policy.tf
@@ -0,0 +1,69 @@
+resource "aws_iam_role" "hugo" {
+ name = "${var.project_name}_role"
+
+ assume_role_policy = <
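Review bot: `OAuthToken = "${var.github_oauth_secret}"` in the Source action's `configuration` is stored as part of the pipeline definition, so the token ends up in plaintext in the Terraform state and is returned to any principal allowed `codepipeline:GetPipeline`; the `.gitignore` entry for `*.tfvars` keeps it out of the repo, but the state should live in an encrypted, access-controlled remote backend and the token should be scoped to this one repository with the minimum GitHub permissions the source action needs. The diffstat lists a `webhooks.tf`, and if a GitHub webhook triggers this pipeline the Source `configuration` should also set `PollForSourceChanges = "false"` so CodePipeline does not poll the repository in parallel with the webhook; webhooks.tf is not on this page, so treat that as something to confirm. `artifact_store` sets no `encryption_key`, which leaves the build artifacts on the default S3-managed encryption — acceptable for a static site, but a short comment stating that choice would save the next reader from wondering whether a KMS key was forgotten.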