[#18] AWS: Cloudfront configuration #22
Conversation
cld-vasconcelos
changed the base branch from
aws-bastion-host
to
cv/17/aws-key-management
| # ----------------------------------------------------------------------------- | ||
| # AWS autoscaling group | ||
| # ----------------------------------------------------------------------------- | ||
| resource "aws_autoscaling_group" "bastion" { | ||
| name = "${var.solution_name}-bastion" | ||
|
|
||
| desired_capacity = 1 | ||
| max_size = 1 | ||
| min_size = 1 | ||
|
|
||
| vpc_zone_identifier = var.subnets_ids | ||
|
|
||
| launch_template { | ||
| id = aws_launch_template.bastion.id | ||
| version = aws_launch_template.bastion.latest_version | ||
| } | ||
|
|
||
| instance_refresh { | ||
| strategy = "Rolling" | ||
| preferences { | ||
| min_healthy_percentage = 50 | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
do we need an autoscaling group if it's just 1 instance? Is it for auto recovery in case of a crash?
There was a problem hiding this comment.
Yes, it is for availability purposes.
| actions = ["s3:GetObject"] | ||
| resources = ["${module.static_website_bucket.bucket.arn}/*"] | ||
| actions = ["s3:*"] |
There was a problem hiding this comment.
why the change from GetObject to * ? Shouldn't Cloudfront only read the bucket?
There was a problem hiding this comment.
There are two S3 buckets: One for the static website and other for Cloudfront to write logs. This policy is for the latter, while the policy for the former is in ´modules/aws/data.tf´ and only allows reading from it.
| @@ -1,66 +1,142 @@ | |||
| resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {} | |||
There was a problem hiding this comment.
No, it is automatically generated. See: https://registry.terraform.io/providers/hashicorp/aws/3.49.0/docs/resources/cloudfront_origin_access_identity
| secret_string = <<EOF | ||
| { | ||
| "username": "${aws_db_instance.instance[count.index].username}", | ||
| "password": "${aws_db_instance.instance[count.index].password}" | ||
| } | ||
| EOF |
There was a problem hiding this comment.
There was a problem hiding this comment.
Done. Thanks!
Setup Cloudfront so that it can connect to both S3 Bucket hosting the static website and/or the application load balancer:
Before this change Cloudfront was only connecting to the S3 Bucket, forcing to access to the application load balancer directly or through its Route 53 entry (removed in this PR)