[#18] AWS: Cloudfront configuration #22
# ----------------------------------------------------------------------------- | ||
# AWS autoscaling group | ||
# ----------------------------------------------------------------------------- | ||
resource "aws_autoscaling_group" "bastion" { | ||
name = "${var.solution_name}-bastion" | ||
|
||
desired_capacity = 1 | ||
max_size = 1 | ||
min_size = 1 | ||
|
||
vpc_zone_identifier = var.subnets_ids | ||
|
||
launch_template { | ||
id = aws_launch_template.bastion.id | ||
version = aws_launch_template.bastion.latest_version | ||
} | ||
|
||
instance_refresh { | ||
strategy = "Rolling" | ||
preferences { | ||
min_healthy_percentage = 50 | ||
} | ||
} | ||
} |
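Review bot: With `min_size = max_size = 1` and `min_healthy_percentage = 50`, the rolling instance refresh has no headroom: half of one instance is no healthy instance at all, so the only bastion can be terminated before its replacement is in service, and because `version = aws_launch_template.bastion.latest_version` is used, every launch-template change triggers such a refresh. If a brief bastion outage on each template change is acceptable, note it in a comment; otherwise consider `min_healthy_percentage = 100` and confirm the group's size limits leave room for the replacement to launch first.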
Do we need an autoscaling group if it's just 1 instance? Is it for auto recovery in case of a crash?
Yes, it is for availability purposes.
actions = ["s3:GetObject"] | ||
resources = ["${module.static_website_bucket.bucket.arn}/*"] | ||
actions = ["s3:*"] |
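Review bot: `actions = ["s3:*"]` grants every S3 action, which is broader than log delivery needs; and the visible `resources` line still points at `module.static_website_bucket.bucket.arn`, so as shown this widening would apply to the website bucket rather than a log bucket. If the policy is meant for the log bucket, the resource should be that bucket's ARN, and the actions should be limited to the write operations the logging mechanism actually performs (e.g. `s3:PutObject`), keeping the website bucket at `s3:GetObject` only.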
Why the change from `GetObject` to `*`? Shouldn't Cloudfront only read the bucket?
There are two S3 buckets: one for the static website and the other for Cloudfront to write logs. This policy is for the latter, while the policy for the former is in `modules/aws/data.tf` and only allows reading from it.
@@ -1,66 +1,142 @@ | |||
resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {} |
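Review bot: The empty block is valid since `id` is computed, but the resource's optional `comment` argument is left unset; populating it, e.g. `comment = "${var.solution_name} static website"`, makes the identity recognisable in the CloudFront console and makes the bucket policy that grants it `s3:GetObject` easier to audit.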
Don't you need an id?
No, it is automatically generated. See: https://registry.terraform.io/providers/hashicorp/aws/3.49.0/docs/resources/cloudfront_origin_access_identity
secret_string = <<EOF | ||
{ | ||
"username": "${aws_db_instance.instance[count.index].username}", | ||
"password": "${aws_db_instance.instance[count.index].password}" | ||
} | ||
EOF |
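Review bot: Building the secret's JSON with a heredoc and string interpolation produces invalid JSON as soon as the generated password contains a `"` or `\`, and the secret then cannot be parsed by whatever reads it. Use `secret_string = jsonencode({ username = aws_db_instance.instance[count.index].username, password = aws_db_instance.instance[count.index].password })` so the values are escaped correctly. Either way the password is still recorded in Terraform state, so the state backend needs to be treated as sensitive.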
Done. Thanks!
Set up Cloudfront so that it can connect to both the S3 bucket hosting the static website and/or the application load balancer:
Before this change, Cloudfront was only connecting to the S3 bucket, forcing access to the application load balancer directly or through its Route 53 entry (removed in this PR).