Merge pull request #15 from ImDevinC/update-resume

Update cloudfront distro

.github/workflows/publish.yaml

@@ -26,10 +26,12 @@ jobs:
         id: generate
         run: docker run -v $PWD/static:/usr/src/app ${{ steps.build.outputs.digest }} export resume.html --theme jsonresume-theme-rocketspacer
       - name: Upload to S3
-        uses: shallwefootball/s3-upload-action@master
+        uses: jakejarvis/s3-sync-action@master
         with:
-          aws_key_id: ${{ secrets.AWS_KEY_ID }}
-          aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws_bucket: imdevinc-site
-          source_dir: static
-          destination_dir: ''
+          args: --acl public-read --follow-symlinks --delete
+        env:
+          AWS_S3_BUCKET: imdevinc-site
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY:  ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_REGION: 'us-west-2'
+          SOURCE_DIR: ./static

terraform/bucket.tf

@@ -14,28 +14,17 @@ module "bucket" {
 
 data "aws_iam_policy_document" "s3_policy" {
   statement {
-    actions   = ["s3:GetObject"]
-    resources = ["${module.bucket.s3_bucket_arn}/*"]
-    effect    = "Allow"
-
+    effect = "Allow"
     principals {
-      type        = "AWS"
-      identifiers = module.cloudfront.cloudfront_origin_access_identity_iam_arns
+      identifiers = ["cloudfront.amazonaws.com"]
+      type        = "Service"
     }
-  }
-
-  statement {
-    actions   = ["s3:*"]
-    resources = ["${module.bucket.s3_bucket_arn}", "${module.bucket.s3_bucket_arn}/*"]
-    effect    = "Deny"
+    actions   = ["s3:GetObject"]
+    resources = ["arn:aws:s3:::${module.bucket.s3_bucket_id}/*"]
     condition {
-      test     = "Bool"
-      variable = "aws:SecureTransport"
-      values   = [false]
-    }
-    principals {
-      type        = "*"
-      identifiers = ["*"]
+      test     = "StringEquals"
+      variable = "AWS:SourceArn"
+      values   = [module.cloudfront.cloudfront_distribution_arn]
     }
   }
 }

terraform/cloudfront.tf

@@ -2,23 +2,27 @@ module "cloudfront" {
   depends_on = [
     aws_acm_certificate.public
   ]
-  source = "terraform-aws-modules/cloudfront/aws"
+  source  = "terraform-aws-modules/cloudfront/aws"
+  version = "3.2.1"
   aliases = [
     local.domain_name,
     "www.${local.domain_name}"
   ]
-  price_class                   = "PriceClass_100"
-  create_origin_access_identity = true
-  default_root_object           = "index.html"
-  origin_access_identities = {
-    imdevinc_site_bucket = "cf to s3"
+  price_class                  = "PriceClass_100"
+  default_root_object          = "index.html"
+  create_origin_access_control = true
+  origin_access_control = {
+    site_oac = {
+      description      = "Cloudfront access to S3"
+      origin_type      = "s3"
+      signing_behavior = "always"
+      signing_protocol = "sigv4"
+    }
   }
   origin = {
     imdevinc_site_bucket = {
-      domain_name = module.bucket.s3_bucket_bucket_regional_domain_name
-      s3_origin_config = {
-        origin_access_identity = "imdevinc_site_bucket"
-      }
+      domain_name           = module.bucket.s3_bucket_bucket_regional_domain_name
+      origin_access_control = "site_oac"
     }
   }
   default_cache_behavior = {
@@ -52,7 +56,8 @@ module "blog_cloudfront" {
   depends_on = [
     aws_acm_certificate.public
   ]
-  source = "terraform-aws-modules/cloudfront/aws"
+  source  = "terraform-aws-modules/cloudfront/aws"
+  version = "3.2.1"
   aliases = [
     "blog.${local.domain_name}"
   ]