add a separate code bucket to segregate code static sites
twrichards committed Apr 17, 2023
1 parent 20b6b50 commit 78892d7
Showing 8 changed files with 198 additions and 104 deletions.
9 changes: 6 additions & 3 deletions README.md
Expand Up @@ -48,17 +48,20 @@ jobs:
## Inputs
### **app** `string` (required):

The app name. Used for the Riffraff deployment name and also to tag AWS
resources. Typically this would be the first part of your domain name - e.g.
'example' for 'example.gutools.co.uk'.
### **domain** `string` (required):

### **domain** `string` (required):
The domain should be a Guardian-owned domain. For internal tools,
`[app].gutools.co.uk` is recommended but check it is free first!

### **artifact** `string` (optional - default='artifact')
### **codeDomain** `string` (optional):
The domain should be a Guardian-owned domain. For internal tools,
`[name].code.dev-gutools.co.uk` is recommended but check it is free first!
Only use this option if your project really needs a lower envionment.

### **artifact** `string` (optional - default='artifact')
Name of the artifact containing the static resources. Should be uploaded in
an earlier workflow step.

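--- a/action.yaml
+++ b/action.yaml
@@ -7,6 +7,9 @@ inputs:
 domain:
 description: A Guardian-owned domain. [name].gutools.co.uk is recommended.
 required: true
+codeDomain:
+description: OPTIONAL Guardian-owned domain for CODE environment. [name].code.dev-gutools.co.uk is recommended.
+required: false
 artifact:
 description: 'Name of artifact containing the static site. Should be uploaded in an earlier workflow step.'
 required: false
@@ -31,6 +34,7 @@ runs:
 env:
 INPUT_APP: ${{ inputs.app }}
 INPUT_DOMAIN: ${{ inputs.domain }}
+INPUT_CODE_DOMAIN: ${{ inputs.codeDomain }}
 INPUT_ARTIFACT: ${{ inputs.artifact }}
 INPUT_DRYRUN: ${{ inputs.dryRun}}
 INPUT_ACTIONS_RUNTIME_TOKEN: ${ github.token }
@@ -64,19 +68,25 @@ runs:
 - eu-west-1
 allowedStages:
 - PROD
+${{ inputs.codeDomain && '- CODE' || '' }}
 deployments:
 cfn:
 type: cloud-formation
 app: ${{ inputs.app }}
 parameters:
-templatePath: cfn.json
+templatePath:
+templateStagePaths:
+PROD: cfn.json
+${{ inputs.codeDomain && 'CODE: cfn-CODE.json' || '' }}
 static-site-assets:
 type: aws-s3
 app: ${{ inputs.domain }} # A hack to prefix uploads with the domain.
 parameters:
 cacheControl: private
 publicReadAcl: false
-bucket: deploy-infra-actions-static-site-i-staticd8c87b36-jyufgyb0llkj # TODO replace with SSM param once possible.
+bucketSsmKeyStageParam:
+PROD: /INFRA/deploy/actions-static-site-infra/bucket
+CODE: /INFRA/deploy/actions-static-site-infra/codeBucket
 prefixApp: true # See comment on `app` above.
 prefixStack: false
 prefixStage: false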
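Review bot: The third hunk leaves a bare `templatePath:` with no value on the line directly above the new `templateStagePaths:` block; if that is the old key left behind after moving to per-stage templates it should be dropped, and if `templateStagePaths` was meant to nest under it the indentation is not recoverable from this rendering, so as shown one of the two keys is wrong. The `${{ inputs.codeDomain && '- CODE' || '' }}` item in `allowedStages` and the unconditional `CODE` entry under `bucketSsmKeyStageParam` only line up if riff-raff restricts deployments to the listed stages, which I believe it does but cannot confirm from this page. A one-line comment above the expression, such as `# CODE is only offered as a deploy stage when codeDomain is set`, would spare the next reader that reasoning. Note that when `codeDomain` is unset both expressions emit an empty line into the generated riff-raff.yaml, which YAML tolerates but which is worth a mention in the same comment.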
217 changes: 128 additions & 89 deletions cdk/__snapshots__/infra.test.ts.snap
Expand Up @@ -203,6 +203,11 @@ Environment=\\"BUCKET=",
"Ref": "staticD8C87B36",
},
"\\"
Environment=\\"CODE_BUCKET=",
Object {
"Ref": "codestaticB41DF3D7",
},
"\\"
Environment=\\"PORT=9000\\"
ExecStart=/app
Expand Down Expand Up @@ -652,6 +657,36 @@ systemctl start app
},
],
},
Object {
"Action": Array [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*",
],
"Effect": "Allow",
"Resource": Array [
Object {
"Fn::GetAtt": Array [
"codestaticB41DF3D7",
"Arn",
],
},
Object {
"Fn::Join": Array [
"",
Array [
Object {
"Fn::GetAtt": Array [
"codestaticB41DF3D7",
"Arn",
],
},
"/*",
],
],
},
],
},
],
"Version": "2012-10-17",
},
Expand Down Expand Up @@ -1112,6 +1147,99 @@ systemctl start app
},
"Type": "AWS::EC2::SecurityGroup",
},
"codestaticB41DF3D7": Object {
"DeletionPolicy": "Retain",
"Properties": Object {
"Tags": Array [
Object {
"Key": "gu:cdk:version",
"Value": "48.5.1",
},
Object {
"Key": "gu:repo",
"Value": "guardian/actions-static-site",
},
Object {
"Key": "Stack",
"Value": "stack",
},
Object {
"Key": "Stage",
"Value": "INFRA",
},
],
"WebsiteConfiguration": Object {
"IndexDocument": "index.html",
},
},
"Type": "AWS::S3::Bucket",
"UpdateReplacePolicy": "Retain",
},
"codestaticPolicy56B5E7C1": Object {
"Properties": Object {
"Bucket": Object {
"Ref": "codestaticB41DF3D7",
},
"PolicyDocument": Object {
"Statement": Array [
Object {
"Action": "s3:PutObject",
"Effect": "Allow",
"Principal": Object {
"AWS": Array [
Object {
"Fn::Join": Array [
"",
Array [
"arn:",
Object {
"Ref": "AWS::Partition",
},
":iam::000000000016:root",
],
],
},
"arn:aws:iam::000000000016:role/galaxies-data-refresher-lambda-role-CODE",
],
},
"Resource": Object {
"Fn::Join": Array [
"",
Array [
Object {
"Fn::GetAtt": Array [
"codestaticB41DF3D7",
"Arn",
],
},
"/galaxies.code.dev-gutools.co.uk/data/*",
],
],
},
},
],
"Version": "2012-10-17",
},
},
"Type": "AWS::S3::BucketPolicy",
},
"codestaticsitebucketCDD8A031": Object {
"Properties": Object {
"Description": "Bucket for CODE static sites.",
"Name": "/INFRA/stack/app/codeBucket",
"Tags": Object {
"Stack": "stack",
"Stage": "INFRA",
"gu:cdk:version": "48.5.1",
"gu:repo": "guardian/actions-static-site",
},
"Type": "String",
"Value": Object {
"Ref": "codestaticB41DF3D7",
},
},
"Type": "AWS::SSM::Parameter",
},
"ldpaccess567AC006": Object {
"Properties": Object {
"GroupDescription": "static-site-INFRA/ldp-access",
Expand Down Expand Up @@ -1202,95 +1330,6 @@ systemctl start app
],
},
},
Object {
"Action": "s3:ListBucket",
"Condition": Object {
"StringLike": Object {
"s3:prefix": Array [
"galaxies.gutools.co.uk/data/*",
],
},
},
"Effect": "Allow",
"Principal": Object {
"AWS": "arn:aws:iam::000000000016:role/galaxies-data-refresher-lambda-role-PROD",
},
"Resource": Object {
"Fn::GetAtt": Array [
"staticD8C87B36",
"Arn",
],
},
},
Object {
"Action": "s3:PutObject",
"Effect": "Allow",
"Principal": Object {
"AWS": Array [
Object {
"Fn::Join": Array [
"",
Array [
"arn:",
Object {
"Ref": "AWS::Partition",
},
":iam::000000000016:root",
],
],
},
"arn:aws:iam::000000000016:role/galaxies-data-refresher-lambda-role-CODE",
],
},
"Resource": Object {
"Fn::Join": Array [
"",
Array [
Object {
"Fn::GetAtt": Array [
"staticD8C87B36",
"Arn",
],
},
"/galaxies.code.dev-gutools.co.uk/data/*",
],
],
},
},
Object {
"Action": "s3:ListBucket",
"Condition": Object {
"StringLike": Object {
"s3:prefix": Array [
"galaxies.code.dev-gutools.co.uk/data/*",
],
},
},
"Effect": "Allow",
"Principal": Object {
"AWS": Array [
Object {
"Fn::Join": Array [
"",
Array [
"arn:",
Object {
"Ref": "AWS::Partition",
},
":iam::000000000016:root",
],
],
},
"arn:aws:iam::000000000016:role/galaxies-data-refresher-lambda-role-CODE",
],
},
"Resource": Object {
"Fn::GetAtt": Array [
"staticD8C87B36",
"Arn",
],
},
},
],
"Version": "2012-10-17",
},
22 changes: 17 additions & 5 deletions cdk/infra.ts
Expand Up @@ -47,7 +47,10 @@ export class Infra extends GuStack {
constructor(scope: App, id: string, props: InfraProps) {
super(scope, id, props);

const bucket = new Bucket(this, "static", {
const prodBucket = new Bucket(this, "static", {
websiteIndexDocument: 'index.html',
})
const codeBucket = new Bucket(this, "code-static", {
websiteIndexDocument: 'index.html',
})

Expand All @@ -62,7 +65,8 @@ cat << EOF > /etc/systemd/system/${app}.service
Description=Static Site service
[Service]
Environment="BUCKET=${bucket.bucketName}"
Environment="BUCKET=${prodBucket.bucketName}"
Environment="CODE_BUCKET=${codeBucket.bucketName}"
Environment="PORT=${port}"
ExecStart=/${app}
Expand Down Expand Up @@ -106,7 +110,8 @@ systemctl start ${app}

ec2.loadBalancer.addSecurityGroup(sg)

bucket.grantRead(ec2.autoScalingGroup)
prodBucket.grantRead(ec2.autoScalingGroup)
codeBucket.grantRead(ec2.autoScalingGroup)

// Google Auth stuff...

Expand Down Expand Up @@ -155,7 +160,12 @@ systemctl start ${app}
new StringParameter(this, 'static-site-bucket', {
description: 'Bucket for static sites.',
parameterName: `${configPrefix}/bucket`,
stringValue: bucket.bucketName,
stringValue: prodBucket.bucketName,
});
new StringParameter(this, 'code-static-site-bucket', {
description: 'Bucket for CODE static sites.',
parameterName: `${configPrefix}/codeBucket`,
stringValue: codeBucket.bucketName,
});

// Used by static site Cloudformations to attach certs.
Expand All @@ -175,20 +185,22 @@ systemctl start ${app}
// https://github.com/guardian/galaxies
Object.values({
PROD: {
bucket: prodBucket,
prefix: "galaxies.gutools.co.uk/data/*",
principals: [new ArnPrincipal(
`arn:aws:iam::${GuardianAwsAccounts.DeveloperPlayground}:role/galaxies-data-refresher-lambda-role-PROD`
)]
},
CODE: {
bucket: codeBucket,
prefix: "galaxies.code.dev-gutools.co.uk/data/*",
principals: [
new AccountPrincipal(GuardianAwsAccounts.DeveloperPlayground), // for local development
new ArnPrincipal(
`arn:aws:iam::${GuardianAwsAccounts.DeveloperPlayground}:role/galaxies-data-refresher-lambda-role-CODE`
)]
}
}).forEach(({ principals, prefix }) => {
}).forEach(({ bucket, principals, prefix }) => {
bucket.addToResourcePolicy(
new PolicyStatement({
resources: [bucket.arnForObjects(prefix)],
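Review bot: In the last hunk the data-refresher grant now targets the per-stage `bucket`, but the updated snapshot in this same commit shows the new `codestaticPolicy` with a single `s3:PutObject` statement, while the three statements removed from the `static` bucket policy include two `s3:ListBucket` statements carrying an `s3:prefix` condition; the forEach body continues past the hunk, and the infra.ts deletions are all renames, so either the ListBucket grant is being dropped deliberately or the snapshot and the code have diverged — worth confirming before this lands. In the first hunk `codeBucket` is declared with only `websiteIndexDocument`, mirroring `prodBucket`; since reads go through `grantRead` on the autoscaling group and action.yaml uploads with `publicReadAcl: false`, adding `blockPublicAccess: BlockPublicAccess.BLOCK_ALL` (imported from `aws-cdk-lib/aws-s3`) to the new bucket would be cheap unless the S3 website endpoint is actually served publicly, which the page does not show. The second hunk adds `CODE_BUCKET` to the unit-file environment, and the server that should read it is not among the five files rendered here, so I cannot confirm it is consumed. A one-line comment above the two `new StringParameter` calls, such as `// Consumed by action.yaml via bucketSsmKeyStageParam; keep the two names in sync`, would tie the parameter names to their reader.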
1 change: 0 additions & 1 deletion cdk/static-site.ts
Expand Up @@ -8,7 +8,6 @@ import {
import { GuCname } from "@guardian/cdk/lib/constructs/dns/";
import type { App} from "aws-cdk-lib";
import { Duration } from "aws-cdk-lib";
import { Certificate } from "aws-cdk-lib/aws-certificatemanager";
import {
CfnListenerCertificate,
} from "aws-cdk-lib/aws-elasticloadbalancingv2";
