outright updates (#15)

bcheidemann · Dec 7, 2023 · 0dcc833 · 0dcc833
1 parent 2a9aea5
commit 0dcc833
Show file tree

Hide file tree

Showing 4 changed files with 150 additions and 40 deletions.
diff --git a/src/pages/outright.astro b/src/pages/outright.astro
@@ -16,7 +16,7 @@
         <h2>Server Details</h2>
         <p>
           The Outright server is available at <a href="#"
-            >outright.catlord.co.uk</a
+            >srv1.outright.catlord.co.uk</a
           >. The server is running a Minecraft 1.20.1 Fabric instance. You will
           need to install the mods to connect.
         </p>
@@ -30,10 +30,8 @@
         <ol>
           <li>
             Copy the following link: <br />
-            <a
-              href="https://d108e7q8l7s6gv.cloudfront.net/downloads/modpacks/Outright.zip"
-              target="_blank"
-              >https://d108e7q8l7s6gv.cloudfront.net/downloads/modpacks/Outright.zip</a
+            <a href="https://files.catlord.co.uk/Outright.zip" target="_blank"
+              >https://files.catlord.co.uk/Outright.zip</a
             >
           </li>
           <li>Open MultiMC and click "Add Instance" in the top left.</li>
@@ -47,10 +45,8 @@
         <ol>
           <li>
             Copy the following link: <br />
-            <a
-              href="https://d108e7q8l7s6gv.cloudfront.net/downloads/modpacks/Outright.zip"
-              target="_blank"
-              >https://d108e7q8l7s6gv.cloudfront.net/downloads/modpacks/Outright.zip</a
+            <a href="https://files.catlord.co.uk/Outright.zip" target="_blank"
+              >https://files.catlord.co.uk/Outright.zip</a
             >
           </li>
           <li>
@@ -63,7 +59,7 @@
         <h3>Modrinth</h3>
         <p>
           The modrinth modpack is available <a
-            href="https://d108e7q8l7s6gv.cloudfront.net/downloads/modpacks/Outright.mrpack"
+            href="https://files.catlord.co.uk/Outright.mrpack"
             target="_blank">here</a
           >.
         </p>
@@ -74,7 +70,7 @@
           <li>
             Download the mods from: <br />
             <a
-              href="https://d108e7q8l7s6gv.cloudfront.net/downloads/modpacks/OutrightMods.zip"
+              href="https://files.catlord.co.uk/OutrightMods.zip"
               target="_blank"
               >https://d108e7q8l7s6gv.cloudfront.net/downloads/modpacks/OutrightMods.zip</a
             >

diff --git a/terraform/cloudfront.tf b/terraform/cloudfront.tf
@@ -68,53 +68,70 @@ resource "aws_cloudfront_distribution" "catlord_static_site_distribution" {
   }
 }
 
-# ===================== Outright Server =====================
-
-resource "aws_cloudfront_distribution" "outright_production_server_distribution" {
+# ===================== Static Site =====================
+resource "aws_cloudfront_distribution" "catlord_files_distribution" {
   origin {
-    connection_attempts      = 3
-    connection_timeout       = 10
-    domain_name              = "outright.catlord.co.uk"
-    origin_id                = "outright.catlord.co.uk"
+    domain_name = aws_s3_bucket_website_configuration.catlord_files_website_configuration.website_endpoint
+    origin_id   = "S3-catlord-files"
 
     custom_origin_config {
-      http_port                = 80
-      https_port               = 443
-      origin_protocol_policy   = "http-only"
-      origin_ssl_protocols     = ["TLSv1", "TLSv1.1", "TLSv1.2"]
-      origin_keepalive_timeout = 5
-      origin_read_timeout      = 30
+      http_port              = 80
+      https_port             = 443
+      origin_protocol_policy = "http-only"
+      origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
     }
   }
 
   enabled             = true
   is_ipv6_enabled     = true
   web_acl_id          = aws_wafv2_web_acl.catlord.arn
-  http_version        = "http2"
+
+  aliases = [
+    "files.catlord.co.uk"
+  ]
+
+  custom_error_response {
+    error_caching_min_ttl = 0
+    error_code            = 404
+    response_code         = 200
+    response_page_path    = "/404.html"
+  }
 
   default_cache_behavior {
-    allowed_methods            = ["GET", "HEAD"]
-    cached_methods             = ["GET", "HEAD"]
-    # Using the CachingDisabled managed policy ID
-    cache_policy_id            = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad"
-    # Using the Managed-AllViewer managed policy ID
-    origin_request_policy_id   = "216adef6-5c7f-47e4-b989-5492eafa07d3"
-    # Using the Managed-CORS-with-preflight-and-SecurityHeadersPolicy managed policy ID
-    response_headers_policy_id = "eaab4381-ed33-4a86-88ca-d9558dc6cd63"
-    compress                   = true
-    target_origin_id           = "outright.catlord.co.uk"
-    viewer_protocol_policy     = "redirect-to-https"
+    allowed_methods  = ["GET", "HEAD"]
+    cached_methods   = ["GET", "HEAD"]
+    target_origin_id = "S3-catlord-files"
+
+    forwarded_values {
+      query_string = false
+
+      cookies {
+        forward = "none"
+      }
+    }
+
+    viewer_protocol_policy = "redirect-to-https"
+    min_ttl                = 31536000
+    default_ttl            = 31536000
+    max_ttl                = 31536000
+    compress               = true
   }
 
   restrictions {
     geo_restriction {
       restriction_type = "none"
     }
   }
-  
+
   viewer_certificate {
-    acm_certificate_arn            = aws_acm_certificate_validation.catlord_static_site_cert_validation.certificate_arn
-    ssl_support_method             = "sni-only"
-    minimum_protocol_version       = "TLSv1.2_2021"
+    acm_certificate_arn      = aws_acm_certificate_validation.catlord_static_site_cert_validation.certificate_arn
+    ssl_support_method       = "sni-only"
+    minimum_protocol_version = "TLSv1.2_2021"
+  }
+
+  logging_config {
+    include_cookies = false
+    bucket          = "${aws_s3_bucket.logging_bucket.bucket}.s3.amazonaws.com"
+    prefix          = "aws_cloudfront_distribution/catlord_files_distribution/"
   }
 }
diff --git a/terraform/r53.tf b/terraform/r53.tf
@@ -101,3 +101,15 @@ resource "aws_route53_record" "outright_servers" {
   ttl     = 300
   records = ["149.202.89.159"]
 }
+
+resource "aws_route53_record" "catlord_files" {
+  zone_id = aws_route53_zone.catlord.zone_id
+  name    = "files.catlord.co.uk"
+  type    = "A"
+
+  alias {
+    name                   = aws_cloudfront_distribution.catlord_files_distribution.domain_name
+    zone_id                = aws_cloudfront_distribution.catlord_files_distribution.hosted_zone_id
+    evaluate_target_health = true
+  }
+}
diff --git a/terraform/s3.tf b/terraform/s3.tf
@@ -201,3 +201,88 @@ resource "aws_s3_bucket_website_configuration" "catlord_static_site_website_conf
     key = "404.html"
   }
 }
+
+# ===================== Files =====================
+# TODO: See "aws_s3_bucket_server_side_encryption_configuration" below
+# tfsec:ignore:aws-s3-enable-bucket-encryption tfsec:ignore:aws-s3-encryption-customer-key
+resource "aws_s3_bucket" "catlord_files" {
+  bucket = "catlord-files"
+
+  tags = {
+    Name        = "Files"
+    Environment = "production"
+  }
+}
+
+resource "aws_s3_bucket_acl" "catlord_files_site_acl" {
+  bucket = aws_s3_bucket.catlord_static_site.id
+  acl    = "private"
+}
+
+# TODO: Configure cloudfront to use the KMS key
+# resource "aws_s3_bucket_server_side_encryption_configuration" "catlord_files_server_side_encryption_configuration" {
+#   bucket = aws_s3_bucket.catlord_files.id
+
+#   rule {
+#     apply_server_side_encryption_by_default {
+#       kms_master_key_id = aws_kms_key.static_site_bucket_key.arn
+#       sse_algorithm     = "aws:kms"
+#     }
+#   }
+# }
+
+resource "aws_s3_bucket_public_access_block" "catlord_files_public_access_block" {
+  bucket                  = aws_s3_bucket.catlord_files.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  # TODO: Use aws_s3_bucket_policy to restrict access to the bucket to only CloudFront
+  restrict_public_buckets = false # tfsec:ignore:aws-s3-no-public-buckets
+}
+
+resource "aws_s3_bucket_logging" "catlord_files_logging" {
+  bucket = aws_s3_bucket.catlord_files.id
+
+  target_bucket = aws_s3_bucket.logging_bucket.id
+  target_prefix = "aws_s3_bucket/catlord_files_logging/"
+}
+
+resource "aws_s3_bucket_versioning" "catlord_files_versioning" {
+  bucket = aws_s3_bucket.catlord_files.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_policy" "catlord_files_policy" {
+  bucket = aws_s3_bucket.catlord_files.id
+  policy = templatefile(
+    "templates/s3-static-site-policy.json",
+    { bucket = aws_s3_bucket.catlord_files.bucket }
+  )
+}
+
+resource "aws_s3_bucket_cors_configuration" "catlord_files_cors_configuration" {
+  bucket = aws_s3_bucket.catlord_files.id
+
+  cors_rule {
+    allowed_headers = ["Authorization", "Content-Length"]
+    allowed_methods = ["GET"]
+    allowed_origins = [
+      "https://files.catlord.co.uk"
+    ]
+    max_age_seconds = 3000
+  }
+}
+
+resource "aws_s3_bucket_website_configuration" "catlord_files_website_configuration" {
+  bucket = aws_s3_bucket.catlord_files.id
+
+  index_document {
+    suffix = "index.html"
+  }
+
+  error_document {
+    key = "404.html"
+  }
+}