2021-08-05 01:01:56 +03:00
|
|
|
import * as pulumi from '@pulumi/pulumi'
|
|
|
|
import * as aws from '@pulumi/aws'
|
|
|
|
import * as cloud from '@pulumi/cloud'
|
|
|
|
|
|
|
|
import { getType } from 'mime'
|
|
|
|
|
|
|
|
import { readdirSync, lstatSync } from 'fs'
|
|
|
|
import { join } from 'path'
|
|
|
|
|
|
|
|
const siteBucket = new aws.s3.Bucket('anticrm-app', {
|
|
|
|
acl: "public-read",
|
|
|
|
website: {
|
|
|
|
indexDocument: 'index.html'
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
const buildDir = "../../dev/prod"
|
|
|
|
|
|
|
|
function createObjects(root: string, path: string): void {
|
|
|
|
const dir = join(root, path)
|
|
|
|
for (const file of readdirSync(dir)) {
|
|
|
|
const relative = join(path, file)
|
|
|
|
const absolute = join(root, relative)
|
|
|
|
if (lstatSync(absolute).isDirectory()) {
|
|
|
|
createObjects(root, relative)
|
|
|
|
} else {
|
|
|
|
new aws.s3.BucketObject(relative, {
|
|
|
|
acl: 'public-read',
|
|
|
|
bucket: siteBucket,
|
|
|
|
source: new pulumi.asset.FileAsset(absolute), // use FileAsset to point to a file
|
|
|
|
contentType: getType(absolute) || undefined, // set the MIME type of the file
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-08-07 20:44:29 +03:00
|
|
|
createObjects(buildDir + '/public', '')
|
|
|
|
createObjects(buildDir + '/dist', '')
|
2021-08-05 01:01:56 +03:00
|
|
|
|
|
|
|
export const bucketName = siteBucket.bucket // create a stack export for bucket name
|
|
|
|
export const websiteUrl = siteBucket.websiteEndpoint
|
|
|
|
|
|
|
|
// D O C K E R
|
|
|
|
|
|
|
|
const service = new cloud.Service("dev-server", {
|
|
|
|
containers: {
|
|
|
|
server: {
|
|
|
|
build: "./dev-server",
|
|
|
|
memory: 128,
|
|
|
|
ports: [{ port: 3333 }],
|
|
|
|
},
|
|
|
|
},
|
|
|
|
replicas: 1,
|
|
|
|
})
|
|
|
|
|
|
|
|
export const serverEndpoint = service.defaultEndpoint.hostname
|
|
|
|
|
|
|
|
// // Create an S3 Bucket Policy to allow public read of all objects in bucket
|
|
|
|
// // This reusable function can be pulled out into its own module
|
|
|
|
// function publicReadPolicyForBucket(bucketName: string) {
|
|
|
|
// return JSON.stringify({
|
|
|
|
// Version: "2012-10-17",
|
|
|
|
// Statement: [{
|
|
|
|
// Effect: "Allow",
|
|
|
|
// Principal: "*",
|
|
|
|
// Action: [
|
|
|
|
// "s3:GetObject"
|
|
|
|
// ],
|
|
|
|
// Resource: [
|
|
|
|
// `arn:aws:s3:::${bucketName}/*` // policy refers to bucket name explicitly
|
|
|
|
// ]
|
|
|
|
// }]
|
|
|
|
// })
|
|
|
|
// }
|
|
|
|
|
|
|
|
// // Set the access policy for the bucket so all objects are readable
|
|
|
|
// new aws.s3.BucketPolicy('bucketPolicy', {
|
|
|
|
// bucket: siteBucket.bucket, // depends on siteBucket -- see explanation below
|
|
|
|
// policy: siteBucket.bucket.apply(publicReadPolicyForBucket)
|
|
|
|
// // transform the siteBucket.bucket output property -- see explanation below
|
|
|
|
// });
|
|
|
|
|
|
|
|
// Get the hosted zone by domain name
|
|
|
|
const zoneId = aws.route53.getZone({ name: "hc.engineering." }).then(zone => zone.zoneId)
|
|
|
|
|
|
|
|
const tenMinutes = 60 * 10
|
|
|
|
|
|
|
|
// Per AWS, ACM certificate must be in the us-east-1 region.
|
|
|
|
const eastRegion = new aws.Provider("east", {
|
|
|
|
profile: aws.config.profile,
|
|
|
|
region: "us-east-1",
|
|
|
|
})
|
|
|
|
|
|
|
|
const certificate = new aws.acm.Certificate(
|
|
|
|
"certificate",
|
|
|
|
{
|
|
|
|
domainName: "app.hc.engineering",
|
|
|
|
validationMethod: "DNS",
|
|
|
|
},
|
|
|
|
{ provider: eastRegion }
|
|
|
|
);
|
|
|
|
|
|
|
|
const certificateValidationDomain = new aws.route53.Record(
|
|
|
|
"app.hc.engineering-validation",
|
|
|
|
{
|
|
|
|
name: certificate.domainValidationOptions[0].resourceRecordName,
|
|
|
|
zoneId: zoneId,
|
|
|
|
type: certificate.domainValidationOptions[0].resourceRecordType,
|
|
|
|
records: [certificate.domainValidationOptions[0].resourceRecordValue],
|
|
|
|
ttl: tenMinutes,
|
|
|
|
}
|
|
|
|
);
|
|
|
|
|
|
|
|
const certificateValidation = new aws.acm.CertificateValidation(
|
|
|
|
"certificateValidation",
|
|
|
|
{
|
|
|
|
certificateArn: certificate.arn,
|
|
|
|
validationRecordFqdns: [certificateValidationDomain.fqdn],
|
|
|
|
},
|
|
|
|
{ provider: eastRegion }
|
|
|
|
)
|
|
|
|
|
|
|
|
// distributionArgs configures the CloudFront distribution. Relevant documentation:
|
|
|
|
// https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html
|
|
|
|
// https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html
|
|
|
|
const distributionArgs: aws.cloudfront.DistributionArgs = {
|
|
|
|
enabled: true,
|
|
|
|
// Alternate aliases the CloudFront distribution can be reached at, in addition to https://xxxx.cloudfront.net.
|
|
|
|
// Required if you want to access the distribution via config.targetDomain as well.
|
|
|
|
aliases: ["app.hc.engineering"],
|
|
|
|
|
|
|
|
// We only specify one origin for this distribution, the S3 content bucket.
|
|
|
|
origins: [
|
|
|
|
{
|
|
|
|
originId: siteBucket.arn,
|
|
|
|
domainName: siteBucket.websiteEndpoint,
|
|
|
|
customOriginConfig: {
|
|
|
|
// Amazon S3 doesn't support HTTPS connections when using an S3 bucket configured as a website endpoint.
|
|
|
|
// https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginProtocolPolicy
|
|
|
|
originProtocolPolicy: "http-only",
|
|
|
|
httpPort: 80,
|
|
|
|
httpsPort: 443,
|
|
|
|
originSslProtocols: ["TLSv1.2"],
|
|
|
|
},
|
|
|
|
},
|
|
|
|
],
|
|
|
|
|
|
|
|
defaultRootObject: "index.html",
|
|
|
|
|
|
|
|
// A CloudFront distribution can configure different cache behaviors based on the request path.
|
|
|
|
// Here we just specify a single, default cache behavior which is just read-only requests to S3.
|
|
|
|
defaultCacheBehavior: {
|
|
|
|
targetOriginId: siteBucket.arn,
|
|
|
|
|
|
|
|
viewerProtocolPolicy: "redirect-to-https",
|
|
|
|
allowedMethods: ["GET", "HEAD", "OPTIONS"],
|
|
|
|
cachedMethods: ["GET", "HEAD", "OPTIONS"],
|
|
|
|
|
|
|
|
forwardedValues: {
|
|
|
|
cookies: { forward: "none" },
|
|
|
|
queryString: false,
|
|
|
|
},
|
|
|
|
|
|
|
|
minTtl: 0,
|
|
|
|
defaultTtl: tenMinutes,
|
|
|
|
maxTtl: tenMinutes,
|
|
|
|
},
|
|
|
|
|
|
|
|
// "All" is the most broad distribution, and also the most expensive.
|
|
|
|
// "100" is the least broad, and also the least expensive.
|
|
|
|
priceClass: "PriceClass_100",
|
|
|
|
|
|
|
|
// You can customize error responses. When CloudFront receives an error from the origin (e.g. S3 or some other
|
|
|
|
// web service) it can return a different error code, and return the response for a different resource.
|
|
|
|
customErrorResponses: [
|
|
|
|
{ errorCode: 404, responseCode: 200, responsePagePath: "/index.html" },
|
|
|
|
],
|
|
|
|
|
|
|
|
restrictions: {
|
|
|
|
geoRestriction: {
|
|
|
|
restrictionType: "none",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
|
|
|
|
viewerCertificate: {
|
|
|
|
acmCertificateArn: certificateValidation.certificateArn, // Per AWS, ACM certificate must be in the us-east-1 region.
|
|
|
|
sslSupportMethod: "sni-only",
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
const cdn = new aws.cloudfront.Distribution("cdn", distributionArgs)
|
|
|
|
|
|
|
|
// Create a Route53 A-record
|
|
|
|
new aws.route53.Record("targetDomain", {
|
|
|
|
name: "app.hc.engineering",
|
|
|
|
zoneId: zoneId,
|
|
|
|
type: "A",
|
|
|
|
aliases: [{
|
|
|
|
zoneId: cdn.hostedZoneId,
|
|
|
|
name: cdn.domainName,
|
|
|
|
evaluateTargetHealth: true,
|
|
|
|
}],
|
|
|
|
})
|