This repo is used to create a CI/CD pipeline (using AWS CodeBuild and CodePipeline) for hosting a static website on AWS S3, paired with AWS Cloudfront for caching. Terraform is used to provision these resource, and the Terraform configuration uses an S3 bucket as a remote backend and a DynamoDB table for state-locking.
This configurations uses an AWS S3 bucket as a remote backend and an AWS DynamoDB table for state-locking. Users will need to create these resources independently and pass the names of those resources into theTerraform configuration's main.tf file. Example:
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "5.36.0"
}
}
backend "s3" {
encrypt = true
bucket = "<BUCKET-NAME>"
key = "backend/tfstate"
#dynamodb_table = "<DYNAMODB-TABLE-NAME>"
region = "us-east-1"
}
}
variables_s3.tf
- "dev_website_bucket_name"
- "prod_website_bucket_name"
- "artifact_bucket_name"
pipeline_variables.tf
- "github_repo"
- "pipeline_name"
codebuild_variables.tf
- "codebuild_project_name"
varaible_cf.tf (Cloudfront)
- "oac_name"
- "cloudfront_location_restrictions"
For this execution of the CI/CD pipeline, AWS CodeBuild needs some permissions that are not included in the standard Codebuild IAM access policies. At minimum, a CodeBuild Service Role will need S3 permissions to:
- "s3:GetObject"
- "s3:GetObjectVersion" (if verisoning is enabled in S3)
- "S3:PutObject" (the CodePipelineServiceRole will need this permission as well)
Additionally, this role should be able to access CloudWatchLogs:
- "logs:FilterLogEvents"
- "logs:GetLogEvents"
Users of this configuration will need to ensure that the client's administrative unit in control of IAM access has enabled these permissions.
In order to avoid committing potentially sensitive resource information to version control, "${path.root}/PATH-TO-YOUR-FILE" is used to pass Amazon Resource Numbers (ARN) in both the codebuild_main.tf and pipeline_main.tf configuration files. These files contain the ARNs for the CodePipelineServiceRole, CodeBuildServiceRole, and codestar-connections:connection to GitHub.
These IAM roles and policies were already established in the client's AWS account. These roles and policies can alternatively be created in Terraform as part of the configuration.
- Outside of Terraform, create an S3 bucket and DynamoDB table to be used for the remote backend.
- Create service roles for CodeBuild and CodePipeline that have the additional permissions mentioned above.
- In AWS, create a Codestar connection to the Github repo being used. Save the ARN for that connection to a .txt file stored locally.
- Ensure that .txt files for the codestar_connections:connection, CodePipelineServiceRole, and CodeBuildServiceRole are stored locally.
- Ensure that the path to those files are set correctly in the "${path.root}/" method (i.e., relative to the "root" directory).
- Name the specific variables mentioned in the above section.
- Follow the Terraform workflow to deploy the infrastructure.
- Test the pipeline by altering the index.html file in some recognizable way, or alter the <title/> tag to trigger a build failure.
It is important to note that although the "${path.root}/" method will keep sensitive information from being uploaded to version control, that information will still be present in the /tfstate file.