diff --git a/.gitea/workflows/sec-lint-s3.yaml b/.gitea/workflows/sec-lint-s3.yaml
deleted file mode 100644
index 6add42f..0000000
--- a/.gitea/workflows/sec-lint-s3.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-name: Secops Linting and Safety Checks
-on:
-  push:
-    branches:
-      - master
-
-
-
-jobs:
-  checkov-scan-s3:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repo code
-        uses: actions/checkout@v4
-      - name: Scan S3 Terraform with Checkov
-        uses: bridgecrewio/checkov-action@master
-        with:
-          directory: infra/s3/
-          framework: terraform
diff --git a/infra/s3/Makefile b/infra/s3/Makefile
deleted file mode 100644
index adab9c5..0000000
--- a/infra/s3/Makefile
+++ /dev/null
@@ -1,24 +0,0 @@
-plan=out.plan
-
-SHELL := /bin/bash
-
-$(plan):
-	source ../secrets/set-env.sh && terraform plan -input=false -out $(plan)
-
-push: build
-	source ../secrets/set-env.sh && terraform apply $(plan)
-
-refresh:
-	source ../secrets/set-env.sh && terraform apply -refresh-only
-
-test:
-	terraform validate
-
-
-rip:
-	source ../secrets/set-env.sh && terraform destroy
-
-clean:
-	rm -f $(plan)
-
-.PHONY: test build clean push rip
diff --git a/infra/s3/backend.tf b/infra/s3/backend.tf
deleted file mode 100644
index 8aeadec..0000000
--- a/infra/s3/backend.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-terraform {
-  required_version = ">= 0.13"
-  backend "s3" {
-    bucket = "project-athens"
-    key = "infra/s3/state/build.tfstate"
-    region = "us-west-1"
-    encrypt = true
-  }
-  required_providers {
-    aws = {
-      source = "hashicorp/aws"
-      version = "4.13.0"
-    }
-  }
-}
-
-# Base config for using AWS features w/ Terraform
-provider "aws" {
-  access_key = var.aws_key
-  secret_key = var.aws_secret
-  region = var.aws_region
-  max_retries = 1
-}
-
diff --git a/infra/s3/input-vars.tf b/infra/s3/input-vars.tf
deleted file mode 100644
index 6b45ce5..0000000
--- a/infra/s3/input-vars.tf
+++ /dev/null
@@ -1,93 +0,0 @@
-# All variables that are used in various places go here
-
-######################### General provider specific values
-
-variable "aws_key" {
-  description = "Access Key for AWS operations"
-  type = string
-  sensitive = true
-}
-
-variable "aws_secret" {
-  description = "Secret Key for AWS operations"
-  type = string
-  sensitive = true
-}
-
-variable "aws_region" {
-  description = "Region where the VPC is located"
-  type = string
-  sensitive = true
-}
-
-variable "vpc_id" {
-  description = "Project Athens VPC ID"
-  type = string
-}
-
-######################### Alpha Cluster variables
-
-variable "athens_prefix" {
-  description = "Prefix for all things in alpha cluster"
-  type = string
-  default = "athens"
-}
-
-######################### Nginx reverse proxy vars
-
-
-# Yes these buckets _could_ be public but where's the fun in that :x
-variable "shockrah_xyz_s3_access_key_id" {
-  description = "Acess key for reading public s3 buckets"
-  type = string
-  sensitive = true
-}
-
-variable "shockrah_xyz_s3_secret_key" {
-  description = "Secret key for reading public s3 buckets"
-  type = string
-  sensitive = true
-}
-
-variable "nginx_port" {
-  description = "Port for shockrah.xyz"
-  type = number
-  default = 80
-}
-
-######################### Nginx reverse proxy vars
-
-variable "shockrah_xyz_bucket" {
-  description = "S3 bucket name"
-  type = string
-  default = "shockrah_xyz"
-}
-
-variable "resume_shockrah_xyz_bucket" {
-  description = "S3 bucket name"
-  type = string
-  default = "resume_shockrah_xyz"
-}
-
-variable "temper" {
-  type = object({
-    cert_arn = string
-  })
-}
-
-variable "sg" {
-  type = object({
-    base_ecs = string
-    ecs_web_ingress = string
-    lb_health_check = string
-  })
-}
-
-variable "alpha" {
-  type = object({
-    dns = string
-    zone = string
-  })
-}
-
-
diff --git a/infra/s3/local.tf b/infra/s3/local.tf
deleted file mode 100644
index b446cdf..0000000
--- a/infra/s3/local.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-locals {
-  buckets = [
-    "shockrah.xyz",
-    "resume.shockrah.xyz",
-    "temper.tv"
-  ]
-}
-
diff --git a/infra/s3/s3.tf b/infra/s3/s3.tf
deleted file mode 100644
index e27eeb1..0000000
--- a/infra/s3/s3.tf
+++ /dev/null
@@ -1,17 +0,0 @@
-resource "aws_s3_bucket" "static-content" {
-  for_each = {
-    for idx, record in local.buckets:
-    idx => record
-  }
-
-  bucket = each.value
-
-  tags = {
-    Name = each.value
-    Description = "Static content"
-  }
-}
-
-
-
-
diff --git a/infra/s3/website-config.tf b/infra/s3/website-config.tf
deleted file mode 100644
index 8999f2d..0000000
--- a/infra/s3/website-config.tf
+++ /dev/null
@@ -1,53 +0,0 @@
-##################################################################
-# Below are the acl components for each bucket to make them public
-##################################################################
-
-# TODO: ensure proper dependency chaining to the buckets that these
-# blocks require to be in place _before_ they come up
-
-# Enables website configuration
-resource "aws_s3_bucket_website_configuration" "site" {
-  for_each = aws_s3_bucket.static-content
-  bucket = each.value.bucket
-  index_document {
-    suffix = "index.html"
-  }
-
-  error_document {
-    key = "404.html"
-  }
-}
-
-# Set block public access to false
-resource "aws_s3_bucket_public_access_block" "site" {
-  for_each = aws_s3_bucket.static-content
-  bucket = each.value.bucket
-
-  block_public_acls = false
-  block_public_policy = false
-  ignore_public_acls = false
-  restrict_public_buckets = false
-}
-# Set a policy on the bucket to allow reads from anywhere
-resource "aws_s3_bucket_policy" "site" {
-  for_each = aws_s3_bucket.static-content
-  bucket = each.value.bucket
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Sid = "PublicReadGetObject"
-        Effect = "Allow"
-        Principal = "*"
-        Action = "s3:GetObject"
-        Resource = [
-          "arn:aws:s3:::${each.value.bucket}",
-          "arn:aws:s3:::${each.value.bucket}/*",
-        ]
-      }
-    ]
-  })
-}
-
-
-