S3 infra cleanup

2026-04-26 01:53:14 -07:00
parent 074139e0dd
commit 62d4129b73
7 changed files with 0 additions and 238 deletions
--- a/.gitea/workflows/sec-lint-s3.yaml
+++ b/.gitea/workflows/sec-lint-s3.yaml
@@ -1,19 +0,0 @@
 name: Secops Linting and Safety Checks
 on:
  push:
    branches:
      - master
 jobs:
  checkov-scan-s3:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo code
        uses: actions/checkout@v4
      - name: Scan S3 Terraform with Checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: infra/s3/
          framework: terraform
--- a/infra/s3/Makefile
+++ b/infra/s3/Makefile
@@ -1,24 +0,0 @@
 plan=out.plan
 SHELL := /bin/bash
 $(plan):
 	source ../secrets/set-env.sh && terraform plan -input=false -out $(plan)
 push: build
 	source ../secrets/set-env.sh && terraform apply $(plan)
 refresh:
 	source ../secrets/set-env.sh && terraform apply -refresh-only
 test:
 	terraform validate
 rip:
 	source ../secrets/set-env.sh && terraform destroy
 clean:
 	rm -f $(plan)
 .PHONY: test build clean push rip
--- a/infra/s3/backend.tf
+++ b/infra/s3/backend.tf
@@ -1,24 +0,0 @@
 terraform {
  required_version = ">= 0.13"
  backend "s3" {
      bucket  = "project-athens"
      key     = "infra/s3/state/build.tfstate"
      region  = "us-west-1"
      encrypt = true
  }
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.13.0"
    }
  }
 }
 # Base config for using AWS features w/ Terraform
 provider "aws" {
  access_key = var.aws_key
  secret_key = var.aws_secret
  region = var.aws_region
  max_retries = 1
 }
--- a/infra/s3/input-vars.tf
+++ b/infra/s3/input-vars.tf
@@ -1,93 +0,0 @@
 # All variables that are used in various places go here
 ######################### General provider specific values
 variable "aws_key" {
 	description = "Access Key for AWS operations"
 	type = string
 	sensitive = true
 }
 variable "aws_secret" {
 	description = "Secret Key for AWS operations"
 	type = string
 	sensitive = true
 }
 variable "aws_region" {
 	description = "Region where the VPC is located"
 	type = string
 	sensitive = true
 }
 variable "vpc_id" {
  description = "Project Athens VPC ID"
  type = string
 }
 ######################### Alpha Cluster variables
 variable "athens_prefix" {
 	description = "Prefix for all things in alpha cluster"
 	type = string
 	default = "athens"
 }
 ######################### Nginx reverse proxy vars
 # Yes these buckets _could_ be public but where's the fun in that :x
 variable "shockrah_xyz_s3_access_key_id" {
  description = "Acess key for reading public s3 buckets"
  type        = string
  sensitive   = true
 }
 variable "shockrah_xyz_s3_secret_key" {
  description = "Secret key for reading public s3 buckets"
  type        = string
  sensitive   = true
 }
 variable "nginx_port" {
  description = "Port for shockrah.xyz"
  type        = number
  default     = 80
 }
 ######################### Nginx reverse proxy vars
 variable "shockrah_xyz_bucket" {
  description = "S3 bucket name"
  type        = string
  default     = "shockrah_xyz"
 }
 variable "resume_shockrah_xyz_bucket" {
  description = "S3 bucket name"
  type        = string
  default     = "resume_shockrah_xyz"
 }
 variable "temper" {
  type = object({
    cert_arn = string
  })
 }
 variable "sg" {
  type = object({
    base_ecs        = string
    ecs_web_ingress = string
    lb_health_check = string
  })
 }
 variable "alpha" {
  type = object({
    dns  = string
    zone = string
  })
 }
--- a/infra/s3/local.tf
+++ b/infra/s3/local.tf
@@ -1,8 +0,0 @@
 locals {
  buckets = [
    "shockrah.xyz",
    "resume.shockrah.xyz",
    "temper.tv"
  ]
 }
--- a/infra/s3/s3.tf
+++ b/infra/s3/s3.tf
@@ -1,17 +0,0 @@
 resource "aws_s3_bucket" "static-content" {
  for_each = {
    for idx, record in local.buckets:
      idx => record
  }
  bucket = each.value
  tags = {
    Name = each.value
    Description = "Static content"
  }
 }
--- a/infra/s3/website-config.tf
+++ b/infra/s3/website-config.tf
@@ -1,53 +0,0 @@
 ##################################################################
 # Below are the acl components for each bucket to make them public
 ##################################################################
 # TODO: ensure proper dependency chaining to the buckets that these
 # blocks require to be in place _before_ they come up
 # Enables website configuration
 resource "aws_s3_bucket_website_configuration" "site" {
  for_each = aws_s3_bucket.static-content
  bucket = each.value.bucket
  index_document {
    suffix = "index.html"
  }
  error_document {
    key = "404.html"
  }
 }
 # Set block public access to false
 resource "aws_s3_bucket_public_access_block" "site" {
  for_each = aws_s3_bucket.static-content
  bucket = each.value.bucket
  block_public_acls   = false
  block_public_policy = false
  ignore_public_acls  = false
  restrict_public_buckets = false
 }
 # Set a policy on the bucket to allow reads from anywhere
 resource "aws_s3_bucket_policy" "site" {
  for_each = aws_s3_bucket.static-content
  bucket = each.value.bucket
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid = "PublicReadGetObject"
        Effect = "Allow"
        Principal = "*"
        Action = "s3:GetObject"
        Resource = [
          "arn:aws:s3:::${each.value.bucket}",
          "arn:aws:s3:::${each.value.bucket}/*",
        ]
      }
    ]
  })
 }