- Complete CloudFront distribution setup with origin.servidor.it.com - WAF v2 integration for security protection - S3 backend for Terraform state management - CloudFront logging to S3 - HTTP-only origin protocol configuration (resolves 504 Gateway Timeout) - Comprehensive documentation with deployment guide 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
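#!/usr/bin/env bash
# Setup script for S3 backend and CloudFront logging
#
# Creates, idempotently, the resources the Terraform/OpenTofu backend and
# CloudFront standard logging need:
#   - an S3 bucket for Terraform state (versioned, SSE-S3 encrypted,
#     all public access blocked)
#   - an S3 bucket for CloudFront access logs (writable by the S3 LogDelivery
#     group, SSE-S3 encrypted, all public access blocked, 90-day expiry)
#   - a DynamoDB table used by the backend for state locking
#
# Every hardening step must succeed: the script aborts on the first failure
# instead of printing "setup complete" over a state bucket that may have been
# left unencrypted or publicly reachable.
#
# Requires: the aws CLI with credentials for the account in AWS_ACCOUNT_ID.
# Usage:    ./setup-backend.sh   (no arguments)

set -euo pipefail

readonly AWS_REGION="us-east-1"
readonly AWS_ACCOUNT_ID="535294143817"
readonly STATE_BUCKET="aws-cf-terraform-state-${AWS_ACCOUNT_ID}"
readonly LOGS_BUCKET="aws-cf-cloudfront-logs-${AWS_ACCOUNT_ID}"
readonly DYNAMODB_TABLE="terraform-state-lock"

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a progress message to stdout.
# Arguments: $* - message
#######################################
log() {
  printf '%s\n' "$*"
}

#######################################
# Abort unless the active credentials belong to AWS_ACCOUNT_ID.
# The bucket names embed the account id, so running this against the wrong
# credentials would silently create the backend in another account.
# Globals:   AWS_ACCOUNT_ID (read)
#######################################
check_account() {
  local caller
  caller=$(aws sts get-caller-identity --query Account --output text) \
    || die "cannot determine caller identity (are AWS credentials configured?)"
  [[ "$caller" == "$AWS_ACCOUNT_ID" ]] \
    || die "credentials belong to account ${caller}, expected ${AWS_ACCOUNT_ID}"
}

#######################################
# Create an S3 bucket unless it already exists in this account.
# head-bucket separates "already there" from a real create failure (denied
# permissions, name taken by another account), which a blanket
# `2>/dev/null || echo` would have reported as "already exists".
# Globals:   AWS_REGION (read)
# Arguments: $1 - bucket name
#######################################
create_bucket() {
  local bucket=$1
  if aws s3api head-bucket --bucket "$bucket" 2>/dev/null; then
    log "Bucket already exists: ${bucket}"
    return 0
  fi
  local -a args=(--bucket "$bucket" --region "$AWS_REGION")
  # us-east-1 rejects a LocationConstraint; every other region requires one.
  if [[ "$AWS_REGION" != "us-east-1" ]]; then
    args+=(--create-bucket-configuration "LocationConstraint=${AWS_REGION}")
  fi
  aws s3api create-bucket "${args[@]}" >/dev/null \
    || die "failed to create bucket ${bucket}"
}

#######################################
# Default every new object in a bucket to SSE-S3 (AES256) encryption at rest.
# Arguments: $1 - bucket name
#######################################
enable_default_encryption() {
  local bucket=$1
  aws s3api put-bucket-encryption \
    --bucket "$bucket" \
    --server-side-encryption-configuration '{
  "Rules": [
    {
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"
      }
    }
  ]
}'
}

#######################################
# Deny all public access to a bucket, via both ACLs and bucket policies.
# Arguments: $1 - bucket name
#######################################
block_public_access() {
  local bucket=$1
  aws s3api put-public-access-block \
    --bucket "$bucket" \
    --public-access-block-configuration \
    "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
}

#######################################
# Create and harden the Terraform state bucket.
# Globals:   STATE_BUCKET (read)
#######################################
setup_state_bucket() {
  log "Creating S3 bucket for Terraform state: ${STATE_BUCKET}"
  create_bucket "$STATE_BUCKET"

  log "Enabling versioning on state bucket..."
  # Versioning lets a corrupted or accidentally overwritten state be recovered.
  aws s3api put-bucket-versioning \
    --bucket "$STATE_BUCKET" \
    --versioning-configuration Status=Enabled

  log "Enabling encryption on state bucket..."
  enable_default_encryption "$STATE_BUCKET"

  log "Blocking public access on state bucket..."
  block_public_access "$STATE_BUCKET"
}

#######################################
# Create and harden the CloudFront access-log bucket.
# Globals:   LOGS_BUCKET (read)
#######################################
setup_logs_bucket() {
  log "Creating S3 bucket for CloudFront logs: ${LOGS_BUCKET}"
  create_bucket "$LOGS_BUCKET"

  log "Enabling ACLs on logs bucket (required for CloudFront standard logging)..."
  # New buckets default to ObjectOwnership=BucketOwnerEnforced, which disables
  # ACLs and makes the put-bucket-acl below fail. CloudFront standard logging
  # delivers through the LogDelivery group ACL, so ACLs must be enabled first.
  aws s3api put-bucket-ownership-controls \
    --bucket "$LOGS_BUCKET" \
    --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerPreferred}]'

  log "Setting ACL for CloudFront logs bucket..."
  aws s3api put-bucket-acl \
    --bucket "$LOGS_BUCKET" \
    --grant-write 'URI="http://acs.amazonaws.com/groups/s3/LogDelivery"' \
    --grant-read-acp 'URI="http://acs.amazonaws.com/groups/s3/LogDelivery"'

  log "Enabling encryption on logs bucket..."
  enable_default_encryption "$LOGS_BUCKET"

  log "Blocking public access on logs bucket..."
  # Access logs record client IPs, request URIs and query strings. The
  # LogDelivery grant above is not a public grant (only AllUsers and
  # AuthenticatedUsers count as public), so it is unaffected by this block.
  block_public_access "$LOGS_BUCKET"

  log "Adding lifecycle policy to logs bucket..."
  # Expire logs after 90 days; the noncurrent-version rule only matters if
  # versioning is ever turned on for this bucket.
  aws s3api put-bucket-lifecycle-configuration \
    --bucket "$LOGS_BUCKET" \
    --lifecycle-configuration '{
  "Rules": [
    {
      "Id": "DeleteOldLogs",
      "Status": "Enabled",
      "Expiration": {
        "Days": 90
      },
      "NoncurrentVersionExpiration": {
        "NoncurrentDays": 30
      }
    }
  ]
}'
}

#######################################
# Create the DynamoDB table used for Terraform state locking, if missing,
# and wait until it is ACTIVE so the first `init -migrate-state` can lock.
# Globals:   DYNAMODB_TABLE, AWS_REGION (read)
#######################################
setup_lock_table() {
  log "Creating DynamoDB table for state locking: ${DYNAMODB_TABLE}"
  if aws dynamodb describe-table --table-name "$DYNAMODB_TABLE" \
       --region "$AWS_REGION" >/dev/null 2>&1; then
    log "DynamoDB table already exists: ${DYNAMODB_TABLE}"
    return 0
  fi
  aws dynamodb create-table \
    --table-name "$DYNAMODB_TABLE" \
    --attribute-definitions AttributeName=LockID,AttributeType=S \
    --key-schema AttributeName=LockID,KeyType=HASH \
    --provisioned-throughput ReadCapacityUnits=1,WriteCapacityUnits=1 \
    --region "$AWS_REGION" >/dev/null \
    || die "failed to create DynamoDB table ${DYNAMODB_TABLE}"
  aws dynamodb wait table-exists \
    --table-name "$DYNAMODB_TABLE" \
    --region "$AWS_REGION"
}

main() {
  log "Setting up S3 backend and CloudFront logging infrastructure..."

  check_account
  setup_state_bucket
  setup_logs_bucket
  setup_lock_table

  log ""
  log "✅ Backend setup complete!"
  log ""
  log "📦 S3 State Bucket: ${STATE_BUCKET}"
  log "📊 S3 Logs Bucket: ${LOGS_BUCKET}"
  log "🔒 DynamoDB Table: ${DYNAMODB_TABLE}"
  log ""
  log "Next steps:"
  log "1. Run: tofu init -migrate-state"
  log "2. Run: tofu apply to update CloudFront with logging"
}

main "$@"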