Merge pull request #20 from chris-qa-org/cloudfront-invalidation-on-publii-push

Stretch96 · web-flow · commit 02cc39b61dde · 2022-04-15T17:40:23.000+01:00
CloudFront invalidation on Publii push
diff --git a/.gitignore b/.gitignore
@@ -27,3 +27,6 @@ override.tf.json
 
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
+
+# tfsec
+.tfsec
diff --git a/README.md b/README.md
@@ -35,6 +35,7 @@ Terraform module to host a static site generated by Publii
 | [aws_kms_key.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_kms_key.s3_bucket_frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_kms_key.s3_bucket_frontend_www_redirect](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_lambda_permission.cloudfront_invalidation_frontend_alllow_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_s3_bucket.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.frontend_www_redirect](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
@@ -43,6 +44,7 @@ Terraform module to host a static site generated by Publii
 | [aws_s3_bucket_acl.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_logging.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
 | [aws_s3_bucket_logging.frontend_www_redirect](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
+| [aws_s3_bucket_notification.frontend_cloudfront_invalidation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |
 | [aws_s3_bucket_policy.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_policy.frontend_www_redirect](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_policy.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
@@ -66,6 +68,7 @@ Terraform module to host a static site generated by Publii
 | [template_file.frontend_www_redirect_bucket_cloudfront_read](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 | [template_file.frontend_www_redirect_bucket_enforce_tls_statement](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 | [template_file.frontend_www_redirect_bucket_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
+| [template_file.lambda_cloudfront_invalidation_frontend_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 | [template_file.logs_bucket_enforce_tls_statement](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 | [template_file.logs_bucket_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 | [template_file.publii_s3_frontend_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
diff --git a/lambda-cloudfront-invalidation-frontend.tf b/lambda-cloudfront-invalidation-frontend.tf
@@ -0,0 +1,42 @@
+data "template_file" "lambda_cloudfront_invalidation_frontend_policy" {
+  template = file("${path.module}/policies/cloudfront-invalidation.json.tpl")
+
+  vars = {
+    cloudfront_arn = aws_cloudfront_distribution.frontend.arn
+  }
+}
+
+module "lambda_cloudfront_invalidation_frontend" {
+  source = "github.com/claranet/terraform-aws-lambda?ref=v1.4.0"
+
+  function_name = "${local.project_name}-cloudfront-invalidation-frontend"
+  description   = "${local.project_name} CloudFront invalidation frontend"
+  handler       = "function.lambda_handler"
+  runtime       = "python3.9"
+  timeout       = 900
+  memory_size   = 128
+
+  source_path = "${path.module}/lambdas/cloudfront-invalidation/function.py"
+
+  policy = {
+    json = data.template_file.lambda_cloudfront_invalidation_frontend_policy.rendered
+  }
+
+  tracing_config = {
+    mode = "Active"
+  }
+
+  environment = {
+    variables = {
+      cloudFrontDistributionId = aws_cloudfront_distribution.frontend.id
+    }
+  }
+}
+
+resource "aws_lambda_permission" "cloudfront_invalidation_frontend_alllow_s3" {
+  statement_id  = "AllowExecutionFromS3Bucket"
+  action        = "lambda:InvokeFunction"
+  function_name = module.lambda_cloudfront_invalidation_frontend.function_name
+  principal     = "s3.amazonaws.com"
+  source_arn    = aws_s3_bucket.frontend.arn
+}
diff --git a/lambdas/cloudfront-invalidation/function.py b/lambdas/cloudfront-invalidation/function.py
@@ -0,0 +1,20 @@
+import boto3
+import time
+import os
+import json
+
+def lambda_handler(event, context):
+    client = boto3.client('cloudfront')
+    response = client.create_invalidation(
+        DistributionId=os.environ['cloudFrontDistributionId'],
+        InvalidationBatch={
+          'Paths': {
+            'Quantity': 1,
+            'Items': [
+              '/*',
+            ]
+          },
+          'CallerReference': str(time.time())
+        },
+    )
+    return json.dumps(response, default=str)
diff --git a/policies/cloudfront-invalidation.json.tpl b/policies/cloudfront-invalidation.json.tpl
@@ -0,0 +1,10 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "cloudfront:CreateInvalidation",
+      "Effect": "Allow",
+      "Resource": "${cloudfront_arn}"
+    }
+  ]
+}
diff --git a/s3-frontend.tf b/s3-frontend.tf
@@ -105,3 +105,15 @@ resource "aws_s3_bucket_policy" "frontend" {
   bucket = aws_s3_bucket.frontend.id
   policy = data.template_file.frontend_bucket_policy.rendered
 }
+
+resource "aws_s3_bucket_notification" "frontend_cloudfront_invalidation" {
+  bucket = aws_s3_bucket.frontend.id
+
+  lambda_function {
+    lambda_function_arn = module.lambda_cloudfront_invalidation_frontend.function_arn
+    events              = ["s3:ObjectCreated:*"]
+    filter_prefix       = "files.publii.json"
+  }
+
+  depends_on = [aws_lambda_permission.cloudfront_invalidation_frontend_alllow_s3]
+}
