diff --git a/.github/workflows/deploy-demo.yml b/.github/workflows/deploy-demo.yml
index d4a2424..ead15b8 100644
--- a/.github/workflows/deploy-demo.yml
+++ b/.github/workflows/deploy-demo.yml
@@ -9,6 +9,7 @@ on:
 jobs:
   format-and-test:
     runs-on: ubuntu-latest
+    environment: Production
     permissions:
       contents: 'read'
       actions: 'read'
@@ -33,6 +34,7 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     needs: format-and-test
+    environment: Production
     permissions:
       contents: 'read'
       actions: 'read'
@@ -60,9 +62,15 @@ jobs:
       - name: Setup production env file
         if: github.ref == 'refs/heads/develop'
         env:
-          CERTIFICATE_ARN: ${{ secrets.SIWT_XYZ_SSL_CERTIFICATE_ARN }}
           ENV: production
+          CERTIFICATE_ARN: ${{ secrets.SIWT_XYZ_SSL_CERTIFICATE_ARN }}
           CLOUDFRONT_DISTRIBUTION_ID: ${{ secrets.SIWT_XYZ_DISTRIBUTION_ID }}
+          NEXT_PUBLIC_DAPP_URL: ${{ vars.SIWT_XYZ_DAPP_URL }}
+          NEXT_PUBLIC_NEXT_AUTH_CLIENT_ID: ${{ vars.NEXT_PUBLIC_NEXT_AUTH_CLIENT_ID }}
+          NEXT_AUTH_CLIENT_SECRET: ${{ secrets.NEXT_AUTH_CLIENT_SECRET }}
+          NEXT_AUTH_OIDC_PUBLIC_URL: ${{ vars.NEXT_AUTH_OIDC_PUBLIC_URL }}
+          NEXTAUTH_URL: ${{ vars.NEXTAUTH_URL }}
+          NEXTAUTH_SECRET: ${{ secrets.KuS08kEIMZ68PSo3 }}
         run: |
           touch .env
           echo SSL_CERTIFICATE_ARN=$CERTIFICATE_ARN >> .env
diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
index 4a2b83e..44e61ae 100644
--- a/.github/workflows/deploy-docs.yml
+++ b/.github/workflows/deploy-docs.yml
@@ -14,6 +14,7 @@ env:
 jobs:
   format-and-test:
     runs-on: ubuntu-latest
+    environment: Production
     permissions:
       contents: 'read'
       actions: 'read'
@@ -39,6 +40,7 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     needs: format-and-test
+    environment: Production
     permissions:
       contents: 'read'
       actions: 'read'
diff --git a/packages/docs.siwt.xyz/cdk.json b/packages/docs.siwt.xyz/cdk.json
new file mode 100644
index 0000000..0e192a4
--- /dev/null
+++ b/packages/docs.siwt.xyz/cdk.json
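Review bot: Adding `environment: Production` to the `format-and-test` job grants a lint/test job access to the Production environment's secrets and variables, which nothing visible in the hunk needs, and if that environment carries required reviewers or a deployment-branch rule every run will now wait for approval twice (here and again in `deploy`). Unless a later step in this job reads Production-scoped `secrets.`/`vars.`, keep the environment on `deploy` only and drop the line here; the `permissions` block (contents/actions read) shows the job is otherwise already least-privilege. The job definition continues past the hunk, so I cannot confirm whether such a step exists.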
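Review bot: `NEXTAUTH_SECRET: ${{ secrets.KuS08kEIMZ68PSo3 }}` references a secret by an opaque random name, which reads like a value pasted where a name belongs; confirm that string is only the secret's *name* and was never the secret itself, and rotate it if it was, because it is now in git history. Rename it to something auditable, e.g. `NEXTAUTH_SECRET: ${{ secrets.NEXTAUTH_SECRET }}`, so the mapping from env var to stored secret is obvious. The `run: |` script continues beyond the hunk, so I cannot see whether `NEXT_AUTH_CLIENT_SECRET` and `NEXTAUTH_SECRET` are echoed into `.env`; if they are, make sure that file is consumed only by the server-side build and is neither uploaded as a workflow artifact nor synced to the public bucket. Note also that this step is named "Setup production env file" but gated on `github.ref == 'refs/heads/develop'`; that condition pre-dates the change, but it is worth a comment explaining that `develop` is the production branch if that is intentional.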
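Review bot: In deploy-docs.yml the `format-and-test` job likewise gains `environment: Production` although it only formats and tests; that exposes the Production environment's secrets to a job that should not need them and doubles any approval gate. Prefer `environment: Production` on `deploy` alone (the second hunk already adds it there) and remove it from this job unless a test step demonstrably reads an environment secret. The rest of the job is outside the hunk, so this is a request to verify rather than a certainty.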
@@ -0,0 +1,32 @@
+{
+  "app": "npx ts-node cdk/bin/cdk.ts",
+  "output": "../../dist/packages/docs.siwt.xyz/cdk",
+  "requireApproval": "never",
+  "watch": {
+    "include": ["**"],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package*.json",
+      "yarn.lock",
+      "node_modules",
+      "test"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
+    "@aws-cdk/core:stackRelativeExports": true,
+    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
+    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
+    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:target-partitions": ["aws", "aws-cn"],
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false
+  }
+}
diff --git a/packages/docs.siwt.xyz/cdk/bin/cdk.ts b/packages/docs.siwt.xyz/cdk/bin/cdk.ts
new file mode 100644
index 0000000..2fd9062
--- /dev/null
+++ b/packages/docs.siwt.xyz/cdk/bin/cdk.ts
@@ -0,0 +1,12 @@
+import { App } from 'aws-cdk-lib'
+
+import { AppStack } from '../lib/stack'
+
+const environment = process.env.ENV || 'staging'
+
+const app = new App()
+new AppStack(app, `docs-siwt-xyz-${environment}`, {
+  env: {
+    region: 'eu-central-1',
+  },
+})
diff --git a/packages/docs.siwt.xyz/cdk/lib/stack.ts b/packages/docs.siwt.xyz/cdk/lib/stack.ts
new file mode 100644
index 0000000..d7e755f
--- /dev/null
+++ b/packages/docs.siwt.xyz/cdk/lib/stack.ts
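Review bot: `"requireApproval": "never"` is the right setting for a non-interactive CI deploy, but it also means IAM and security-affecting template changes (for example the bucket policy produced by the OAI grant in lib/stack.ts) are applied with no interactive confirmation, so the only human checkpoint left is the pull request. Make a `cdk diff` step part of the PR workflow so those changes are still reviewed before merge. JSON cannot carry a comment, so record that expectation in the package README next to the deploy instructions; the remaining context flags (`defaultSecurityPolicyTLSv1.2_2021`, `minimizePolicies`, `checkSecretUsage`) are the secure defaults and look fine.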
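Review bot: `process.env.ENV || 'staging'` accepts any string, so a typo such as `ENV=prod` silently synthesises and deploys a third stack named `docs-siwt-xyz-prod` instead of failing, and the same lookup is repeated in lib/stack.ts, so the two copies can drift. Validate the value against the environments the workflows actually use (`production` is what deploy-demo.yml sets; `staging` is the default) and fail fast, then consider passing it into `AppStack` as a prop rather than re-reading the environment there.
```typescript
const allowedEnvironments = ['staging', 'production']
const environment = process.env.ENV ?? 'staging'
// Fail at synth time instead of creating a stray stack from a mistyped ENV.
if (!allowedEnvironments.includes(environment)) {
  throw new Error(`ENV must be one of ${allowedEnvironments.join(', ')}, got "${environment}"`)
}
// … unchanged: App / AppStack construction …
```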
@@ -0,0 +1,64 @@
+import {
+  aws_certificatemanager as ACM,
+  App,
+  aws_cloudfront as Cloudfront,
+  aws_cloudfront_origins as CloudfrontOrigins,
+  Duration,
+  RemovalPolicy,
+  aws_s3 as S3,
+  aws_s3_deployment as S3Deployment,
+  Stack,
+  StackProps,
+} from 'aws-cdk-lib'
+
+const environment = process.env.ENV || 'staging'
+
+export class AppStack extends Stack {
+  constructor(scope: App, id: string, props?: StackProps) {
+    super(scope, id, props)
+
+    const bucket = new S3.Bucket(this, `docs-siwt-xyz-ui-bucket-${environment}`, {
+      blockPublicAccess: S3.BlockPublicAccess.BLOCK_ALL,
+      removalPolicy: RemovalPolicy.DESTROY,
+    })
+
+    new S3Deployment.BucketDeployment(this, `docs-siwt-xyz-ui-bucket-deployment-${environment}`, {
+      sources: [S3Deployment.Source.asset('../../dist/packages/docs.siwt.xyz', { exclude: ['cdk/**/*'] })],
+      destinationBucket: bucket,
+    })
+
+    const originAccessIdentity = new Cloudfront.OriginAccessIdentity(this, `docs-siwt-xyz-ui-oai-${environment}`)
+    bucket.grantRead(originAccessIdentity)
+
+    const certificate = ACM.Certificate.fromCertificateArn(
+      this,
+      `siwt-xyz-certificate-${environment}`,
+      process.env.SSL_CERTIFICATE_ARN || '',
+    )
+
+    let distributionConfig: Cloudfront.DistributionProps = {
+      defaultRootObject: 'index.html',
+      defaultBehavior: {
+        origin: new CloudfrontOrigins.S3Origin(bucket, {
+          originAccessIdentity: originAccessIdentity,
+        }),
+        compress: true,
+        allowedMethods: Cloudfront.AllowedMethods.ALLOW_GET_HEAD_OPTIONS,
+        viewerProtocolPolicy: Cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+        cachePolicy: Cloudfront.CachePolicy.CACHING_OPTIMIZED,
+        edgeLambdas: [],
+      },
+      errorResponses: [
+        {
+          httpStatus: 404,
+          responsePagePath: '/404.html',
+          ttl: Duration.seconds(10),
+        },
+      ],
+      domainNames: ['docs.siwt.xyz'],
+      certificate,
+    }
+
+    new Cloudfront.Distribution(this, `siwt-xyz-ui-distribution-${environment}`, distributionConfig)
+  }
+}
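Review bot: `process.env.SSL_CERTIFICATE_ARN || ''` feeds an empty string to `Certificate.fromCertificateArn`, so a missing variable yields a template with a bogus certificate reference that fails late in CloudFormation rather than immediately at synth; check the variable and throw with a clear message. Separately, `domainNames: ['docs.siwt.xyz']` is fixed while every construct ID is suffixed with `${environment}`, so a `staging` deployment would try to claim the same alias as production and CloudFront rejects a CNAME that already belongs to another distribution — derive the host name from the environment or take it as an input rather than hard-coding it. The distribution also sets no `responseHeadersPolicy`; the managed `Cloudfront.ResponseHeadersPolicy.SECURITY_HEADERS` adds HSTS, X-Content-Type-Options, X-Frame-Options and related headers for free, and `distributionConfig` is never reassigned so it should be `const`. `OriginAccessIdentity` with `S3Origin` is the older S3 access pattern; depending on the aws-cdk-lib version pinned in the package (not visible here), origin access control may be available and preferable — verify.
```typescript
    const certificateArn = process.env.SSL_CERTIFICATE_ARN
    // Fail at synth time: an empty ARN would only surface as a CloudFormation error.
    if (!certificateArn) {
      throw new Error('SSL_CERTIFICATE_ARN must be set to the ACM certificate ARN for the distribution')
    }
    const certificate = ACM.Certificate.fromCertificateArn(this, `siwt-xyz-certificate-${environment}`, certificateArn)

    const distributionConfig: Cloudfront.DistributionProps = {
      defaultRootObject: 'index.html',
      defaultBehavior: {
        // … unchanged: S3Origin, compress, allowedMethods, viewerProtocolPolicy, cachePolicy …
        // Managed policy: HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, XSS protection.
        responseHeadersPolicy: Cloudfront.ResponseHeadersPolicy.SECURITY_HEADERS,
      },
      // … unchanged: errorResponses, domainNames, certificate …
    }
```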