adds terraform and github pipeline

.github/workflows/github-pipeline.yml

@@ -0,0 +1,59 @@
+name: Deploy Frontend
+
+on:
+  push:
+    branches:
+      - develop
+      - main
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        include:
+          - branch: develop
+            environment: dev
+            bucket: catbytes-frontend-app-dev
+            distribution: E3R0HUJOSQPR1E
+            build_mode: development
+          - branch: main
+            environment: prod
+            bucket: catbytes-frontend-app-prod
+            distribution: PROD_DISTRIBUTION_ID_HERE
+            build_mode: production
+
+    if: github.ref_name == matrix.branch
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build Vite app
+        run: npm run build -- --mode ${{ matrix.build_mode }}
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Upload to S3
+        run: |
+          aws s3 sync dist/ s3://${{ matrix.bucket }} --delete
+
+      - name: Invalidate CloudFront
+        run: |
+          aws cloudfront create-invalidation \
+            --distribution-id ${{ matrix.distribution }} \
+            --paths "/*"

.gitignore

@@ -13,6 +13,7 @@ dist-ssr
 *.local
 *.env
 .env
+.env.*
 
 .vite/
 
@@ -27,4 +28,16 @@ dist-ssr
 *.sln
 *.sw?
 .vite
-*.tsbuildinfo
+*.tsbuildinfo
+
+# Terraform
+**/.terraform/*
+**/.terraform.lock.hcl
+**/terraform.tfstate
+**/terraform.tfstate.*
+**/.terraform.tfstate.lock.info
+**/crash.log
+
+# Sensitive variables
+**/terraform.tfvars
+**/*.auto.tfvars

infrastructure/dev/backend.tf

@@ -0,0 +1,9 @@
+terraform {
+  backend "s3" {
+    bucket         = "catbytes-terraform-state-463470984434"
+    key            = "dev/terraform.tfstate"
+    region         = "eu-west-2"
+    dynamodb_table = "catbytes-terraform-locks"
+    encrypt        = true
+  }
+}

infrastructure/dev/main.tf

@@ -0,0 +1,126 @@
+resource "aws_s3_bucket" "frontend" {
+    bucket = "catbytes-frontend-app-dev"
+
+    tags = {
+        Environment = "dev"
+        Project = "catbytes"
+    }
+}
+
+resource "aws_s3_bucket_public_access_block" "frontend" {
+    bucket = aws_s3_bucket.frontend.id
+
+    block_public_acls           = true
+    block_public_policy         = true
+    ignore_public_acls          = true
+    restrict_public_buckets     = true
+}
+
+resource "aws_s3_bucket_versioning" "frontend" {
+  bucket = aws_s3_bucket.frontend.id
+
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "frontend" {
+  bucket = aws_s3_bucket.frontend.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
+
+resource "aws_cloudfront_origin_access_control" "frontend" {
+  name                              = "catbytes-dev-oac"
+  description                       = "OAC for dev frontend"
+  origin_access_control_origin_type = "s3"
+  signing_behavior                  = "always"
+  signing_protocol                  = "sigv4"
+}
+
+resource "aws_cloudfront_distribution" "frontend" {
+  aliases = ["app.dev.catbytes.io"]
+  enabled             = true
+  default_root_object = "index.html"
+
+  origin {
+    domain_name              = aws_s3_bucket.frontend.bucket_regional_domain_name
+    origin_id                = "s3-frontend"
+    origin_access_control_id = aws_cloudfront_origin_access_control.frontend.id
+  }
+
+  default_cache_behavior {
+    target_origin_id       = "s3-frontend"
+    viewer_protocol_policy = "redirect-to-https"
+
+    allowed_methods = ["GET", "HEAD"]
+    cached_methods  = ["GET", "HEAD"]
+
+    forwarded_values {
+      query_string = false
+      cookies {
+        forward = "none"
+      }
+    }
+  }
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  viewer_certificate {
+    acm_certificate_arn            = aws_acm_certificate.dev_cert.arn
+    ssl_support_method             = "sni-only"
+    minimum_protocol_version       = "TLSv1.2_2021"
+  }
+  custom_error_response {
+    error_code         = 403
+    response_code      = 200
+    response_page_path = "/index.html"
+  }
+
+  custom_error_response {
+    error_code         = 404
+    response_code      = 200
+    response_page_path = "/index.html"
+  }
+}
+
+resource "aws_s3_bucket_policy" "frontend" {
+  bucket = aws_s3_bucket.frontend.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "cloudfront.amazonaws.com"
+        }
+        Action   = "s3:GetObject"
+        Resource = "${aws_s3_bucket.frontend.arn}/*"
+        Condition = {
+          StringEquals = {
+            "AWS:SourceArn" = aws_cloudfront_distribution.frontend.arn
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_acm_certificate" "dev_cert" {
+  provider          = aws.us_east_1
+  domain_name       = "app.dev.catbytes.io"
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}

infrastructure/dev/outputs.tf

@@ -0,0 +1,3 @@
+output "cloudfront_domain_name" {
+  value = aws_cloudfront_distribution.frontend.domain_name
+}

infrastructure/dev/providers.tf

@@ -0,0 +1,10 @@
+provider "aws" {
+  region  = "eu-west-2"
+  profile = "terraform-catbytes-dev"
+}
+
+provider "aws" {
+  alias   = "us_east_1"
+  region  = "us-east-1"
+  profile = "terraform-catbytes-dev"
+}