hugo-deploy's People

Contributors

nathany

hugo-deploy's Issues

End-to-end encryption

Right now I'm using CloudFlare with Flexible SSL. I would like to do better, especially if I ever have any user forms on a site.

Flexible SSL: There is an encrypted connection between your website visitors and CloudFlare, but not from CloudFlare to your server.

S3 supports HTTPS, but only for subdomains without dots in them (e.g. hugo-deploy but not nathany.com).

However, S3's static website hosting doesn't appear to support HTTPS.

https://hugo-deploy.s3.amazonaws.com/index.html works
https://hugo-deploy.s3-website-us-east-1.amazonaws.com doesn't resolve

Document how to configure it

It's unclear from the README where you configure the s3 bucket and AWS credentials. I assume it's via the CircleCI UI, but it would be nice to be explicit!

IAM User role for Github Actions

I stumbled across this repo and found it very useful, thank you for making this available. I do have one comment. I work a lot around AWS and I can see that when you run the hugo deploy it is using AWS credentials of a specific user. I do not know what user you are using in your example, so forgive my assumptions; however, it's always best to follow the principle of least privilege. This is why I have created a github-build user in my AWS account with its credentials provided as secrets for my GitHub action build pipeline.

I thought you might want to know the inline policies I have for that github-build user in order to deploy the website under the least privilege rule. The below policies contain action permissions for what is required as a minimum to deploy the site and invalidate its caches in the CloudFront distribution. This restricts the github-build user to ONLY the permissions it needs to do the build. You could add this to this repo for anyone who is interested in setting up a github-build user in order to follow security best practices, as I know many people will just give the standard admin access keys to GitHub, which is definitely not recommended.

Let me know what you think, I thought it would be handy to share as it took me a few hours to figure out what permissions it needed as a minimum as the hugo deploy code doesn't use the standard aws-sdk-go for all of its interactions with AWS which makes it hard to reverse engineer the permissions needed. :)

Here are the inline policy action permissions:
CloudFront (for cache invalidations - ignore if you do not use)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "cloudfront:CreateInvalidation",
            "Resource": "[MY CLOUDFRONT DISTRIBUTION]"
        }
    ]
}

S3 (upload site to S3)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutBucketPolicy",
                "s3:ListBucket",
                "s3:GetBucketPolicy"
            ],
            "Resource": [BUCKET RESOURCES]
        }
    ]
}

Ideally, you could just put the above json in one policy named GithubActionsPolicy that will contain all the permissions it needs and then just attach it to the github-build user :). That's what I will end up doing.

If you don't find this useful, feel free to close the issue, otherwise, I think it would be cool and handy for others to include. For the AWS example obviously :)
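A small least-privilege check for the kind of policy discussed in this issue, added here as an example (not code from hugo-deploy or from the issue's author): it parses an IAM policy document and flags wildcard actions, wildcard resources and any action outside the minimum set the issue lists. Both sample policies, their Sids and their ARNs are constructed placeholders.

```python
"""Least-privilege check for an IAM policy document (added example, constructed data)."""
import json

# Minimum action set for uploading the site and invalidating CloudFront, as listed in the issue.
REQUIRED_ACTIONS = {
    "s3:PutObject", "s3:PutBucketPolicy", "s3:ListBucket", "s3:GetBucketPolicy",
    "cloudfront:CreateInvalidation",
}

def _as_list(value):
    """IAM accepts a single string or a list in Statement/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_policy(policy_json):
    """Return a list of findings for a policy JSON string; an empty list means no excess grants."""
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access, so they are not inspected here
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:  # catches "*", "s3:*" and "s3:Put*"
                findings.append(f"{sid}: wildcard action {action!r}")
            elif action not in REQUIRED_ACTIONS:
                findings.append(f"{sid}: action {action!r} is not needed by the deploy")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"{sid}: Resource '*' covers every bucket and distribution")
    return findings

# Constructed: the "just hand GitHub admin keys" anti-pattern the issue warns against.
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed: the issue's two inline policies merged into one document, with placeholder ARNs.
DEPLOY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Invalidate", "Effect": "Allow", "Action": "cloudfront:CreateInvalidation",
         "Resource": "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"},
        {"Sid": "Upload", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:PutBucketPolicy", "s3:ListBucket", "s3:GetBucketPolicy"],
         "Resource": ["arn:aws:s3:::example-site-bucket", "arn:aws:s3:::example-site-bucket/*"]},
    ],
})

if __name__ == "__main__":
    for name, doc in (("admin", ADMIN_POLICY), ("deploy", DEPLOY_POLICY)):
        print(name, check_policy(doc) or ["OK: no excess permissions"])
```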
