nathany / hugo-deploy
Example deployment to S3 for Hugo blogs.
Home Page: http://hugo-deploy-example.s3-website.ca-central-1.amazonaws.com/
License: BSD 2-Clause "Simplified" License
Right now I'm using CloudFlare with Flexible SSL. I would like to do better, especially if I ever have any user forms on a site.
Flexible SSL: There is an encrypted connection between your website visitors and CloudFlare, but not from CloudFlare to your server.
S3 supports HTTPS, but only for subdomains without dots in them (e.g. hugo-deploy but not nathany.com).
However, S3's static website hosting doesn't appear to support HTTPS.
https://hugo-deploy.s3.amazonaws.com/index.html works
https://hugo-deploy.s3-website-us-east-1.amazonaws.com doesn't resolve
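The dot restriction above follows from how TLS wildcard certificates are matched: a `*` in a certificate name covers exactly one DNS label, so a bucket name containing a dot produces a hostname with too many labels. The following is an added example (not code from the hugo-deploy repo or the issue) that implements that one-label match and picks a URL form the certificate covers. It assumes the virtual-hosted S3 endpoint presents a certificate for `*.s3.amazonaws.com`, and it uses path-style URLs (bucket in the path, hostname `s3.amazonaws.com`) as the fallback for dotted names; whether the global endpoint serves a given bucket depends on its region, so treat the fallback host as an assumption too.

```python
"""Why S3's HTTPS only works for bucket names without dots.

Added example, not part of hugo-deploy. Assumption: the virtual-hosted S3
endpoint's certificate carries the single-label wildcard *.s3.amazonaws.com.
"""

S3_WILDCARD = "*.s3.amazonaws.com"  # assumed SAN on the S3 certificate
PATH_STYLE_HOST = "s3.amazonaws.com"  # assumed fallback host for path-style URLs


def wildcard_matches(pattern, hostname):
    """RFC 6125-style match: a '*' label covers exactly one DNS label.

    Both names are compared label by label, so a hostname with more labels
    than the pattern (e.g. one produced by a bucket name with a dot) fails.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def virtual_hosted_host(bucket):
    """Hostname S3 uses for virtual-hosted-style access to a bucket."""
    return f"{bucket}.s3.amazonaws.com"


def https_url(bucket, key="index.html"):
    """Return an HTTPS URL whose hostname the assumed S3 certificate covers.

    Virtual-hosted style when the bucket name has no dots; otherwise the
    bucket goes into the path so the hostname stays a single covered name.
    """
    host = virtual_hosted_host(bucket)
    if wildcard_matches(S3_WILDCARD, host):
        return f"https://{host}/{key}"
    return f"https://{PATH_STYLE_HOST}/{bucket}/{key}"


if __name__ == "__main__":
    for name in ("hugo-deploy", "nathany.com"):
        host = virtual_hosted_host(name)
        print(f"{host}: covered by {S3_WILDCARD}? {wildcard_matches(S3_WILDCARD, host)}")
        print(f"  -> {https_url(name)}")
```

Note that neither form helps with the `s3-website-*` endpoint, which (as the issue says) does not serve HTTPS at all; the usual answer for a custom domain with a dot in it is a CDN or CloudFront distribution in front of the bucket.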
I've mentioned my approach on this issue: gohugoio/hugo#1543 (comment)
This repo just contains files to include with "hugo new", whereas s3up could be a hugo deploy command that runs from CI or a local machine.
The challenge is that everyone has different preferences for preprocessors, CI providers, and deployment locations.
It's unclear from the README where you configure the s3 bucket and AWS credentials. I assume it's via the CircleCI UI, but it would be nice to be explicit!
I stumbled across this repo and found it very useful, thank you for making this available. I do have one comment. I work a lot around AWS and I can see that when you run `hugo deploy` it is using AWS credentials of a specific user. I do not know what user you are using in your example so forgive my assumptions, however it's always best to follow the principle of least privilege. This is why I have created a `github-build` user in my AWS account with its credentials provided as secrets for my GitHub Actions build pipeline.

I thought you might want to know the inline policies I have for that `github-build` user in order to deploy the website under the least privilege rule. The below policies contain action permissions for what is required as a minimum to deploy the site and invalidate its caches in the CloudFront distribution. This enforces the `github-build` user to ONLY have the permissions it needs to do the build. You could add this to this repo for anyone who is interested in setting up a `github-build` user in order to follow security best practices, as I know many people will just give the standard admin access keys to GitHub, which is definitely not recommended.

Let me know what you think. I thought it would be handy to share as it took me a few hours to figure out what permissions it needed as a minimum, as the `hugo deploy` code doesn't use the standard `aws-sdk-go` for all of its interactions with AWS, which makes it hard to reverse engineer the permissions needed. :)
Here are the inline policy action permissions:

CloudFront (for cache invalidations - ignore if you do not use)

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "cloudfront:CreateInvalidation",
      "Resource": "[MY CLOUDFRONT DISTRIBUTION]"
    }
  ]
}
```
S3 (upload site to S3)

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutBucketPolicy",
        "s3:ListBucket",
        "s3:GetBucketPolicy"
      ],
      "Resource": [BUCKET RESOURCES]
    }
  ]
}
```
Ideally, you could just put the above JSON in one policy named `GithubActionsPolicy` that will contain all the permissions it needs and then just attach it to the `github-build` user :). That's what I will end up doing.
If you don't find this useful, feel free to close the issue, otherwise, I think it would be cool and handy for others to include. For the AWS example obviously :)
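The comment above leaves `[BUCKET RESOURCES]` as a placeholder, and the one detail that trips people up when filling it in is that IAM evaluates S3 actions against different ARNs: `s3:ListBucket`, `s3:GetBucketPolicy` and `s3:PutBucketPolicy` match the bucket ARN, while `s3:PutObject` only matches an object ARN (`bucket/*`). The following is an added example, not code from hugo-deploy or from the commenter: it merges the two statements into the single `GithubActionsPolicy` document the comment suggests, splitting the S3 resources accordingly, and includes a small check that flags wildcard grants and bucket/object ARN mismatches. The bucket name `example-bucket` and the CloudFront distribution ARN are hypothetical stand-ins for the placeholders.

```python
"""Least-privilege deploy policy for a github-build user, with a sanity check.

Added example, not part of hugo-deploy. The bucket name and distribution ARN
below are hypothetical placeholders; substitute your own.
"""
import json

BUCKET = "example-bucket"  # assumption: hypothetical bucket name
DISTRIBUTION_ARN = "arn:aws:cloudfront::123456789012:distribution/EXAMPLEID"  # assumption

# The two statements from the comment merged into one document. The S3 grant
# is split because ListBucket/GetBucketPolicy/PutBucketPolicy are bucket-level
# actions (bucket ARN) while PutObject is object-level (bucket ARN + "/*").
GITHUB_ACTIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudFrontInvalidate",
            "Effect": "Allow",
            "Action": "cloudfront:CreateInvalidation",
            "Resource": DISTRIBUTION_ARN,
        },
        {
            "Sid": "S3BucketLevel",
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetBucketPolicy", "s3:PutBucketPolicy"],
            "Resource": f"arn:aws:s3:::{BUCKET}",
        },
        {
            "Sid": "S3PutObjects",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
    ],
}

# The "just give it admin keys" policy the comment warns against, for contrast.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}

BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketPolicy", "s3:PutBucketPolicy"}
S3_ARN_PREFIX = "arn:aws:s3:::"


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Return human-readable findings for grants a deploy user should not have."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        for resource in resources:
            if resource == "*":
                findings.append(f"{sid}: wildcard resource for {actions}")
        # A PutObject grant on a bare bucket ARN (or ListBucket on an object
        # ARN) never matches at evaluation time, so the deploy fails and people
        # "fix" it by widening the policy. Flag the mismatch instead.
        for action in actions:
            for resource in resources:
                if not resource.startswith(S3_ARN_PREFIX):
                    continue
                is_object_arn = "/" in resource[len(S3_ARN_PREFIX):]
                if action == "s3:PutObject" and not is_object_arn:
                    findings.append(f"{sid}: {action} needs an object ARN (bucket/*), got {resource}")
                if action in BUCKET_LEVEL_ACTIONS and is_object_arn:
                    findings.append(f"{sid}: {action} needs the bucket ARN, got {resource}")
    return findings


def is_least_privilege(policy):
    """True when the check raises no findings."""
    return not policy_findings(policy)


if __name__ == "__main__":
    print(json.dumps(GITHUB_ACTIONS_POLICY, indent=2))
    print("deploy policy findings:", policy_findings(GITHUB_ACTIONS_POLICY))
    print("admin policy findings:", policy_findings(ADMIN_POLICY))
```

The printed document is what you would paste into the inline policy for the `github-build` user; the check is deliberately narrow (wildcards and S3 ARN scope), so it complements rather than replaces IAM Access Analyzer or a policy simulator run.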
@yogitea wrote a post here http://www.treutler.cc/post/a-blog-using-hugo/