- AWS Account
- IAM Root user Credentials or IAM role or IAM user with sufficient right , If not then we need to create new AWS Account , pls follow below
The following resources are currently used by the project:
an AWS S3 bucket to store build output files
an AWS CloudFront distribution to access the AWS S3 bucket
a new AWS Public hosted Zone for Storing the DNS Endpoint and also for Registering the ACMs
a new DNS Validated ACM
Steps need to do on AWS Account
- Create a new AWS Account
- Login with Root user , create IAM SAML Roles if OIDC or SAML Provider is there otherwise just create a IAM user with Administrator policy
- Need to create a local IAM User/profile locally/CLI with ( Secret key and access key ) from above step
- Create a new AWS Route 53 Hosted Zone., for that need to register the domain name in Route 53 , for eg if we want to create bolt.com zone , we need to register the domain first ( In my case I have create a sub hosted zone under parent zone ) , by name blt.searchmetrics.com
- If we are creating a new sub zone under parent zone like myself , we need to register its NS records in Parent zone
- Once the Zone ( either parent or child ) is created, we need to create Public ACM certificate in us-east-1 ( Virginia) Region as a mandatory requirement for Cloud front . ( ACM certificate should be in virginia region if we need to setup https connection between viewers and cloudfront)
Steps Need to do on CLI with Ansible Playbook
- we have create ansible playbook for creating a Cloudfront distribtion , AWS S3 and route 53 CNAME record
- Attached Ansible Playbook in the github Repositry does the following
- Create Bucket and Bucket Policy adding CLoud front Origin Identity as trust
- CFN Distribution , Cache policy
- Route 53 Alias Record
How to run
- Folt the entire bolt-project repositry or clone
- use the same structure and modify the aws_all.yml global vairbales as per your environment , ( Bukcet name , region etc )
- In the template , aws_bolt_cloudfront_s3.yml.j2 modify ACM certificate from the above steps ( done on AWS Account )
Once above steps are done , need to run the Ansible playbook , needless to mention need to install Ansible first
CloudFront Distribution + S3 Bucket
ansible-playbook -i env/inventory bolt-aws-cloudfront-s3.yml -l shared
- Assignment is done in a single account only , requirement was to create S3 and Cloudfront in separate account
- I focussed to work on the solution initially and it is working perfectly fine for me in single account
- Tried to look for the ways where we can separate S3 ( in one account ) and distribution in another account as per the requirement but in the favor of time thought to submit like this ( Ideally solved the problem with the working solution so did not wanted to invest time on separating the workflows on separate accounts )
It can be possible however with some more investigation below -
-
We can create separate playbooks or lets say separate Terraform configuration for separate account provisioning S3 and Cloud front in separate account
-
Since Cloud formation do not work with Cross account Exports , we can create a dummy S3 parameter in the master account ( where the cloud front is) and using that dummy parameter we can import S3 in the ansible template ( which is submitted )
As per the assignment requirement , We can sucessfully browse the files with the additional domain name ( bolt-frontend-shared.blt.searchmetrics.com) , In my case I browsed and access the pdf file https://bolt-frontend-shared.blt.searchmetrics.com/AWS%20Certified%20Solutions%20Architect%20-%20Professional%20certificate.pdf
Please note this AWS Certificate PDF file I uploaded on S3 bucket first
Also see the working screenshot sent in the email , Architecture Diagram PDF attached in the email .
Attached in email Assuming the real problem ( multi account solution )
- Ingress account for Cloud front
- Internal account having s3 bucket