chore: 🚀 updated deploy file and terraform information

Author: aleph

.github/workflows/deploy-staging.yml

@@ -3,26 +3,19 @@ name: Deploy to Staging (AWS S3 + CloudFront)
 on:
   push:
     branches: [ develop, staging ]
-  pull_request:
-    branches: [ main ]
   workflow_dispatch: # Allow manual trigger
 
 permissions:
   contents: read
   id-token: write # Required for AWS OIDC authentication
 
-env:
-  AWS_REGION: us-east-1
-  S3_BUCKET: pythoncdmx-website-staging
-  CLOUDFRONT_DISTRIBUTION_ID: ${{ secrets.CLOUDFRONT_DISTRIBUTION_ID_STAGING }}
 
 jobs:
   build-and-deploy-staging:
     name: Build and Deploy to Staging
     runs-on: ubuntu-latest
     environment:
-      name: staging
-      url: https://staging.pythoncdmx.org
+      name: aws-stag
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -59,40 +52,40 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
-          aws-region: ${{ env.AWS_REGION }}
+          aws-region: ${{ secrets.AWS_REGION }}
 
       - name: Sync to S3 (Staging)
         run: |
-          aws s3 sync site/ s3://${{ env.S3_BUCKET }}/ \
+          aws s3 sync site/ s3://${{ secrets.AWS_S3_BUCKET }}/ \
             --delete \
             --cache-control "public, max-age=300" \
             --exclude "*.html" \
             --exclude "sitemap.xml"
 
           # Upload HTML files with shorter cache for staging
-          aws s3 sync site/ s3://${{ env.S3_BUCKET }}/ \
+          aws s3 sync site/ s3://${{ secrets.AWS_S3_BUCKET }}/ \
             --cache-control "public, max-age=60, must-revalidate" \
             --content-type "text/html; charset=utf-8" \
             --exclude "*" \
             --include "*.html"
 
           # Upload sitemap with no cache
-          aws s3 sync site/ s3://${{ env.S3_BUCKET }}/ \
+          aws s3 sync site/ s3://${{ secrets.AWS_S3_BUCKET }}/ \
             --cache-control "public, max-age=0, must-revalidate" \
             --exclude "*" \
             --include "sitemap.xml"
 
       - name: Invalidate CloudFront cache
         run: |
           aws cloudfront create-invalidation \
-            --distribution-id ${{ env.CLOUDFRONT_DISTRIBUTION_ID }} \
+            --distribution-id ${{ secrets.CLOUDFRONT_DISTRIBUTION }} \
             --paths "/*"
 
       - name: Deployment summary
         run: |
           echo "✅ Staging website deployed successfully!"
           echo "🌐 URL: https://staging.pythoncdmx.org"
-          echo "📦 S3 Bucket: ${{ env.S3_BUCKET }}"
-          echo "🚀 CloudFront Distribution: ${{ env.CLOUDFRONT_DISTRIBUTION_ID }}"
+          echo "📦 S3 Bucket: ${{ secrets.AWS_S3_BUCKET }}"
+          echo "🚀 CloudFront Distribution: ${{ secrets.CLOUDFRONT_DISTRIBUTION }}"
           echo ""
           echo "ℹ️  This is a STAGING environment for testing purposes."

terraform/.terraform.lock.hcl

@@ -9,11 +9,10 @@ terraform {
   }
 
   backend "s3" {
-    bucket         = "pythoncdmx-terraform-state"
-    key            = "website/terraform.tfstate"
-    region         = "us-east-1"
-    encrypt        = true
-    dynamodb_table = "pythoncdmx-terraform-locks"
+    bucket  = "bucket-terraform-a8ab"
+    key     = "pythoncdmx/terraform.tfstate"
+    region  = "us-east-1"
+    encrypt = true
   }
 }
 

terraform/main.tf

@@ -0,0 +1,113 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "ACMCertificateManagement",
+      "Effect": "Allow",
+      "Action": [
+        "acm:RequestCertificate",
+        "acm:DescribeCertificate",
+        "acm:ListCertificates",
+        "acm:DeleteCertificate",
+        "acm:AddTagsToCertificate",
+        "acm:ListTagsForCertificate"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "CloudFrontManagement",
+      "Effect": "Allow",
+      "Action": [
+        "cloudfront:CreateDistribution",
+        "cloudfront:GetDistribution",
+        "cloudfront:GetDistributionConfig",
+        "cloudfront:UpdateDistribution",
+        "cloudfront:DeleteDistribution",
+        "cloudfront:TagResource",
+        "cloudfront:CreateOriginAccessControl",
+        "cloudfront:GetOriginAccessControl",
+        "cloudfront:UpdateOriginAccessControl",
+        "cloudfront:DeleteOriginAccessControl",
+        "cloudfront:CreateInvalidation",
+        "cloudfront:GetInvalidation",
+        "cloudfront:ListInvalidations"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "Route53DNSManagement",
+      "Effect": "Allow",
+      "Action": [
+        "route53:GetHostedZone",
+        "route53:ListHostedZones",
+        "route53:ListResourceRecordSets",
+        "route53:ChangeResourceRecordSets",
+        "route53:GetChange",
+        "route53:ListTagsForResource"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "S3BucketManagement",
+      "Effect": "Allow",
+      "Action": [
+        "s3:CreateBucket",
+        "s3:DeleteBucket",
+        "s3:ListBucket",
+        "s3:GetBucketLocation",
+        "s3:GetBucketPolicy",
+        "s3:PutBucketPolicy",
+        "s3:DeleteBucketPolicy",
+        "s3:GetBucketVersioning",
+        "s3:PutBucketVersioning",
+        "s3:GetBucketPublicAccessBlock",
+        "s3:PutBucketPublicAccessBlock",
+        "s3:GetBucketCORS",
+        "s3:PutBucketCORS",
+        "s3:GetEncryptionConfiguration",
+        "s3:PutEncryptionConfiguration",
+        "s3:GetLifecycleConfiguration",
+        "s3:PutLifecycleConfiguration",
+        "s3:GetBucketTagging",
+        "s3:PutBucketTagging",
+        "s3:GetObject",
+        "s3:PutObject",
+        "s3:DeleteObject",
+        "s3:PutObjectAcl"
+      ],
+      "Resource": [
+        "arn:aws:s3:::pythoncdmx-website",
+        "arn:aws:s3:::pythoncdmx-website/*",
+        "arn:aws:s3:::pythoncdmx-website-staging",
+        "arn:aws:s3:::pythoncdmx-website-staging/*"
+      ]
+    },
+    {
+      "Sid": "IAMRoleManagement",
+      "Effect": "Allow",
+      "Action": [
+        "iam:CreateOpenIDConnectProvider",
+        "iam:GetOpenIDConnectProvider",
+        "iam:DeleteOpenIDConnectProvider",
+        "iam:TagOpenIDConnectProvider",
+        "iam:CreateRole",
+        "iam:GetRole",
+        "iam:DeleteRole",
+        "iam:UpdateAssumeRolePolicy",
+        "iam:AttachRolePolicy",
+        "iam:DetachRolePolicy",
+        "iam:PutRolePolicy",
+        "iam:GetRolePolicy",
+        "iam:DeleteRolePolicy",
+        "iam:ListRolePolicies",
+        "iam:ListAttachedRolePolicies",
+        "iam:TagRole",
+        "iam:ListRoleTags"
+      ],
+      "Resource": [
+        "arn:aws:iam::700463753979:oidc-provider/token.actions.githubusercontent.com",
+        "arn:aws:iam::700463753979:role/GitHubActionsDeployRole"
+      ]
+    }
+  ]
+}

terraform/required-permissions.json

@@ -76,6 +76,8 @@ resource "aws_s3_bucket_lifecycle_configuration" "website_staging" {
     id     = "delete-old-versions"
     status = "Enabled"
 
+    filter {}
+
     noncurrent_version_expiration {
       noncurrent_days = 30 # Shorter retention for staging
     }
@@ -85,6 +87,8 @@ resource "aws_s3_bucket_lifecycle_configuration" "website_staging" {
     id     = "delete-incomplete-uploads"
     status = "Enabled"
 
+    filter {}
+
     abort_incomplete_multipart_upload {
       days_after_initiation = 3
     }

terraform/s3-staging.tf

@@ -75,6 +75,8 @@ resource "aws_s3_bucket_lifecycle_configuration" "website" {
     id     = "delete-old-versions"
     status = "Enabled"
 
+    filter {}
+
     noncurrent_version_expiration {
       noncurrent_days = 90
     }
@@ -84,6 +86,8 @@ resource "aws_s3_bucket_lifecycle_configuration" "website" {
     id     = "delete-incomplete-uploads"
     status = "Enabled"
 
+    filter {}
+
     abort_incomplete_multipart_upload {
       days_after_initiation = 7
     }