thumbsup/aws-private-gallery

Host a thumbsup static gallery on AWS

One-click deployment of your static Thumbsup gallery to AWS

Features:

  • Custom domain name
  • CDN caching
  • HTTPS / TLS
  • User authentication

It is designed to have:

  • minimal infrastructure: no servers or databases to maintain
  • low cost: the website is served from cache (even private content!)
  • invite-only: you can control who has access
  • flexible: can login with email/password, or using social logins
  • self managed: users can reset their own passwords

Intro

There are 4 main AWS components involved:

See DESIGN.md for more details about how the site is set up.

This repo is meant to provide a bootstrap for your private gallery. Cognito is very flexible, and you will probably want to tweak a few settings once deployed. For example, you might want to:

  • customise the login page with a logo
  • allow self sign-ups with an approval workflow
  • enable social logins with Google or Facebook

Setup

1. Configure this repo

Before you set up the gallery, you will need to clone the repo and adjust the following files (copy each template to its expected name, then edit it):

Template                                    Expected name                        Content
lambda/whitelist/emails.js.example          lambda/whitelist/emails.js           List of email addresses that can access the gallery
infra/terraform.tfvars.example              infra/terraform.tfvars               S3 bucket name, domain name...
infra/backend.tf.example                    infra/backend.tf                     Terraform state storage
infra/templates/email-invite.html.example   infra/templates/email-invite.html    Email template

2. Create the TLS certificate for your domain

Create a TLS certificate in AWS Certificate Manager. Regardless of any other settings, the certificate must be created in us-east-1 (North Virginia), because CloudFront only accepts ACM certificates from that region. Follow the prompts to validate the domain by email or DNS.

3. Build the Lambda functions

The login/whitelist functions are written in Node.js, built and packaged inside Docker. The following will create the ZIP files which are needed for the next step.

cd lambda
./build.sh

4. Setup your CloudFront private key

Authentication relies on cookies signed with a key pair. The private key is a sensitive value, so the stack expects it to be stored encrypted in SSM Parameter Store.

First, generate a new key pair locally:

openssl genrsa -out private_key.pem 2048
openssl rsa -pubout -in private_key.pem -out public_key.pem

Then store the public key on CloudFront:

  1. Open the CloudFront UI
  2. Navigate to "Key management", then "Public keys"
  3. Upload the public key, and take note of the Key ID you receive
  4. Navigate to the "Key group" section just underneath
  5. Create a new key group which includes the public key above

Then store the values in Parameter Store:

  1. Open the Parameter Store UI
  2. Create the 2 following entries:
Name                     Type           KMS Key ID      Value                         Example
cloudfront_keypair_id    String         -               Public ID of the key pair     ABC123456789
cloudfront_private_key   Secure String  alias/aws/ssm   Contents of the private key   -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----

You should then delete the local copy of the private key you generated. AWS recommends rotating this key pair every 3 months.

Note: the Parameter Store values are cached in the Lambda function to speed up invocation. When you rotate the key pair, the old value will still be used until the next Lambda cold start. You can re-deploy the Lambda function to force a cold start.

5. Deploy infrastructure

The whole infrastructure is written as Terraform templates. First, authenticate against AWS with the AWS CLI:

  • run aws configure and enter the access key and secret key
  • if you saved your credentials as a non-default profile, run export AWS_PROFILE=profile_name
  • select the target AWS region using export AWS_REGION=ap-southeast-2

Then simply run the following commands to create the infrastructure:

cd infra
terraform apply

If you make any subsequent changes, simply re-run terraform apply to apply the update.

!!NOTE!! The Terraform code has not yet been updated to use the CloudFront key group created above (it still references the older CloudFront key pair mechanism). Until it is, signed cookies will not be accepted for private content, so once deployed you must:

  • go into the CloudFront distribution
  • edit the "behaviours" section for HTML and Default
  • update Trusted authorization type from Self to the key group you created above

6. Create users

The final step is to create a user so you can go through the login page.

  • Navigate to https://console.aws.amazon.com/cognito
  • Click "Browse your user pools"
  • Select the pool that was created by Terraform
  • Click "Users and groups", then "Create user"
  • Provide an email address and temporary password

Make sure that this email address is part of the email whitelist (emails.js). This validation is done on all logins, both for local Cognito users and social sign-in (if configured).

That's it!

You should now be able to browse to https://your-gallery.com and be prompted to login.

It's time to upload your gallery to the bucket defined in infra/terraform.tfvars. The simplest way is using the CLI with aws s3 sync, e.g.

aws s3 sync ./gallery s3://my-gallery
