signage-app: roll

sorah · sorah · commit 1b534da12d93 · 2025-05-21T23:02:22.000+09:00
diff --git a/tf/signage-app/.mairu.json b/tf/signage-app/.mairu.json
@@ -0,0 +1,4 @@
+{
+  "server": "https://amc.rubykaigi.net/api/remote/",
+  "role": "arn:aws:iam::005216166247:role/OrgzAdmin"
+}
diff --git a/tf/signage-app/.terraform.lock.hcl b/tf/signage-app/.terraform.lock.hcl
diff --git a/tf/signage-app/dev.tf b/tf/signage-app/dev.tf
@@ -21,6 +21,8 @@ module "dev" {
   cloudfront_log_prefix = "cf/signage-dev.rubykaigi.org/"
 
   manage_config_in_s3 = false
+
+  ssm_parameter_path_prefix = "/signage/dev/"
 }
 
 resource "aws_route53_record" "dev" {
diff --git a/tf/signage-app/prd.tf b/tf/signage-app/prd.tf
@@ -1,3 +1,6 @@
+locals {
+  captioner_enabled = true
+}
 module "prd" {
   source = "github.com/ruby-no-kai/signage-app//tf"
   #source = "/home/sorah/git/github.com/ruby-no-kai/signage-app/tf"
@@ -20,7 +23,7 @@ module "prd" {
 
   github_actions_subs = ["repo:ruby-no-kai/signage-app:environment:prd"]
 
-  captioner_enabled = false
+  captioner_enabled = local.captioner_enabled
   captioner_params = {
     vpc_id                            = data.aws_vpc.main.id
     ec2_security_group_ids            = [data.aws_security_group.default.id, aws_security_group.captioner.id]
@@ -29,7 +32,8 @@ module "prd" {
     medialive_subnet_id_1             = data.aws_subnet.main-public-c.id
     medialive_subnet_id_2             = data.aws_subnet.main-public-d.id
     medialive_security_group_ids      = [data.aws_security_group.default.id, aws_security_group.medialive.id]
-    medialive_role_arn                = data.aws_iam_role.MediaLiveAccessRole.arn
+    medialive_s3_bucket               = aws_s3_bucket.live.bucket
+    medialive_s3_prefix               = "rk25/"
     ssh_import_ids                    = jsondecode(file("${path.module}/../../data/ssh_import_ids.json"))
   }
   captioner_channels = {
@@ -48,6 +52,8 @@ module "prd" {
   }
 
   callback_urls = toset([])
+
+  ssm_parameter_path_prefix = "/signage/prd/"
 }
 
 resource "aws_route53_record" "prd" {
@@ -65,7 +71,7 @@ resource "aws_route53_record" "prd" {
 
 resource "random_pet" "prd-stream-key" {
   keepers = {
-    doggo = "doggo"
+    doggo = "rk25"
   }
 }
 
@@ -76,14 +82,24 @@ resource "random_id" "prd_client_secret" {
 #  value = random_id.dev_client_secret.id
 #}
 
-resource "aws_route53_record" "prd-captioner" {
-  for_each = { for zone in local.rubykaigi_net_zones : zone => module.prd.captioner_ip_address if module.prd.captioner_ip_address != null }
-  zone_id  = each.key
-  name     = "captioner.apne1.rubykaigi.net."
-  type     = "A"
-  ttl      = 60
+resource "aws_route53_record" "prd-captioner-public" {
+  count   = local.captioner_enabled ? 1 : 0
+  zone_id = data.aws_route53_zone.rubykaigi-net_public.zone_id
+  name    = "captioner.apne1.rubykaigi.net."
+  type    = "A"
+  ttl     = 60
+  records = [
+    module.prd.captioner_ip_address,
+  ]
+}
+resource "aws_route53_record" "prd-captioner-private" {
+  count   = local.captioner_enabled ? 1 : 0
+  zone_id = data.aws_route53_zone.rubykaigi-net_private.zone_id
+  name    = "captioner.apne1.rubykaigi.net."
+  type    = "A"
+  ttl     = 60
   records = [
-    each.value,
+    module.prd.captioner_ip_address,
   ]
 }
 
diff --git a/tf/signage-app/s3.tf b/tf/signage-app/s3.tf
@@ -0,0 +1,62 @@
+resource "aws_s3_bucket" "live" {
+  bucket = "rk-live-video"
+}
+
+resource "aws_s3_bucket_public_access_block" "live" {
+  bucket = aws_s3_bucket.live.id
+
+  block_public_acls       = false
+  block_public_policy     = false
+  ignore_public_acls      = false
+  restrict_public_buckets = false
+}
+
+data "aws_iam_policy_document" "live" {
+  statement {
+    effect  = "Allow"
+    actions = ["s3:GetObject"]
+    resources = [
+      "${aws_s3_bucket.live.arn}/*/live/*",
+    ]
+    principals {
+      type = "AWS"
+      identifiers = [
+        "*",
+      ]
+    }
+  }
+}
+
+resource "aws_s3_bucket_policy" "live" {
+  bucket = aws_s3_bucket.live.id
+  policy = data.aws_iam_policy_document.live.json
+
+  depends_on = [aws_s3_bucket_public_access_block.live]
+}
+
+resource "aws_s3_bucket_versioning" "live" {
+  bucket = aws_s3_bucket.live.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "live" {
+  bucket = aws_s3_bucket.live.id
+
+  transition_default_minimum_object_size = "all_storage_classes_128K"
+
+  rule {
+    id     = "config"
+    status = "Enabled"
+
+    filter {
+    }
+
+    noncurrent_version_expiration {
+      noncurrent_days = 7
+    }
+  }
+
+  depends_on = [aws_s3_bucket_versioning.live]
+}

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +{
 +  "server": "https://amc.rubykaigi.net/api/remote/",
 +  "role": "arn:aws:iam::005216166247:role/OrgzAdmin"
 +}
Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,8 @@ module "dev" {`
`21`	`21`	`cloudfront_log_prefix = "cf/signage-dev.rubykaigi.org/"`
`22`	`22`
`23`	`23`	`manage_config_in_s3 = false`
	`24`	`+`
	`25`	`+ ssm_parameter_path_prefix = "/signage/dev/"`
`24`	`26`	`}`
`25`	`27`
`26`	`28`	`resource "aws_route53_record" "dev" {`