DEV Community: Idan Fishman The latest articles on DEV Community by Idan Fishman (@idanfishman). https://dev.to/idanfishman https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F912352%2Ffe10b114-4f8a-4872-9d7e-1911352f9282.jpeg DEV Community: Idan Fishman https://dev.to/idanfishman en Complete CI/CD Pipeline for Static Websites with AWS S3, Cloudflare CDN, and Cache Purging Idan Fishman Sat, 03 Aug 2024 15:02:51 +0000 https://dev.to/idanfishman/complete-cicd-pipeline-for-static-websites-with-aws-s3-cloudflare-cdn-and-cache-purging-49ah https://dev.to/idanfishman/complete-cicd-pipeline-for-static-websites-with-aws-s3-cloudflare-cdn-and-cache-purging-49ah <p>Hey, fellow developers! Are you tired of the tedious manual steps involved in deploying static websites? Say no more! In this article, we'll set up an amazing CI/CD pipeline using GitHub Actions to deploy static websites on AWS S3, supercharge them with Cloudflare as a CDN, and automate cache purging like a pro. Plus, you'll get to try out my brand-new GitHub Action that makes cache purging a breeze. Ready? Let's dive in!</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2dbx5jjs886fhilw731y.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2dbx5jjs886fhilw731y.png" alt="traffic-flow" width="800" height="166"></a></p> <h2> Prerequisites </h2> <p>Before we embark on this adventure, make sure you have:</p> <ol> <li> <strong>AWS Account</strong>: With permissions to create IAM roles, identity providers, and S3 buckets.</li> <li> <strong>Cloudflare Account</strong>: With a configured zone.</li> <li> <strong>GitHub Repository</strong>: For your static website project.</li> </ol> <h2> Step 1: Set Up AWS IAM OpenID Connect Provider </h2> <h3> Create OpenID Connect Provider </h3> <ol> <li> <strong>Create OpenID Connect Provider</strong>:</li> </ol> <ul> <li>Go to the IAM console.</li> <li>In the navigation pane, choose <strong>Identity providers</strong>, and then choose <strong>Add provider</strong>.</li> <li>For <strong>Provider type</strong>, choose <strong>OpenID Connect</strong>.</li> <li>For <strong>Provider URL</strong>, enter <code>https://token.actions.githubusercontent.com</code>.</li> <li>For <strong>Audience</strong>, enter <code>sts.amazonaws.com</code>.</li> <li>For <strong>Thumbprints</strong>, add the following thumbprints: <ul> <li><code>6938fd4d98bab03faadb97b34396831e3780aea1</code></li> <li><code>1c58a3a8518e8759bf075b76b750d4f2df264fcd</code></li> </ul> </li> <li>Choose <strong>Add provider</strong>.</li> </ul> <h3> IAM Role for GitHub Actions </h3> <ol> <li> <strong>Create IAM Role</strong>:</li> </ol> <ul> <li>Go to the IAM console.</li> <li>Create a new role with the following trust policy to allow GitHub runners to assume this role: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Federated"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::YOUR_ACCOUNT_ID:oidc-provider/token.actions.githubusercontent.com"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts:AssumeRoleWithWebIdentity"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"token.actions.githubusercontent.com:aud"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts.amazonaws.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"token.actions.githubusercontent.com:sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"repo:YOUR_GITHUB_USERNAME/YOUR_REPOSITORY_NAME:*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ol> <li> <strong>Attach Policies</strong>:</li> </ol> <ul> <li>Attach a policy to the role that allows <code>s3:PutObject</code> and other necessary permissions for your S3 bucket. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"s3:PutObject"</span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::YOUR_BUCKET_NAME/*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> S3 Bucket Configuration </h3> <ol> <li> <strong>Create an S3 Bucket</strong>:</li> </ol> <ul> <li>Go to the S3 console and create a new bucket for your static website.</li> <li>Enable static website hosting and select <code>index.html</code> as the index document.</li> </ul> <ol> <li> <strong>Set Bucket Policy</strong>:</li> </ol> <ul> <li>Restrict access to Cloudflare IP ranges and the GitHub Actions IAM role. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AllowGetFromCloudflare"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::YOUR_BUCKET_NAME/*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"IpAddress"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:SourceIp"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"CLOUDFLARE_IP_RANGES"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AllowPutFromGitHubActions"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::YOUR_ACCOUNT_ID:role/GITHUB_ACTIONS_ROLE_NAME"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:PutObject"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::YOUR_BUCKET_NAME/*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ul> <li>For Cloudflare IP ranges, refer to <a href="https://www.cloudflare.com/ips/" rel="noopener noreferrer">Cloudflare IP Ranges</a>.</li> </ul> <h2> Step 2: Configure GitHub Actions Workflow </h2> <h3> Secrets and Variables </h3> <ol> <li> <strong>Add GitHub Secrets</strong>:</li> </ol> <ul> <li><code>GITHUB_RUNNERS_AWS_IAM_ROLE_ARN</code></li> <li> <code>CLOUDFLARE_API_KEY</code> (with zone cache purge permission)</li> </ul> <ol> <li> <strong>Add GitHub Variables</strong>: <ul> <li><code>CLOUDFLARE_ZONE_ID</code></li> <li> <code>S3_BUCKETS</code>: A comma-separated list of S3 bucket names.</li> </ul> </li> </ol> <h3> GitHub Actions Workflow </h3> <p>Create a <code>.github/workflows/deploy.yml</code> file in your repository with the following content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Build and Deploy</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">ci</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="na">role-to-assume</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_RUNNERS_AWS_IAM_ROLE_ARN }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Node.js</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">cache</span><span class="pi">:</span> <span class="s">yarn</span> <span class="na">cache-dependency-path</span><span class="pi">:</span> <span class="s">yarn.lock</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">yarn</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run build</span> <span class="na">run</span><span class="pi">:</span> <span class="s">yarn build</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Upload build artifacts to S3</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">IFS=',' read -ra buckets &lt;&lt;&lt; "${{ vars.S3_BUCKETS }}"</span> <span class="s">for bucket in "${buckets[@]}"; do</span> <span class="s"># upload the build artifacts to the S3 bucket to the root path</span> <span class="s">aws s3 cp dist "s3://${bucket}/" --recursive</span> <span class="s">done</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Purge Cloudflare cache</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">fishmanlabs/cloudflare-purge-cache-action@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">api_token</span><span class="pi">:</span> <span class="s">${{ secrets.CLOUDFLARE_API_KEY }}</span> <span class="na">zone_id</span><span class="pi">:</span> <span class="s">${{ var.CLOUDFLARE_ZONE_ID }}</span> <span class="na">purge_everything</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">purge_files</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">/</span> <span class="s">/index.html</span> </code></pre> </div> <h3> Workflow Breakdown </h3> <ol> <li> <strong>Checkout Code</strong>: Checks out the code from your GitHub repository.</li> <li> <strong>Configure AWS Credentials</strong>: Configures AWS credentials for the GitHub Actions runner using the IAM role created earlier.</li> <li> <strong>Setup Node.js</strong>: Sets up Node.js environment and caches dependencies.</li> <li> <strong>Install Dependencies</strong>: Installs project dependencies using yarn.</li> <li> <strong>Run Build</strong>: Builds the static website using the specified environment.</li> <li> <strong>Upload Build Artifacts to S3</strong>: Uploads the built files to the specified S3 buckets.</li> <li> <strong>Purge Cloudflare Cache</strong>: Uses the Cloudflare Purge Cache GitHub Action to purge the Cloudflare cache for the specified files.</li> </ol> <h2> Step 3: Configure Cloudflare </h2> <ol> <li> <strong>API Key Permissions</strong>: Ensure the API key used has zone purge scope permission.</li> <li> <strong>Enable Static Website</strong>: Ensure your S3 bucket is configured for static website hosting and select <code>index.html</code> as the index document.</li> <li> <strong>SSL Rule</strong>: In Cloudflare, set up an SSL rule to use flexible SSL when proxying to the S3 static website endpoint.</li> </ol> <h2> Conclusion </h2> <p>By following this guide, you can set up a complete CI/CD pipeline for deploying static websites to AWS S3, using Cloudflare as a CDN, and automating cache purging. This approach ensures that your users always receive the latest content without manual intervention, optimizing both performance and user experience.</p> <p>I'm thrilled to introduce my new GitHub Action, <a href="https://github.com/marketplace/actions/cloudflare-cache-purge" rel="noopener noreferrer">Cloudflare Purge Cache</a>, which makes cache purging effortless. If you find it useful, I would love to see your support by giving it a star on GitHub! Check out the <a href="https://github.com/marketplace/actions/cloudflare-cache-purge" rel="noopener noreferrer">Cloudflare Purge Cache GitHub Action</a> on GitHub Marketplace and integrate it into your project today. For more details and support, visit the <a href="https://github.com/fishmanlabs/cloudflare-purge-cache-action" rel="noopener noreferrer">repository</a>. Let's make the web faster together!</p> githubactions aws cloudflare staticwebsite