feat: security and infrastructure improvements #6
Merged
flaviomilan merged 4 commits into main on Mar 27, 2026
- Restructure Terraform into separate files per resource (s3, cloudfront, acm, route53, waf, monitoring)
- Add S3 encryption (AES-256), versioning, and lifecycle management
- Enhance CloudFront with HTTP/3, TLS 1.2_2021, CSP, Referrer-Policy, Permissions-Policy
- Expand WAF v2 with rate limiting, Known Bad Inputs, IP Reputation, Anonymous IP rules and logging
- Add ACM SAN for www subdomain with validation timeout
- Add Route53 IPv6 (AAAA) records and www aliases, force_destroy=false by default
- Add CloudWatch dashboard, alarms (5xx/4xx/WAF), SNS notifications
- Add bootstrap module for remote state (S3 + DynamoDB locking)
- Redesign GitHub Actions: 4-step deploy with approval gates, DNS verification, cache invalidation
- Switch to OIDC authentication (no long-lived AWS credentials)
- Fix invalid count+for_each on Route53 records and S3 objects
- Fix inconsistent workflow paths (/infra/aws, /apps -> /src)
- Add 13 variables with validations (was 6), including CSP, WAF rate limit, monitoring
- Update README with full documentation, deploy flow, costs, and troubleshooting
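Two of the items above, the CloudFront security headers (CSP, Referrer-Policy, Permissions-Policy) and the Route53 records that previously mixed count with for_each, as an added Terraform example. This is not the PR's own code: the variable names, the CSP value, the hostnames and the alias target variables are assumptions; the CloudFront hosted zone ID is the fixed value AWS uses for all distributions.

```hcl
# Added example, not the PR's code. Assumed names: var.domain_name,
# var.zone_id, var.cloudfront_domain_name, var.content_security_policy.

variable "domain_name" {
  type    = string
  default = "example.com" # assumed value
}

variable "zone_id" {
  type        = string
  description = "Route53 hosted zone that serves var.domain_name"
}

variable "cloudfront_domain_name" {
  type        = string
  description = "dXXXX.cloudfront.net name of the distribution (assumed to exist elsewhere)"
}

# CloudFront's alias hosted zone ID is the same for every distribution.
variable "cloudfront_hosted_zone_id" {
  type    = string
  default = "Z2FDTNDATAQYW2"
}

variable "content_security_policy" {
  type        = string
  description = "CSP sent on every response; validated so a typo cannot disable it"
  default     = "default-src 'self'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none'; base-uri 'self'"

  validation {
    condition     = can(regex("default-src", var.content_security_policy))
    error_message = "content_security_policy must contain a default-src directive."
  }
}

# Headers are attached as a response headers policy so they are applied at the
# edge regardless of what the S3 origin returns.
resource "aws_cloudfront_response_headers_policy" "security" {
  name = "site-security-headers"

  security_headers_config {
    content_security_policy {
      content_security_policy = var.content_security_policy
      override                = true
    }
    strict_transport_security {
      access_control_max_age_sec = 63072000
      include_subdomains         = true
      preload                    = true
      override                   = true
    }
    content_type_options { override = true }
    frame_options {
      frame_option = "DENY"
      override     = true
    }
    referrer_policy {
      referrer_policy = "strict-origin-when-cross-origin"
      override        = true
    }
  }

  # Permissions-Policy has no dedicated block, so it goes in as a custom header.
  custom_headers_config {
    items {
      header   = "Permissions-Policy"
      value    = "camera=(), microphone=(), geolocation=()"
      override = true
    }
  }
}

# Terraform rejects count and for_each on the same resource. One map keyed by
# "<hostname>-<type>" drives every alias record: apex + www, A + AAAA.
locals {
  hostnames    = toset([var.domain_name, "www.${var.domain_name}"])
  record_types = toset(["A", "AAAA"])
  alias_records = {
    for pair in setproduct(local.hostnames, local.record_types) :
    "${pair[0]}-${pair[1]}" => { name = pair[0], type = pair[1] }
  }
}

resource "aws_route53_record" "site" {
  for_each = local.alias_records

  zone_id = var.zone_id
  name    = each.value.name
  type    = each.value.type

  alias {
    name                   = var.cloudfront_domain_name
    zone_id                = var.cloudfront_hosted_zone_id
    evaluate_target_health = false
  }
}
```

Keying the map by hostname and record type means adding a hostname later creates new addresses without re-addressing the existing ones, which a count-indexed list would do.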
- Change enable_monitoring default to false (~$10-15/month)
- Add enable_s3_versioning variable (default false)
- Gate S3 versioning and lifecycle on enable_s3_versioning
- Update README cost table with per-feature costs and toggle variables
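How the two toggles in this commit would gate the S3 versioning/lifecycle resources and the monitoring resources, together with the AES-256 encryption and public-access block from the first commit, as an added Terraform example. It is not the PR's code; the bucket, topic and alarm names, the 30-day and 5% thresholds, and the var.cloudfront_distribution_id input are assumptions.

```hcl
# Added example, not the PR's code. Assumed names: var.bucket_name,
# var.cloudfront_distribution_id, the "site-alerts" topic and alarm thresholds.

variable "bucket_name" {
  type = string
}

variable "cloudfront_distribution_id" {
  type = string
}

variable "enable_s3_versioning" {
  type        = bool
  description = "Keep previous object versions; adds storage cost, so off by default"
  default     = false
}

variable "enable_monitoring" {
  type        = bool
  description = "Create CloudWatch alarms and SNS topic (roughly $10-15/month)"
  default     = false
}

resource "aws_s3_bucket" "site" {
  bucket        = var.bucket_name
  force_destroy = false # a destroy must not silently delete site content
}

# Default at-rest encryption: every object is stored with SSE-S3 (AES-256),
# so uploads that omit the encryption header are still encrypted.
resource "aws_s3_bucket_server_side_encryption_configuration" "site" {
  bucket = aws_s3_bucket.site.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# The bucket is only ever read through CloudFront, never directly.
resource "aws_s3_bucket_public_access_block" "site" {
  bucket                  = aws_s3_bucket.site.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# count = 0 when the toggle is off, so no versioning state is created at all.
resource "aws_s3_bucket_versioning" "site" {
  count  = var.enable_s3_versioning ? 1 : 0
  bucket = aws_s3_bucket.site.id

  versioning_configuration {
    status = "Enabled"
  }
}

# The lifecycle rule only makes sense with versioning, so it shares the toggle
# and is ordered after the versioning resource.
resource "aws_s3_bucket_lifecycle_configuration" "site" {
  count      = var.enable_s3_versioning ? 1 : 0
  bucket     = aws_s3_bucket.site.id
  depends_on = [aws_s3_bucket_versioning.site]

  rule {
    id     = "expire-noncurrent-versions"
    status = "Enabled"
    filter {}

    noncurrent_version_expiration {
      noncurrent_days = 30 # assumed retention window
    }
    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}

resource "aws_sns_topic" "alerts" {
  count = var.enable_monitoring ? 1 : 0
  name  = "site-alerts"
}

# CloudFront metrics live in the AWS/CloudFront namespace with Region = "Global".
resource "aws_cloudwatch_metric_alarm" "cloudfront_5xx" {
  count               = var.enable_monitoring ? 1 : 0
  alarm_name          = "cloudfront-5xx-error-rate"
  namespace           = "AWS/CloudFront"
  metric_name         = "5xxErrorRate"
  statistic           = "Average"
  period              = 300
  evaluation_periods  = 2
  threshold           = 5 # percent, assumed
  comparison_operator = "GreaterThanThreshold"
  treat_missing_data  = "notBreaching"

  dimensions = {
    DistributionId = var.cloudfront_distribution_id
    Region         = "Global"
  }

  alarm_actions = [aws_sns_topic.alerts[0].arn]
}
```

Gating with count rather than with a conditional status keeps a disabled feature out of the state entirely, which is what makes the cost table's "toggle variable" column honest: off means nothing is billed.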
- Remove AWS credentials from PR quality check (not needed for validate)
- Add access key fallback to all deploy/bootstrap workflow credential steps
- The action auto-detects: OIDC if AWS_ROLE_ARN is set, access keys otherwise
- Translate entire README.md from Portuguese to English
- Add troubleshooting section for credential errors
- Document both auth options (access keys and OIDC)
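The AWS side of the OIDC option (the role whose ARN goes into AWS_ROLE_ARN, and why it removes the need for long-lived keys), as an added Terraform example that is not part of the PR. The repository variable, the role and policy names, the branch restriction and the bucket/distribution ARN inputs are assumptions; the thumbprint is a labelled placeholder.

```hcl
# Added example, not the PR's code. Assumed: var.github_repository ("owner/repo"),
# var.site_bucket_arn, var.cloudfront_distribution_arn, role name "github-deploy".

variable "github_repository" {
  type        = string
  description = "GitHub repository allowed to assume the role, as owner/repo"
}

variable "site_bucket_arn" {
  type = string
}

variable "cloudfront_distribution_arn" {
  type = string
}

# GitHub's OIDC issuer. Tokens are minted per workflow run and expire in
# minutes, so there is no static secret to leak or rotate.
resource "aws_iam_openid_connect_provider" "github" {
  url            = "https://token.actions.githubusercontent.com"
  client_id_list = ["sts.amazonaws.com"]
  # PLACEHOLDER: replace with the current thumbprint of the issuer's CA chain.
  thumbprint_list = ["0000000000000000000000000000000000000000"]
}

# Trust policy: the role can only be assumed with a token whose audience is
# STS and whose subject is the main branch of exactly this repository. A
# wildcard such as "repo:owner/*" would extend trust to every repo in the org.
data "aws_iam_policy_document" "github_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${var.github_repository}:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_role" "deploy" {
  name                 = "github-deploy"
  assume_role_policy   = data.aws_iam_policy_document.github_trust.json
  max_session_duration = 3600
}

# Permissions are scoped to what the deploy steps do: sync objects and
# invalidate the cache. Nothing else in the account is reachable.
data "aws_iam_policy_document" "deploy_permissions" {
  statement {
    actions   = ["s3:ListBucket"]
    resources = [var.site_bucket_arn]
  }
  statement {
    actions   = ["s3:PutObject", "s3:DeleteObject"]
    resources = ["${var.site_bucket_arn}/*"]
  }
  statement {
    actions   = ["cloudfront:CreateInvalidation"]
    resources = [var.cloudfront_distribution_arn]
  }
}

resource "aws_iam_role_policy" "deploy" {
  role   = aws_iam_role.deploy.id
  policy = data.aws_iam_policy_document.deploy_permissions.json
}

# This value is what the workflow stores as AWS_ROLE_ARN; when it is set the
# credentials step uses OIDC and the access-key fallback is never consulted.
output "aws_role_arn" {
  value = aws_iam_role.deploy.arn
}
```

With this in place, a leaked access key is no longer the failure mode to plan for; the remaining risk is an over-broad sub condition, which is why the trust policy pins the repository and branch rather than the owner.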
Security and Infrastructure Improvements

Summary

Complete restructuring of the Terraform code and the GitHub Actions workflows into a highly secure and automated solution.

Main Changes

🔒 Security
- force_destroy=false, IPv6 (AAAA) and www records

🏗️ Infrastructure
- (s3.tf, cloudfront.tf, acm.tf, route53.tf, waf.tf, monitoring.tf)
- bootstrap/ for remote state (S3 + DynamoDB locking)

🔄 CI/CD
- workflow_dispatch)

📊 Monitoring

🐛 Bugs Fixed
- count + for_each used simultaneously on Route53 records and S3 objects (invalid in Terraform)
- (/infra/aws, /apps → /src)

Validation
- terraform validate ✅ in src/ and bootstrap/