From 9cbc1e708a9a1ead4bf7fbf285f512f56e4da877 Mon Sep 17 00:00:00 2001
From: Jonathan Bernard
Date: Mon, 12 Aug 2024 12:14:01 -0500
Subject: [PATCH] Migrate off of ECS onto sobeck.jdb-software.com.

---
 .tool-versions | 1 +
 api/Makefile | 17 +++++
 api/hff_entry_forms.service | 16 +++++
 operations/opentofu/.terraform.lock.hcl | 36 ++++++++++
 operations/{terraform => opentofu}/common.tf | 0
 .../deployed_env/cloudfront.tf | 0
 .../deployed_env/load-balancer.tf | 8 ++-
 .../deployed_env/variables.tf | 4 ++
 operations/{terraform => opentofu}/ecr.tf | 0
 operations/{terraform => opentofu}/main.tf | 8 ++-
 .../{terraform => opentofu}/terraform.tf | 0
 .../{terraform => opentofu}/terraform.tfstate | 0
 .../terraform.tfstate.backup | 0
 operations/terraform/deployed_env/ecs.tf | 70 ------------------------
 operations/terraform/deployed_env/iam.tf | 69 ------------------
 15 files changed, 87 insertions(+), 142 deletions(-)
 create mode 100644 .tool-versions
 create mode 100644 api/hff_entry_forms.service
 create mode 100644 operations/opentofu/.terraform.lock.hcl
 rename operations/{terraform => opentofu}/common.tf (100%)
 rename operations/{terraform => opentofu}/deployed_env/cloudfront.tf (100%)
 rename operations/{terraform => opentofu}/deployed_env/load-balancer.tf (77%)
 rename operations/{terraform => opentofu}/deployed_env/variables.tf (93%)
 rename operations/{terraform => opentofu}/ecr.tf (100%)
 rename operations/{terraform => opentofu}/main.tf (84%)
 rename operations/{terraform => opentofu}/terraform.tf (100%)
 rename operations/{terraform => opentofu}/terraform.tfstate (100%)
 rename operations/{terraform => opentofu}/terraform.tfstate.backup (100%)
 delete mode 100644 operations/terraform/deployed_env/ecs.tf
 delete mode 100644 operations/terraform/deployed_env/iam.tf

diff --git a/.tool-versions b/.tool-versions
new file mode 100644
index 0000000..bab318a
--- /dev/null
+++ b/.tool-versions
@@ -0,0 +1 @@
+opentofu 1.8.1
diff --git a/api/Makefile b/api/Makefile
index dc0e872..21a5e5b 100644
--- a/api/Makefile
+++ b/api/Makefile
@@ -82,3 +82,20 @@ echo-vars:
 "VERSION=$(VERSION)\n" \
 "PORT=$(PORT)\n" \
 "INTEGRATION_TOKEN=$(INTEGRATION_TOKEN)\n"
+
+publis:
+ -rm -r deploy
+ -mkdir deploy
+ m4 \
+ -D "HFF_ENTRY_FORMS_API_VERSION=$(VERSION)" \
+ -D "TARGET_ENV=$(TARGET_ENV)" \
+ -D "TARGET_PORT=$(TARGET_PORT)" \
+ hff_entry_forms_api.service \
+ > deploy/hff_entry_forms_api.$(TARGET_ENV).service
+ -ssh deployer@$(TARGET_SERVER) "docker stop hff_entry_forms.$(TARGET_ENV).service && sudo systemctl stop hff_entry_forms.$(TARGET_ENV)"
+ ssh deployer@$(TARGET_SERVER) "aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin $(ECR_ACCOUNT_URL) && docker pull $(ECR_ACCOUNT_URL)/hff_entry_forms:$(VERSION)"
+ scp \
+ deploy/hff_entry_forms.$(TARGET_ENV).service \
+ deployer@$(TARGET_SERVER):/etc/systemd/system/hff_entry_forms.$(TARGET_ENV).service
+ ssh deployer@$(TARGET_SERVER) "sudo systemctl daemon-reload"
+ ssh deployer@$(TARGET_SERVER) "sudo systemctl start hff_entry_forms.$(TARGET_ENV)"
diff --git a/api/hff_entry_forms.service b/api/hff_entry_forms.service
new file mode 100644
index 0000000..d8c1314
--- /dev/null
+++ b/api/hff_entry_forms.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=HFF Entry Forms (TARGET_ENV)
+After=network-online.target
+Requires=docker.service
+
+[Service]
+TimeoutStartSec=0
+Restart=always
+ExecStartPre=-/usr/bin/docker rm %n
+ExecStart=/usr/bin/docker run --rm -p TARGET_PORT:80 --name %n \
+ --env-file /etc/hff_entry_forms/TARGET_ENV.env \
+ 063932952339.dkr.ecr.us-west-2.amazonaws.com/hff_entry_forms:HFF_ENTRY_FORMS_VERSION
+ExecStop=/usr/bin/docker stop --name %n
+
+[Install]
+WantedBy=default.target
diff --git a/operations/opentofu/.terraform.lock.hcl b/operations/opentofu/.terraform.lock.hcl
new file mode 100644
index 0000000..d3fc6db
--- /dev/null
+++ b/operations/opentofu/.terraform.lock.hcl
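Review bot: The `publis` target (a typo for `publish`) cannot run as written because its file names disagree with each other and with the unit file this commit adds: m4 reads `hff_entry_forms_api.service` but the new file is `api/hff_entry_forms.service`, it writes `deploy/hff_entry_forms_api.$(TARGET_ENV).service` while `scp` copies `deploy/hff_entry_forms.$(TARGET_ENV).service`, and it defines `HFF_ENTRY_FORMS_API_VERSION` while the unit references `HFF_ENTRY_FORMS_VERSION`, so the image tag would be left unsubstituted. Use one name throughout, e.g. `hff_entry_forms.service` as the m4 input, `deploy/hff_entry_forms.$(TARGET_ENV).service` as its output, and `-D "HFF_ENTRY_FORMS_VERSION=$(VERSION)"`. Security-wise, `scp` writing straight into `/etc/systemd/system/` means `deployer` can write root-run unit files (root-equivalent), and the `docker stop` line implies it is in the docker group (also root-equivalent); prefer copying to a staging path and installing with `sudo install -o root -g root -m 0644`, with sudoers limited to that and the specific `systemctl` verbs. The pull on the host relies on whatever AWS credentials `sobeck` holds, which this diff does not show — the deleted task role scoped ECR reads to the one repository, and the host's credentials should be scoped the same way. Consider pulling the image before stopping the running service so a failed pull does not leave the service down.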
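Review bot: `ExecStop=/usr/bin/docker stop --name %n` passes a flag that `docker stop` does not accept, so the stop command fails and systemd falls back to signalling the `docker run` client; it should read `ExecStop=/usr/bin/docker stop %n`. `Requires=docker.service` with no matching `After=docker.service` gives no start ordering, so the unit can race the daemon at boot; change the ordering line to `After=network-online.target docker.service`. The secrets that the deleted ecs.tf pulled from Secrets Manager under an IAM-scoped task role (INTEGRATION_TOKEN, KNOWN_ORIGINS) now come from a plaintext `--env-file /etc/hff_entry_forms/TARGET_ENV.env`; since the unit has no `User=` it runs as root, so that file should be root-owned and mode 0600, its values remain visible via `docker inspect` to anyone in the docker group, and it must exist before the first start — note that applying this diff also removes the `aws_secretsmanager_secret` resource, which will schedule the secret for deletion. `-p TARGET_PORT:80` publishes on all interfaces, so the port is reachable from anything the instance's security group admits (not shown here); binding to the instance's private address (`-p <private-ip>:TARGET_PORT:80`) or confirming the security group admits only the load balancer would match the exposure the ECS service had. Finally, the hard-coded `063932952339.dkr.ecr.us-west-2.amazonaws.com` prefix duplicates the `ECR_ACCOUNT_URL` the Makefile already carries; passing it through m4 (`-D "ECR_ACCOUNT_URL=$(ECR_ACCOUNT_URL)"`) keeps one source of truth.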
@@ -0,0 +1,36 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.62.0" + hashes = [ + "h1:DzXMlmL2hRPfACAbN1PUhnLDGY9Kl0vbrt05qSfGsxA=", + "zh:2cb519ce7f3cbcb88b2e93dd3b3424ad85a347fc0e7429661945da5df8a20fda", + "zh:2fc7ed911cceaa1652d1f4090eaa91e8463aba86873910bccf16601260379886", + "zh:395b32d157adeb92571a0efd230c73bbee01744782a50356fb16e8946bd63ffb", + "zh:43303d36af40a568cd40bd54dc9e8430e18c4a4d78682b459dca8c755c717a0c", + "zh:65b2c6e955deeeffb9d9cd4ed97e8c532a453ba690d0e3d88c740f9036bccc4d", + "zh:a9d09dc9daf33b16894ed7d192ceb4c402261da58cded503a3ffa1dd2373e3fb", + "zh:c5e9f8bc4397c2075b6dc62458be51b93322517affd760c161633d56b0b9a334", + "zh:db0921c091402179edd549f8aa4f12dce18aab09d4302e800c67d6ec6ff88a86", + "zh:e7d13f9c0891446d03c29e4fcd60de633f71bbf1bc9786fca47a0ee356ac979a", + "zh:f128a725dbdbd31b9ed8ea478782152339c9fab4d635485763c8da2a477fe3f6", + ] +} + +provider "registry.opentofu.org/hashicorp/external" { + version = "2.3.3" + hashes = [ + "h1:bDJy8Mj5PMTEuxm6Wu9A9dATBL+mQDmHx8NnLzjvCcc=", + "zh:1ec36864a1872abdfd1c53ba3c6837407564ac0d86ab80bf4fdc87b41106fe68", + "zh:2117e0edbdc88f0d22fe02fe6b2cfbbbc5d5ce40f8f58e484d8d77d64dd7340f", + "zh:4bcfdacd8e2508c16e131de9072cecd359e0ade3b8c6798a049883f37a5872ea", + "zh:4da71bc601a37bf8b7413c142d43f5f28e97e531d4836ee8624f41b9fb62e250", + "zh:55b9eebac79a46f88db5615f1ee0ac4c3f9351caa4eb8542171ef5d87de60338", + "zh:74d64afaef190321f8ddf1c4a9c6489d6cf51098704a2456c1553406e8306328", + "zh:8a357e51a0ec69872fafc64da3c6a1039277d325255ef5a264b727d83995d18b", + "zh:aacd2e6c13fe19115d51cd28a40a28da017bb48c2e18dec4460d1c37506b1495", + "zh:e19c8bdf0e059341d008a50f9138c44009e9ebb3a8047a300e6bc63ed8af8ea0", + "zh:fafa9639d8b8402e35f3864c6cfb0762ec57cc365a8f383e2acf81105b1b9eea", + ] +} 
diff --git a/operations/terraform/common.tf b/operations/opentofu/common.tf
similarity index 100%
rename from operations/terraform/common.tf
rename to operations/opentofu/common.tf
diff --git a/operations/terraform/deployed_env/cloudfront.tf b/operations/opentofu/deployed_env/cloudfront.tf
similarity index 100%
rename from operations/terraform/deployed_env/cloudfront.tf
rename to operations/opentofu/deployed_env/cloudfront.tf
diff --git a/operations/terraform/deployed_env/load-balancer.tf b/operations/opentofu/deployed_env/load-balancer.tf
similarity index 77%
rename from operations/terraform/deployed_env/load-balancer.tf
rename to operations/opentofu/deployed_env/load-balancer.tf
index 6aa4484..6536887 100644
--- a/operations/terraform/deployed_env/load-balancer.tf
+++ b/operations/opentofu/deployed_env/load-balancer.tf
@@ -1,6 +1,6 @@
 resource "aws_lb_target_group" "hff_entry_forms_api" {
 name = "${local.environment_name}-${substr(uuid(), 0, 2)}"
- port = 80
+ port = var.target_port
 protocol = "HTTP"
 target_type = "instance"
 vpc_id = data.terraform_remote_state.jdbsoft.outputs.aws_vpc_jdbsoft.id
@@ -41,3 +41,9 @@ resource "aws_lb_listener_rule" "hff_entry_forms_api" {
 Environment = local.environment_name
 }
 }
+
+resource "aws_lb_target_group_attachment" "hff_entry_forms_api" {
+ target_group_arn = aws_lb_target_group.hff_entry_forms_api.arn
+ target_id = data.terraform_remote_state.jdbsoft.outputs.sobeck-instance-id
+ port = var.target_port
+}
diff --git a/operations/terraform/deployed_env/variables.tf b/operations/opentofu/deployed_env/variables.tf
similarity index 93%
rename from operations/terraform/deployed_env/variables.tf
rename to operations/opentofu/deployed_env/variables.tf
index 75967a2..ab2beef 100644
--- a/operations/terraform/deployed_env/variables.tf
+++ b/operations/opentofu/deployed_env/variables.tf
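Review bot: The new `aws_lb_target_group_attachment` registers one EC2 instance (`sobeck-instance-id`) on `var.target_port`, and nothing in this diff opens or restricts that port on the instance — confirm the instance security group admits `var.target_port` only from the load balancer's security group, because the systemd unit added in this commit publishes the port on all interfaces. The target group keeps `protocol = "HTTP"`, so ALB-to-instance traffic stays plaintext inside the VPC as it did under ECS; acceptable, but worth a comment so it is a recorded decision. Both the dev and prod modules now attach to the same host on adjacent ports, which removes the per-task isolation the ECS service gave (a container escape in one environment lands on the host shared with the other); if that is intended, say so, e.g. `# dev and prod share the sobeck host; isolation is per-container only`. The pre-existing `substr(uuid(), 0, 2)` in `name` is unrelated to this change but will yield a different name on every plan; since the file is being touched, a stable name or `name_prefix` would stop the perpetual diff.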
@@ -12,6 +12,10 @@ variable "ecr_repo" {
 description = "ECR repository information."
 }
 
+variable "target_port" {
+ description = "The port the deployed service will listen on."
+}
+
 variable "api_certificate_arn" {
 description = "ARN of the certificate to use for the API loadbalancer."
 }
diff --git a/operations/terraform/ecr.tf b/operations/opentofu/ecr.tf
similarity index 100%
rename from operations/terraform/ecr.tf
rename to operations/opentofu/ecr.tf
diff --git a/operations/terraform/main.tf b/operations/opentofu/main.tf
similarity index 84%
rename from operations/terraform/main.tf
rename to operations/opentofu/main.tf
index bb4f89e..0a6f18e 100644
--- a/operations/terraform/main.tf
+++ b/operations/opentofu/main.tf
@@ -15,6 +15,7 @@ module "dev_env" {
 artifact_bucket = aws_s3_bucket.hff_entry_forms
 cloudfront_certificate_arn = var.cloudfront_certificate_arn
 ecr_repo = aws_ecr_repository.hff_entry_forms_api
+ target_port = 6005
 }
 
 module "prod_env" {
@@ -25,11 +26,14 @@ module "prod_env" {
 artifact_bucket = aws_s3_bucket.hff_entry_forms
 cloudfront_certificate_arn = var.cloudfront_certificate_arn
 ecr_repo = aws_ecr_repository.hff_entry_forms_api
+ target_port = 6006
 }
 
 data "aws_iam_policy_document" "cloudfront_access_policy" {
- source_json = "${module.dev_env.oai_access_policy.json}"
- override_json = "${module.prod_env.oai_access_policy.json}"
+ source_policy_documents = [
+ module.dev_env.oai_access_policy.json,
+ module.prod_env.oai_access_policy.json
+ ]
 }
 
 resource "aws_s3_bucket_policy" "hff_entry_forms" {
diff --git a/operations/terraform/terraform.tf b/operations/opentofu/terraform.tf
similarity index 100%
rename from operations/terraform/terraform.tf
rename to operations/opentofu/terraform.tf
diff --git a/operations/terraform/terraform.tfstate b/operations/opentofu/terraform.tfstate
similarity index 100%
rename from operations/terraform/terraform.tfstate
rename to operations/opentofu/terraform.tfstate
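Review bot: `variable "target_port"` declares no `type`, so a string such as `"6005"` or even a list is accepted at the module boundary and only fails inside the load-balancer resources; declare `type = number` and bound it so a bad value is rejected at plan time. The description should also state that the value must equal the host port the systemd unit publishes, since nothing in the configuration ties the two together.

```hcl
variable "target_port" {
  description = "Host port the deployed service listens on; must match TARGET_PORT in the systemd unit."
  type        = number

  validation {
    condition     = var.target_port > 0 && var.target_port < 65536
    error_message = "target_port must be a valid TCP port (1-65535)."
  }
}
```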
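Review bot: Replacing `source_json`/`override_json` with `source_policy_documents` changes the merge semantics, not just the attribute name: `override_json` let a prod statement with the same `Sid` silently replace the dev one, whereas `source_policy_documents` concatenates the documents and, if I read the provider 5.0 upgrade notes correctly, the AWS provider pinned here (5.62.0) rejects non-empty `Sid`s that collide across them — so if both `oai_access_policy` outputs use a fixed `Sid` this errors at plan time, and if they use none the bucket policy now carries both statements, which is presumably what was wanted. Confirm with `tofu plan` and record it, e.g. `# both environments' OAI statements are merged; Sids must be unique across modules`. Separately, the diffstat shows `terraform.tfstate` and `terraform.tfstate.backup` being carried along in git; state holds resource identifiers and any sensitive values, so this root module should use an encrypted remote backend with locking and the tracked state files should be removed from the repository and its history.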
diff --git a/operations/terraform/terraform.tfstate.backup b/operations/opentofu/terraform.tfstate.backup
similarity index 100%
rename from operations/terraform/terraform.tfstate.backup
rename to operations/opentofu/terraform.tfstate.backup
diff --git a/operations/terraform/deployed_env/ecs.tf b/operations/terraform/deployed_env/ecs.tf
deleted file mode 100644
index d31e6fc..0000000
--- a/operations/terraform/deployed_env/ecs.tf
+++ /dev/null
@@ -1,70 +0,0 @@ -resource "aws_secretsmanager_secret" "hff_entry_forms_api" { - name = "${local.environment_name}-Config" - tags = { Environment = local.environment_name } -} - -resource "aws_ecs_task_definition" "hff_entry_forms_api" { - family = local.environment_name - network_mode = "bridge" - requires_compatibilities = ["EC2"] - execution_role_arn = aws_iam_role.ecs_task.arn - - # See https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html - container_definitions = jsonencode([ - { - name = local.environment_name - image = "${var.ecr_repo.repository_url}:${data.external.git_describe.result.version}" - cpu = 128 - memory = 128 - memoryReservation = 32 - environment = [ - { - name = "PORT" - value = "80" - } - ] - portMappings = [ - { - protocol = "tcp" - containerPort = 80 - } - ] - secrets = [ - { - name = "INTEGRATION_TOKEN" - description = "Connection string with user credentials." - valueFrom = "${aws_secretsmanager_secret.hff_entry_forms_api.arn}:integrationToken::" - }, - { - name = "KNOWN_ORIGINS" - description = "Connection string with user credentials." - valueFrom = "${aws_secretsmanager_secret.hff_entry_forms_api.arn}:knownOrigins::" - } - ] - } - ]) - - tags = { - Name = local.api_domain_name - Environment = local.environment_name - } -} - -resource "aws_ecs_service" "hff_entry_forms_api" { - name = local.environment_name - cluster = data.terraform_remote_state.jdbsoft.outputs.aws_ecs_cluster_ortis.id - task_definition = aws_ecs_task_definition.hff_entry_forms_api.arn - desired_count = 1 - launch_type = "EC2" - - load_balancer { - target_group_arn = aws_lb_target_group.hff_entry_forms_api.arn - container_name = local.environment_name - container_port = 80 - } - - tags = { - Name = local.api_domain_name - Environment = local.environment_name - } -} diff --git a/operations/terraform/deployed_env/iam.tf b/operations/terraform/deployed_env/iam.tf deleted file mode 100644 index 7dd245c..0000000 
--- a/operations/terraform/deployed_env/iam.tf
+++ /dev/null
@@ -1,69 +0,0 @@
-resource "aws_iam_role" "ecs_task" {
- name = "${local.environment_name}-EcsTaskRole"
-
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Action = "sts:AssumeRole"
- Effect = "Allow"
- Sid = ""
- Principal = {
- Service = "ecs-tasks.amazonaws.com"
- }
- }
- ]
- })
-
- inline_policy {
- name = "AllowSecretsAccessForHffEntryFormsApiTasks"
- policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Effect = "Allow"
- Action = [
- "secretsmanager:GetSecretValue",
- "kms:Decrypt"
- ]
- Resource = [
- aws_secretsmanager_secret.hff_entry_forms_api.arn
- ]
- }
- ]
- })
- }
-
- inline_policy {
- name = "AllowAccessToEcrForHffEntryFormsApiTasks"
- policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Effect = "Allow"
- Action = [
- "ecr:GetAuthorizationToken"
- ]
- Resource = [ "*" ]
- },
- {
- Effect = "Allow"
- Action = [
- "ecr:BatchGetImage",
- "ecr:BatchCheckLayerAvailability",
- "ecr:DescribeImages",
- "ecr:GetDownloadUrlForLayer"
- ]
- Resource = [
- var.ecr_repo.arn
- ]
- }
- ]
- })
- }
-
- tags = {
- Name = "HffEntryForms-EcsTaskRole"
- Environment = local.environment_name
- }
-}