Migrate off of ECS onto sobeck.jdb-software.com.

2024-08-12 12:14:01 -05:00
parent dfaede9fd8
commit 9cbc1e708a
15 changed files with 87 additions and 142 deletions
--- a/operations/opentofu/.terraform.lock.hcl
+++ b/operations/opentofu/.terraform.lock.hcl
@@ -0,0 +1,36 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/aws" {
+  version = "5.62.0"
+  hashes = [
+    "h1:DzXMlmL2hRPfACAbN1PUhnLDGY9Kl0vbrt05qSfGsxA=",
+    "zh:2cb519ce7f3cbcb88b2e93dd3b3424ad85a347fc0e7429661945da5df8a20fda",
+    "zh:2fc7ed911cceaa1652d1f4090eaa91e8463aba86873910bccf16601260379886",
+    "zh:395b32d157adeb92571a0efd230c73bbee01744782a50356fb16e8946bd63ffb",
+    "zh:43303d36af40a568cd40bd54dc9e8430e18c4a4d78682b459dca8c755c717a0c",
+    "zh:65b2c6e955deeeffb9d9cd4ed97e8c532a453ba690d0e3d88c740f9036bccc4d",
+    "zh:a9d09dc9daf33b16894ed7d192ceb4c402261da58cded503a3ffa1dd2373e3fb",
+    "zh:c5e9f8bc4397c2075b6dc62458be51b93322517affd760c161633d56b0b9a334",
+    "zh:db0921c091402179edd549f8aa4f12dce18aab09d4302e800c67d6ec6ff88a86",
+    "zh:e7d13f9c0891446d03c29e4fcd60de633f71bbf1bc9786fca47a0ee356ac979a",
+    "zh:f128a725dbdbd31b9ed8ea478782152339c9fab4d635485763c8da2a477fe3f6",
+  ]
+}
+
+provider "registry.opentofu.org/hashicorp/external" {
+  version = "2.3.3"
+  hashes = [
+    "h1:bDJy8Mj5PMTEuxm6Wu9A9dATBL+mQDmHx8NnLzjvCcc=",
+    "zh:1ec36864a1872abdfd1c53ba3c6837407564ac0d86ab80bf4fdc87b41106fe68",
+    "zh:2117e0edbdc88f0d22fe02fe6b2cfbbbc5d5ce40f8f58e484d8d77d64dd7340f",
+    "zh:4bcfdacd8e2508c16e131de9072cecd359e0ade3b8c6798a049883f37a5872ea",
+    "zh:4da71bc601a37bf8b7413c142d43f5f28e97e531d4836ee8624f41b9fb62e250",
+    "zh:55b9eebac79a46f88db5615f1ee0ac4c3f9351caa4eb8542171ef5d87de60338",
+    "zh:74d64afaef190321f8ddf1c4a9c6489d6cf51098704a2456c1553406e8306328",
+    "zh:8a357e51a0ec69872fafc64da3c6a1039277d325255ef5a264b727d83995d18b",
+    "zh:aacd2e6c13fe19115d51cd28a40a28da017bb48c2e18dec4460d1c37506b1495",
+    "zh:e19c8bdf0e059341d008a50f9138c44009e9ebb3a8047a300e6bc63ed8af8ea0",
+    "zh:fafa9639d8b8402e35f3864c6cfb0762ec57cc365a8f383e2acf81105b1b9eea",
+  ]
+}
--- a/operations/opentofu/common.tf
+++ b/operations/opentofu/common.tf
@@ -0,0 +1,21 @@
+### Variables
+
+variable "aws_region" {
+  description = "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html"
+  default = "us-west-2" # Oregon
+}
+
+variable "app_root_url" {
+  description = "Name of the S3 bucket to store deployed artifacts, logs, etc."
+  default = "forms.hopefamilyfellowship.com"
+}
+
+variable "cloudfront_certificate_arn" {
+  description = "Name of the certificate to use for CloudFront distributions (must be in us-east-1)."
+  default = "arn:aws:acm:us-east-1:063932952339:certificate/8e4b4a05-d61e-49af-b7e9-8e59999f197a"
+}
+
+variable "api_certificate_arn" {
+  description = "Name of the certificate to use for the API load balancer (must be in the same region as the loadbalancer)."
+  default = "arn:aws:acm:us-west-2:063932952339:certificate/04c33fd7-a6b0-4f58-8e8a-fddbe361aa85"
+}
--- a/operations/opentofu/deployed_env/cloudfront.tf
+++ b/operations/opentofu/deployed_env/cloudfront.tf
@@ -0,0 +1,99 @@
+data "aws_iam_policy_document" "bucket_access_policy" {
+  statement {
+    actions   = [ "s3:GetObject" ]
+    effect    = "Allow"
+    resources = [ "${var.artifact_bucket.arn}/${var.environment}/webroot/*" ]
+
+    principals {
+      type        = "AWS"
+      identifiers = [ aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn ]
+    }
+  }
+
+  statement {
+    actions   = [ "s3:ListBucket" ]
+    effect    = "Allow"
+    resources = [ var.artifact_bucket.arn ]
+
+    principals {
+      type        = "AWS"
+      identifiers = [ aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn ]
+    }
+  }
+}
+
+output "oai_access_policy" {
+ value = data.aws_iam_policy_document.bucket_access_policy
+}
+
+resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {
+  comment = "OAI for HFF Entry Forms {$var.environment} environment."
+}
+
+resource "aws_cloudfront_distribution" "s3_distribution" {
+  origin {
+    domain_name = var.artifact_bucket.bucket_regional_domain_name
+    origin_id   = "S3-HffEntryForms-${var.environment}"
+    origin_path = "/${var.environment}/webroot"
+
+    s3_origin_config {
+      origin_access_identity = aws_cloudfront_origin_access_identity.origin_access_identity.cloudfront_access_identity_path
+    }
+  }
+
+  enabled             = true
+  is_ipv6_enabled     = true
+  comment             = "HFF Entry Forms ${var.environment} distribution."
+  default_root_object = "/index.html"
+
+  logging_config {
+    include_cookies = false
+    bucket          = var.artifact_bucket.bucket_domain_name
+    prefix          = "${var.environment}/logs/cloudfront"
+  }
+
+  aliases = [local.app_domain_name]
+
+  default_cache_behavior {
+    allowed_methods   = ["GET", "HEAD", "OPTIONS"]
+    cached_methods    = ["GET", "HEAD", "OPTIONS"]
+    target_origin_id  = "S3-HffEntryForms-${var.environment}"
+
+    forwarded_values {
+      query_string = false
+
+      cookies {
+        forward = "none"
+      }
+    }
+
+    min_ttl                 = 0
+    default_ttl             = 60 * 60 * 24 * 365  # cache for a year
+    max_ttl                 = 60 * 60 * 24 * 365  # cache for a year
+    compress                = true
+    viewer_protocol_policy  = "redirect-to-https"
+  }
+
+  custom_error_response {
+    error_code          = 404
+    response_code       = 200
+    response_page_path  = "/index.html"
+  }
+
+  price_class = "PriceClass_100" # US and Canada only
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+  tags = {
+    Environment = local.environment_name
+  }
+
+  viewer_certificate {
+    # TODO
+    acm_certificate_arn = var.cloudfront_certificate_arn
+    ssl_support_method  = "sni-only"
+  }
+}
--- a/operations/opentofu/deployed_env/load-balancer.tf
+++ b/operations/opentofu/deployed_env/load-balancer.tf
@@ -0,0 +1,49 @@
+resource "aws_lb_target_group" "hff_entry_forms_api" {
+  name        = "${local.environment_name}-${substr(uuid(), 0, 2)}"
+  port        = var.target_port
+  protocol    = "HTTP"
+  target_type = "instance"
+  vpc_id      = data.terraform_remote_state.jdbsoft.outputs.aws_vpc_jdbsoft.id
+
+  health_check {
+    enabled   = true
+    matcher   = "200"
+    path      = "/v1/version"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+    ignore_changes        = [name]
+  }
+
+  tags = {
+    Name        = local.api_domain_name
+    Environment = local.environment_name
+  }
+}
+
+resource "aws_lb_listener_rule" "hff_entry_forms_api" {
+  listener_arn  = data.terraform_remote_state.jdbsoft.outputs.aws_lb_listener_https.arn
+
+  action {
+    type              = "forward"
+    target_group_arn  = aws_lb_target_group.hff_entry_forms_api.arn
+  }
+
+  condition {
+    host_header {
+      values = [ local.api_domain_name ]
+    }
+  }
+
+  tags = {
+    Name        = "${local.api_domain_name} HTTPS"
+    Environment = local.environment_name
+  }
+}
+
+resource "aws_lb_target_group_attachment" "hff_entry_forms_api" {
+  target_group_arn  = aws_lb_target_group.hff_entry_forms_api.arn
+  target_id         = data.terraform_remote_state.jdbsoft.outputs.sobeck-instance-id
+  port              = var.target_port
+}
--- a/operations/opentofu/deployed_env/variables.tf
+++ b/operations/opentofu/deployed_env/variables.tf
@@ -0,0 +1,46 @@
+### Variables
+
+variable "environment" {
+  description = "The short name of this deployed environment. For example: 'dev' or 'prod'. This short name will be used to name resources (CloudFront distributions, etc.)"
+}
+
+variable "artifact_bucket" {
+  description = "The aws_s3_bucket object representing the artifact bucket where deployed artifacts, logs, etc. live."
+}
+
+variable "ecr_repo" {
+  description = "ECR repository information."
+}
+
+variable "target_port" {
+  description = "The port the deployed service will listen on."
+}
+
+variable "api_certificate_arn" {
+  description = "ARN of the certificate to use for the API loadbalancer."
+}
+
+variable "cloudfront_certificate_arn" {
+  description = "ARN of the certificate to use for CloudFront."
+}
+
+locals {
+  environment_name  = "HffEntryForms-${var.environment}"
+  app_domain_name   = "forms${var.environment == "prod" ? "" : "-${var.environment}"}.hopefamilyfellowship.com"
+  api_domain_name   = "forms-api${var.environment == "prod" ? "" : "-${var.environment}"}.hopefamilyfellowship.com"
+}
+
+data "external" "git_describe" {
+  program = ["sh", "-c", "git describe | xargs printf '{\"version\": \"%s\"}'"]
+}
+
+data "terraform_remote_state" "jdbsoft" {
+  backend = "s3"
+
+  config = {
+    bucket = "operations.jdb-software.com"
+    region = "us-west-2"
+    key    = "terraform/operations.tfstate"
+    dynamodb_table = "terraform-state-lock.jdb-software.com"
+  }
+}
--- a/operations/opentofu/ecr.tf
+++ b/operations/opentofu/ecr.tf
@@ -0,0 +1,8 @@
+resource "aws_ecr_repository" "hff_entry_forms_api" {
+  name                  = "hff_entry_forms_api"
+  image_tag_mutability  = "IMMUTABLE"
+
+  image_scanning_configuration {
+    scan_on_push  = true
+  }
+}
--- a/operations/opentofu/main.tf
+++ b/operations/opentofu/main.tf
@@ -0,0 +1,42 @@
+provider "aws" {
+  region = var.aws_region
+}
+
+resource "aws_s3_bucket" "hff_entry_forms" {
+  bucket = var.app_root_url
+  acl    = "log-delivery-write"
+}
+
+module "dev_env" {
+  source = "./deployed_env"
+
+  environment                 = "dev"
+  api_certificate_arn         = var.api_certificate_arn
+  artifact_bucket             = aws_s3_bucket.hff_entry_forms
+  cloudfront_certificate_arn  = var.cloudfront_certificate_arn
+  ecr_repo                    = aws_ecr_repository.hff_entry_forms_api
+  target_port                 = 6005
+}
+
+module "prod_env" {
+  source = "./deployed_env"
+
+  environment                 = "prod"
+  api_certificate_arn         = var.api_certificate_arn
+  artifact_bucket             = aws_s3_bucket.hff_entry_forms
+  cloudfront_certificate_arn  = var.cloudfront_certificate_arn
+  ecr_repo                    = aws_ecr_repository.hff_entry_forms_api
+  target_port                 = 6006
+}
+
+data "aws_iam_policy_document" "cloudfront_access_policy" {
+  source_policy_documents = [
+    module.dev_env.oai_access_policy.json,
+    module.prod_env.oai_access_policy.json
+  ]
+}
+
+resource "aws_s3_bucket_policy" "hff_entry_forms" {
+  bucket = aws_s3_bucket.hff_entry_forms.id
+  policy = data.aws_iam_policy_document.cloudfront_access_policy.json
+}
--- a/operations/opentofu/terraform.tf
+++ b/operations/opentofu/terraform.tf
@@ -0,0 +1,8 @@
+terraform {
+  backend "s3" {
+    bucket = "forms.hopefamilyfellowship.com"
+    region = "us-west-2"
+    key    = "terraform.tfstate"
+    dynamodb_table = "terraform-state-lock.jdb-software.com"
+  }
+}
--- a/operations/opentofu/terraform.tfstate
+++ b/operations/opentofu/terraform.tfstate
--- a/operations/opentofu/terraform.tfstate.backup
+++ b/operations/opentofu/terraform.tfstate.backup
@@ -0,0 +1,88 @@
+{
+  "version": 4,
+  "terraform_version": "0.13.1",
+  "serial": 3,
+  "lineage": "a0c8b19d-5dd4-8895-bb16-f9d47e764e93",
+  "outputs": {},
+  "resources": [
+    {
+      "mode": "managed",
+      "type": "aws_ecr_repository",
+      "name": "hff_entry_forms",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "arn": "arn:aws:ecr:us-west-2:063932952339:repository/hff_entry_forms",
+            "encryption_configuration": [
+              {
+                "encryption_type": "AES256",
+                "kms_key": ""
+              }
+            ],
+            "id": "hff_entry_forms",
+            "image_scanning_configuration": [
+              {
+                "scan_on_push": true
+              }
+            ],
+            "image_tag_mutability": "IMMUTABLE",
+            "name": "hff_entry_forms",
+            "registry_id": "063932952339",
+            "repository_url": "063932952339.dkr.ecr.us-west-2.amazonaws.com/hff_entry_forms",
+            "tags": null,
+            "tags_all": {},
+            "timeouts": null
+          },
+          "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiZGVsZXRlIjoxMjAwMDAwMDAwMDAwfX0="
+        }
+      ]
+    },
+    {
+      "mode": "managed",
+      "type": "aws_s3_bucket",
+      "name": "hff_entry_forms",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "acceleration_status": "",
+            "acl": "log-delivery-write",
+            "arn": "arn:aws:s3:::forms.hopefamilyfellowship.com",
+            "bucket": "forms.hopefamilyfellowship.com",
+            "bucket_domain_name": "forms.hopefamilyfellowship.com.s3.amazonaws.com",
+            "bucket_prefix": null,
+            "bucket_regional_domain_name": "forms.hopefamilyfellowship.com.s3.us-west-2.amazonaws.com",
+            "cors_rule": [],
+            "force_destroy": false,
+            "grant": [],
+            "hosted_zone_id": "Z3BJ6K6RIION7M",
+            "id": "forms.hopefamilyfellowship.com",
+            "lifecycle_rule": [],
+            "logging": [],
+            "object_lock_configuration": [],
+            "policy": null,
+            "region": "us-west-2",
+            "replication_configuration": [],
+            "request_payer": "BucketOwner",
+            "server_side_encryption_configuration": [],
+            "tags": null,
+            "tags_all": {},
+            "versioning": [
+              {
+                "enabled": false,
+                "mfa_delete": false
+              }
+            ],
+            "website": [],
+            "website_domain": null,
+            "website_endpoint": null
+          },
+          "private": "bnVsbA=="
+        }
+      ]
+    }
+  ]
+}