Migrate off of ECS onto sobeck.jdb-software.com.

operations/opentofu/deployed_env/cloudfront.tf

@@ -0,0 +1,99 @@
+data "aws_iam_policy_document" "bucket_access_policy" {
+  statement {
+    actions   = [ "s3:GetObject" ]
+    effect    = "Allow"
+    resources = [ "${var.artifact_bucket.arn}/${var.environment}/webroot/*" ]
+
+    principals {
+      type        = "AWS"
+      identifiers = [ aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn ]
+    }
+  }
+
+  statement {
+    actions   = [ "s3:ListBucket" ]
+    effect    = "Allow"
+    resources = [ var.artifact_bucket.arn ]
+
+    principals {
+      type        = "AWS"
+      identifiers = [ aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn ]
+    }
+  }
+}
+
+output "oai_access_policy" {
+ value = data.aws_iam_policy_document.bucket_access_policy
+}
+
+resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {
+  comment = "OAI for HFF Entry Forms {$var.environment} environment."
+}
+
+resource "aws_cloudfront_distribution" "s3_distribution" {
+  origin {
+    domain_name = var.artifact_bucket.bucket_regional_domain_name
+    origin_id   = "S3-HffEntryForms-${var.environment}"
+    origin_path = "/${var.environment}/webroot"
+
+    s3_origin_config {
+      origin_access_identity = aws_cloudfront_origin_access_identity.origin_access_identity.cloudfront_access_identity_path
+    }
+  }
+
+  enabled             = true
+  is_ipv6_enabled     = true
+  comment             = "HFF Entry Forms ${var.environment} distribution."
+  default_root_object = "/index.html"
+
+  logging_config {
+    include_cookies = false
+    bucket          = var.artifact_bucket.bucket_domain_name
+    prefix          = "${var.environment}/logs/cloudfront"
+  }
+
+  aliases = [local.app_domain_name]
+
+  default_cache_behavior {
+    allowed_methods   = ["GET", "HEAD", "OPTIONS"]
+    cached_methods    = ["GET", "HEAD", "OPTIONS"]
+    target_origin_id  = "S3-HffEntryForms-${var.environment}"
+
+    forwarded_values {
+      query_string = false
+
+      cookies {
+        forward = "none"
+      }
+    }
+
+    min_ttl                 = 0
+    default_ttl             = 60 * 60 * 24 * 365  # cache for a year
+    max_ttl                 = 60 * 60 * 24 * 365  # cache for a year
+    compress                = true
+    viewer_protocol_policy  = "redirect-to-https"
+  }
+
+  custom_error_response {
+    error_code          = 404
+    response_code       = 200
+    response_page_path  = "/index.html"
+  }
+
+  price_class = "PriceClass_100" # US and Canada only
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+  tags = {
+    Environment = local.environment_name
+  }
+
+  viewer_certificate {
+    # TODO
+    acm_certificate_arn = var.cloudfront_certificate_arn
+    ssl_support_method  = "sni-only"
+  }
+}

operations/opentofu/deployed_env/load-balancer.tf

@@ -0,0 +1,49 @@
+resource "aws_lb_target_group" "hff_entry_forms_api" {
+  name        = "${local.environment_name}-${substr(uuid(), 0, 2)}"
+  port        = var.target_port
+  protocol    = "HTTP"
+  target_type = "instance"
+  vpc_id      = data.terraform_remote_state.jdbsoft.outputs.aws_vpc_jdbsoft.id
+
+  health_check {
+    enabled   = true
+    matcher   = "200"
+    path      = "/v1/version"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+    ignore_changes        = [name]
+  }
+
+  tags = {
+    Name        = local.api_domain_name
+    Environment = local.environment_name
+  }
+}
+
+resource "aws_lb_listener_rule" "hff_entry_forms_api" {
+  listener_arn  = data.terraform_remote_state.jdbsoft.outputs.aws_lb_listener_https.arn
+
+  action {
+    type              = "forward"
+    target_group_arn  = aws_lb_target_group.hff_entry_forms_api.arn
+  }
+
+  condition {
+    host_header {
+      values = [ local.api_domain_name ]
+    }
+  }
+
+  tags = {
+    Name        = "${local.api_domain_name} HTTPS"
+    Environment = local.environment_name
+  }
+}
+
+resource "aws_lb_target_group_attachment" "hff_entry_forms_api" {
+  target_group_arn  = aws_lb_target_group.hff_entry_forms_api.arn
+  target_id         = data.terraform_remote_state.jdbsoft.outputs.sobeck-instance-id
+  port              = var.target_port
+}

operations/opentofu/deployed_env/variables.tf

@@ -0,0 +1,46 @@
+### Variables
+
+variable "environment" {
+  description = "The short name of this deployed environment. For example: 'dev' or 'prod'. This short name will be used to name resources (CloudFront distributions, etc.)"
+}
+
+variable "artifact_bucket" {
+  description = "The aws_s3_bucket object representing the artifact bucket where deployed artifacts, logs, etc. live."
+}
+
+variable "ecr_repo" {
+  description = "ECR repository information."
+}
+
+variable "target_port" {
+  description = "The port the deployed service will listen on."
+}
+
+variable "api_certificate_arn" {
+  description = "ARN of the certificate to use for the API loadbalancer."
+}
+
+variable "cloudfront_certificate_arn" {
+  description = "ARN of the certificate to use for CloudFront."
+}
+
+locals {
+  environment_name  = "HffEntryForms-${var.environment}"
+  app_domain_name   = "forms${var.environment == "prod" ? "" : "-${var.environment}"}.hopefamilyfellowship.com"
+  api_domain_name   = "forms-api${var.environment == "prod" ? "" : "-${var.environment}"}.hopefamilyfellowship.com"
+}
+
+data "external" "git_describe" {
+  program = ["sh", "-c", "git describe | xargs printf '{\"version\": \"%s\"}'"]
+}
+
+data "terraform_remote_state" "jdbsoft" {
+  backend = "s3"
+
+  config = {
+    bucket = "operations.jdb-software.com"
+    region = "us-west-2"
+    key    = "terraform/operations.tfstate"
+    dynamodb_table = "terraform-state-lock.jdb-software.com"
+  }
+}