Migrate off of ECS onto sobeck.jdb-software.com.

.tool-versions

@@ -0,0 +1 @@
+opentofu 1.8.1

api/Makefile

@@ -82,3 +82,20 @@ echo-vars:
 		"VERSION=$(VERSION)\n" \
 		"PORT=$(PORT)\n" \
 		"INTEGRATION_TOKEN=$(INTEGRATION_TOKEN)\n"
+
+publis:
+	-rm -r deploy
+	-mkdir deploy
+	m4 \
+		-D "HFF_ENTRY_FORMS_API_VERSION=$(VERSION)" \
+		-D "TARGET_ENV=$(TARGET_ENV)" \
+		-D "TARGET_PORT=$(TARGET_PORT)" \
+		hff_entry_forms_api.service \
+		> deploy/hff_entry_forms_api.$(TARGET_ENV).service
+	-ssh deployer@$(TARGET_SERVER) "docker stop hff_entry_forms.$(TARGET_ENV).service && sudo systemctl stop hff_entry_forms.$(TARGET_ENV)"
+	ssh deployer@$(TARGET_SERVER) "aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin $(ECR_ACCOUNT_URL) && docker pull $(ECR_ACCOUNT_URL)/hff_entry_forms:$(VERSION)"
+	scp \
+		deploy/hff_entry_forms.$(TARGET_ENV).service \
+		deployer@$(TARGET_SERVER):/etc/systemd/system/hff_entry_forms.$(TARGET_ENV).service
+	ssh deployer@$(TARGET_SERVER) "sudo systemctl daemon-reload"
+	ssh deployer@$(TARGET_SERVER) "sudo systemctl start hff_entry_forms.$(TARGET_ENV)"

api/hff_entry_forms.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=HFF Entry Forms (TARGET_ENV)
+After=network-online.target
+Requires=docker.service
+
+[Service]
+TimeoutStartSec=0
+Restart=always
+ExecStartPre=-/usr/bin/docker rm %n
+ExecStart=/usr/bin/docker run --rm -p TARGET_PORT:80 --name %n \
+  --env-file /etc/hff_entry_forms/TARGET_ENV.env \
+  063932952339.dkr.ecr.us-west-2.amazonaws.com/hff_entry_forms:HFF_ENTRY_FORMS_VERSION
+ExecStop=/usr/bin/docker stop --name %n
+
+[Install]
+WantedBy=default.target

operations/opentofu/.terraform.lock.hcl

@@ -0,0 +1,36 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/aws" {
+  version = "5.62.0"
+  hashes = [
+    "h1:DzXMlmL2hRPfACAbN1PUhnLDGY9Kl0vbrt05qSfGsxA=",
+    "zh:2cb519ce7f3cbcb88b2e93dd3b3424ad85a347fc0e7429661945da5df8a20fda",
+    "zh:2fc7ed911cceaa1652d1f4090eaa91e8463aba86873910bccf16601260379886",
+    "zh:395b32d157adeb92571a0efd230c73bbee01744782a50356fb16e8946bd63ffb",
+    "zh:43303d36af40a568cd40bd54dc9e8430e18c4a4d78682b459dca8c755c717a0c",
+    "zh:65b2c6e955deeeffb9d9cd4ed97e8c532a453ba690d0e3d88c740f9036bccc4d",
+    "zh:a9d09dc9daf33b16894ed7d192ceb4c402261da58cded503a3ffa1dd2373e3fb",
+    "zh:c5e9f8bc4397c2075b6dc62458be51b93322517affd760c161633d56b0b9a334",
+    "zh:db0921c091402179edd549f8aa4f12dce18aab09d4302e800c67d6ec6ff88a86",
+    "zh:e7d13f9c0891446d03c29e4fcd60de633f71bbf1bc9786fca47a0ee356ac979a",
+    "zh:f128a725dbdbd31b9ed8ea478782152339c9fab4d635485763c8da2a477fe3f6",
+  ]
+}
+
+provider "registry.opentofu.org/hashicorp/external" {
+  version = "2.3.3"
+  hashes = [
+    "h1:bDJy8Mj5PMTEuxm6Wu9A9dATBL+mQDmHx8NnLzjvCcc=",
+    "zh:1ec36864a1872abdfd1c53ba3c6837407564ac0d86ab80bf4fdc87b41106fe68",
+    "zh:2117e0edbdc88f0d22fe02fe6b2cfbbbc5d5ce40f8f58e484d8d77d64dd7340f",
+    "zh:4bcfdacd8e2508c16e131de9072cecd359e0ade3b8c6798a049883f37a5872ea",
+    "zh:4da71bc601a37bf8b7413c142d43f5f28e97e531d4836ee8624f41b9fb62e250",
+    "zh:55b9eebac79a46f88db5615f1ee0ac4c3f9351caa4eb8542171ef5d87de60338",
+    "zh:74d64afaef190321f8ddf1c4a9c6489d6cf51098704a2456c1553406e8306328",
+    "zh:8a357e51a0ec69872fafc64da3c6a1039277d325255ef5a264b727d83995d18b",
+    "zh:aacd2e6c13fe19115d51cd28a40a28da017bb48c2e18dec4460d1c37506b1495",
+    "zh:e19c8bdf0e059341d008a50f9138c44009e9ebb3a8047a300e6bc63ed8af8ea0",
+    "zh:fafa9639d8b8402e35f3864c6cfb0762ec57cc365a8f383e2acf81105b1b9eea",
+  ]
+}

operations/opentofu/deployed_env/load-balancer.tf

@@ -1,6 +1,6 @@
 resource "aws_lb_target_group" "hff_entry_forms_api" {
   name        = "${local.environment_name}-${substr(uuid(), 0, 2)}"
-  port        = 80
+  port        = var.target_port
   protocol    = "HTTP"
   target_type = "instance"
   vpc_id      = data.terraform_remote_state.jdbsoft.outputs.aws_vpc_jdbsoft.id
@@ -41,3 +41,9 @@ resource "aws_lb_listener_rule" "hff_entry_forms_api" {
     Environment = local.environment_name
   }
 }
+
+resource "aws_lb_target_group_attachment" "hff_entry_forms_api" {
+  target_group_arn  = aws_lb_target_group.hff_entry_forms_api.arn
+  target_id         = data.terraform_remote_state.jdbsoft.outputs.sobeck-instance-id
+  port              = var.target_port
+}

operations/opentofu/deployed_env/variables.tf

@@ -12,6 +12,10 @@ variable "ecr_repo" {
   description = "ECR repository information."
 }
 
+variable "target_port" {
+  description = "The port the deployed service will listen on."
+}
+
 variable "api_certificate_arn" {
   description = "ARN of the certificate to use for the API loadbalancer."
 }

operations/opentofu/main.tf

@@ -15,6 +15,7 @@ module "dev_env" {
   artifact_bucket             = aws_s3_bucket.hff_entry_forms
   cloudfront_certificate_arn  = var.cloudfront_certificate_arn
   ecr_repo                    = aws_ecr_repository.hff_entry_forms_api
+  target_port                 = 6005
 }
 
 module "prod_env" {
@@ -25,11 +26,14 @@ module "prod_env" {
   artifact_bucket             = aws_s3_bucket.hff_entry_forms
   cloudfront_certificate_arn  = var.cloudfront_certificate_arn
   ecr_repo                    = aws_ecr_repository.hff_entry_forms_api
+  target_port                 = 6006
 }
 
 data "aws_iam_policy_document" "cloudfront_access_policy" {
-  source_json   = "${module.dev_env.oai_access_policy.json}"
-  override_json = "${module.prod_env.oai_access_policy.json}"
+  source_policy_documents = [
+    module.dev_env.oai_access_policy.json,
+    module.prod_env.oai_access_policy.json
+  ]
 }
 
 resource "aws_s3_bucket_policy" "hff_entry_forms" {

operations/terraform/deployed_env/ecs.tf

@@ -1,70 +0,0 @@
-resource "aws_secretsmanager_secret" "hff_entry_forms_api" {
-  name  = "${local.environment_name}-Config"
-  tags  = { Environment = local.environment_name }
-}
-
-resource "aws_ecs_task_definition" "hff_entry_forms_api" {
-  family                    = local.environment_name
-  network_mode              = "bridge"
-  requires_compatibilities  = ["EC2"]
-  execution_role_arn        = aws_iam_role.ecs_task.arn
-
-  # See https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html
-  container_definitions = jsonencode([
-    {
-      name              = local.environment_name
-      image             = "${var.ecr_repo.repository_url}:${data.external.git_describe.result.version}"
-      cpu               = 128
-      memory            = 128
-      memoryReservation = 32
-      environment       = [
-        {
-          name  = "PORT"
-          value = "80"
-        }
-      ]
-      portMappings      = [
-        {
-          protocol      = "tcp"
-          containerPort = 80
-        }
-      ]
-      secrets           = [
-        {
-          name      = "INTEGRATION_TOKEN"
-          description = "Connection string with user credentials."
-          valueFrom   = "${aws_secretsmanager_secret.hff_entry_forms_api.arn}:integrationToken::"
-        },
-        {
-          name      = "KNOWN_ORIGINS"
-          description = "Connection string with user credentials."
-          valueFrom   = "${aws_secretsmanager_secret.hff_entry_forms_api.arn}:knownOrigins::"
-        }
-      ]
-    }
-  ])
-
-  tags = {
-    Name        = local.api_domain_name
-    Environment = local.environment_name
-  }
-}
-
-resource "aws_ecs_service" "hff_entry_forms_api" {
-  name            = local.environment_name
-  cluster         = data.terraform_remote_state.jdbsoft.outputs.aws_ecs_cluster_ortis.id
-  task_definition = aws_ecs_task_definition.hff_entry_forms_api.arn
-  desired_count   = 1
-  launch_type     = "EC2"
-
-  load_balancer {
-    target_group_arn  = aws_lb_target_group.hff_entry_forms_api.arn
-    container_name    = local.environment_name
-    container_port    = 80
-  }
-
-  tags = {
-    Name        = local.api_domain_name
-    Environment = local.environment_name
-  }
-}

operations/terraform/deployed_env/iam.tf

@@ -1,69 +0,0 @@
-resource "aws_iam_role" "ecs_task" {
-  name  = "${local.environment_name}-EcsTaskRole"
-
-  assume_role_policy = jsonencode({
-    Version   = "2012-10-17"
-    Statement = [
-      {
-        Action    = "sts:AssumeRole"
-        Effect    = "Allow"
-        Sid       = ""
-        Principal = {
-          Service = "ecs-tasks.amazonaws.com"
-        }
-      }
-    ]
-  })
-
-  inline_policy {
-    name    = "AllowSecretsAccessForHffEntryFormsApiTasks"
-    policy  = jsonencode({
-      Version   = "2012-10-17"
-      Statement = [
-        {
-          Effect    = "Allow"
-          Action    = [
-            "secretsmanager:GetSecretValue",
-            "kms:Decrypt"
-          ]
-          Resource  = [
-            aws_secretsmanager_secret.hff_entry_forms_api.arn
-          ]
-        }
-      ]
-    })
-  }
-
-  inline_policy {
-    name    = "AllowAccessToEcrForHffEntryFormsApiTasks"
-    policy  = jsonencode({
-      Version   = "2012-10-17"
-      Statement = [
-        {
-          Effect    = "Allow"
-          Action    = [
-            "ecr:GetAuthorizationToken"
-          ]
-          Resource  = [ "*" ]
-        },
-        {
-          Effect    = "Allow"
-          Action    = [
-            "ecr:BatchGetImage",
-            "ecr:BatchCheckLayerAvailability",
-            "ecr:DescribeImages",
-            "ecr:GetDownloadUrlForLayer"
-          ]
-          Resource  = [
-            var.ecr_repo.arn
-          ]
-        }
-      ]
-    })
-  }
-
-  tags = {
-    Name        = "HffEntryForms-EcsTaskRole"
-    Environment = local.environment_name
-  }
-}