Merge pull request #3 from NASA-IMPACT/fix/tf-env-variables

Tf env variables, remove dns

db/Dockerfile

@@ -1,4 +1,4 @@
-FROM public.ecr.aws/lambda/python:3.9
+FROM --platform=linux/amd64 public.ecr.aws/lambda/python:3.9
 
 # WORKDIR /tmp
 

docs/IACHOWTO.md

@@ -22,6 +22,8 @@ $ tfenv use 1.3.9
 5. we also use Terraform "workspaces" so our infra state stays nicely separated in the same S3 bucket. Some quick samples of how to interact with that:
 
 ```bash
+$ AWS_PROFILE=<account> terraform workspace new west2-staging
+
 $ AWS_PROFILE=<account> terraform workspace list        
 * default
   west2-staging

scripts/build.sh

@@ -1,15 +1,19 @@
 #!/bin/sh
+export TARGET_ENVIRONMENT=dev
+export TARGET_PROJECT_NAME=ghgc-features-api
 
-# aws ecr describe-repositories \
-#    | jq '.repositories | map(.repositoryUri)' \
-#    | grep $TARGET_PROJECT_NAME | grep $TARGET_ENVIRONMENT \
-#    | xargs -I {} bash -c "aws ecr get-login-password | docker login --username AWS --password-stdin {}"
+cd wfs3-app/
 
-# aws ecr describe-repositories \
-#     | jq '.repositories | map(.repositoryUri)' \
-#     | grep $TARGET_PROJECT_NAME | grep $TARGET_ENVIRONMENT \
-#     | sed -E 's/"|,//g' \
-#     | xargs -I {} docker build -t {}:latest ../wfs3-app/
+aws ecr describe-repositories \
+   | jq '.repositories | map(.repositoryUri)' \
+   | grep $TARGET_PROJECT_NAME | grep $TARGET_ENVIRONMENT \
+   | xargs -I {} bash -c "aws ecr get-login-password | docker login --username AWS --password-stdin {}"
+
+aws ecr describe-repositories \
+    | jq '.repositories | map(.repositoryUri)' \
+    | grep $TARGET_PROJECT_NAME | grep $TARGET_ENVIRONMENT \
+    | sed -E 's/"|,//g' \
+    | xargs -I {} docker build -t {}:latest ../wfs3-app/
 
 aws ecr describe-repositories \
     | jq '.repositories | map(.repositoryUri)' \

scripts/deploy.sh

@@ -0,0 +1,86 @@
+#! /bin/bash
+# Check .env file
+
+
+DOT_ENV=$1
+
+if [ -f $DOT_ENV ]
+then
+  set -a; source $DOT_ENV; set +a
+else
+  echo "Run: ./scripts/deploy.sh <.env_file>"
+  echo "Please create $DOT_ENV file first and try again"
+  exit 1
+fi
+
+function create_state_bucket {
+  # $1 region
+  # $2 bucket_name
+
+  aws s3 mb  s3://$2  --region $1
+  aws s3api put-bucket-versioning \
+    --bucket $2 \
+    --versioning-configuration Status=Enabled
+}
+
+function generate_terraform_variables {
+  tf_vars=(tf tfvars)
+    for tf_var in "${tf_vars[@]}"; do
+    (
+      echo "cat <<EOF"
+      cat terraform.${tf_var}.tmpl
+      echo EOF
+    ) | sh > terraform.${tf_var}
+  done
+
+}
+
+function check_create_remote_state {
+  # $1 aws_region
+  # $2 bucket name
+  # $3 dynamotable_name
+  AWS_REGION=$1
+  STATE_BUCKET_NAME=$2
+
+  bucketstatus=$(aws s3api head-bucket --bucket $STATE_BUCKET_NAME  2>&1)
+
+  if echo "${bucketstatus}" | grep 'Not Found';
+  then
+        echo "Creating TF remote state"
+        create_state_bucket $AWS_REGION $STATE_BUCKET_NAME
+  elif echo "${bucketstatus}" | grep 'Forbidden';
+  then
+    echo "Bucket $STATE_BUCKET_NAME exists but not owned"
+    exit 1
+  elif echo "${bucketstatus}" | grep 'Bad Request';
+  then
+    echo "Bucket $STATE_BUCKET_NAME specified is less than 3 or greater than 63 characters"
+    exit 1
+  else
+    echo "State Bucket $STATE_BUCKET_NAME owned and exists. Continue...";
+  fi
+}
+
+
+cd ./terraform/features-api
+generate_terraform_variables
+check_create_remote_state $AWS_REGION $STATE_BUCKET_NAME
+
+read -rp 'action [init|plan|deploy]: ' ACTION
+case $ACTION in
+  init)
+    terraform init
+    ;;
+  plan)
+    terraform plan
+    ;;
+
+  deploy)
+    terraform apply --auto-approve
+    ;;
+  *)
+    echo "Choose from 'init', 'plan' or 'deploy'"
+    exit 1
+    ;;
+esac
+

terraform/features-api/dns.tf

@@ -1,34 +1,34 @@
-data "aws_route53_zone" "zone" {
-  provider = aws.west2
-  name     = var.dns_zone_name
-}
+# data "aws_route53_zone" "zone" {
+#   provider = aws.west2
+#   name     = var.dns_zone_name
+# }
 
-resource "aws_acm_certificate" "cert" {
-  provider          = aws.west2
-  domain_name       = "*.${data.aws_route53_zone.zone.name}"
-  validation_method = "DNS"
-  tags              = var.tags
+# resource "aws_acm_certificate" "cert" {
+#   provider          = aws.west2
+#   domain_name       = "*.${data.aws_route53_zone.zone.name}"
+#   validation_method = "DNS"
+#   tags              = var.tags
 
-  lifecycle {
-    create_before_destroy = true
-  }
-}
+#   lifecycle {
+#     create_before_destroy = true
+#   }
+# }
 
-resource "aws_route53_record" "subdomain_record" {
-  provider = aws.west2
-  name     = "${var.dns_subdomain}.${data.aws_route53_zone.zone.name}"
-  zone_id  = data.aws_route53_zone.zone.id
-  type     = "A"
+# resource "aws_route53_record" "subdomain_record" {
+#   provider = aws.west2
+#   name     = "${var.dns_subdomain}.${data.aws_route53_zone.zone.name}"
+#   zone_id  = data.aws_route53_zone.zone.id
+#   type     = "A"
 
-  alias {
-    name                   = aws_alb.alb_ecs.dns_name
-    zone_id                = aws_alb.alb_ecs.zone_id
-    evaluate_target_health = true
-  }
-}
+#   alias {
+#     name                   = aws_alb.alb_ecs.dns_name
+#     zone_id                = aws_alb.alb_ecs.zone_id
+#     evaluate_target_health = true
+#   }
+# }
 
-resource "aws_lb_listener_certificate" "cert" {
-  provider        = aws.west2
-  listener_arn    = aws_alb_listener.alb_listener_ecs.arn
-  certificate_arn = aws_acm_certificate.cert.arn
-}
+# resource "aws_lb_listener_certificate" "cert" {
+#   provider        = aws.west2
+#   listener_arn    = aws_alb_listener.alb_listener_ecs.arn
+#   certificate_arn = aws_acm_certificate.cert.arn
+# }

terraform/features-api/ecs_api.tf

@@ -78,7 +78,7 @@ module "ecs_cluster" {
     {
       // stupid hack b/c of FastAPI and Starlette bug
       name  = "FAST_API_SCHEME"
-      value = var.env == "dev" ? "https" : "http" //quick hack for now, TODO: include 'contains' function
+      value = "http" //quick hack for now, TODO: include 'contains' function
     }
   ]
 
@@ -94,7 +94,7 @@ module "ecs_cluster" {
   load_balancer        = true
   lb_type              = "application"
   lb_target_group_arn  = aws_alb_target_group.alb_target_group.arn
-  lb_security_group_id = aws_security_group.web_inbound_sg.id
+  lb_security_group_id = aws_security_group.https_web_inbound_sg.id
   lb_container_port    = var.service_port
 
   tags = var.tags

terraform/features-api/load_balancer.tf

@@ -82,7 +82,7 @@ resource "aws_security_group" "https_web_inbound_sg" {
 resource "aws_alb" "alb_ecs" {
   name            = "tf-${var.project_name}-${var.env}-alb"
   subnets         = data.aws_subnets.public.ids
-  security_groups = [aws_security_group.https_web_inbound_sg.id]
+  security_groups = [aws_security_group.web_inbound_sg.id]
 
   tags = merge({
     Name = "tf-${var.project_name}-alb"
@@ -117,28 +117,27 @@ resource "aws_alb_target_group" "alb_target_group" {
   ]
 }
 
-#resource "aws_alb_listener" "alb_listener_ecs" {
-#  load_balancer_arn = aws_alb.alb_ecs.arn
-#  port              = 80
-#  protocol          = var.alb_protocol
-#  depends_on        = [aws_alb_target_group.alb_target_group]
-#
-#  default_action {
-#    target_group_arn = aws_alb_target_group.alb_target_group.arn
-#    type             = "forward"
-#  }
-#}
-
 resource "aws_alb_listener" "alb_listener_ecs" {
-  load_balancer_arn = aws_alb.alb_ecs.arn
-  port              = 443
-  protocol          = var.alb_protocol
-  ssl_policy        = "ELBSecurityPolicy-2016-08"
-  certificate_arn   = aws_acm_certificate.cert.arn
-  depends_on        = [aws_alb_target_group.alb_target_group]
-
-  default_action {
-    target_group_arn = aws_alb_target_group.alb_target_group.arn
-    type             = "forward"
-  }
-}
+ load_balancer_arn = aws_alb.alb_ecs.arn
+ port              = 80
+ depends_on        = [aws_alb_target_group.alb_target_group]
+ protocol = "HTTP"
+ default_action {
+   target_group_arn = aws_alb_target_group.alb_target_group.arn
+   type             = "forward"
+ }
+}
+
+# resource "aws_alb_listener" "alb_listener_ecs" {
+#   load_balancer_arn = aws_alb.alb_ecs.arn
+#   port              = 443
+#   protocol          = var.alb_protocol
+#   ssl_policy        = "ELBSecurityPolicy-2016-08"
+#   certificate_arn   = aws_acm_certificate.cert.arn
+#   depends_on        = [aws_alb_target_group.alb_target_group]
+
+#   default_action {
+#     target_group_arn = aws_alb_target_group.alb_target_group.arn
+#     type             = "forward"
+#   }
+# }

terraform/features-api/outputs.tf

@@ -17,3 +17,7 @@ output "protocol_on_aws_alb_listener" {
   description = "HTTP/HTTPS protocol on the ALB Listener"
   value       = aws_alb_listener.alb_listener_ecs.protocol
 }
+
+output "alb_url" {
+  value = "https://${aws_alb.alb_ecs.dns_name}"
+}

terraform/features-api/secret_manager.tf

@@ -25,7 +25,7 @@ resource "aws_secretsmanager_secret" "config" {
 }
 
 resource "aws_secretsmanager_secret" "db_config" {
-  name       = "${var.project_name}-wfs3-${var.env}-db"
+  name       = "${var.project_name}-wfs3-${var.env}-db-secrets"
   kms_key_id = data.aws_kms_key.secretsmanager.id
   tags       = var.tags
 }

terraform/features-api/init.tf → terraform/features-api/terraform.tf

@@ -17,7 +17,7 @@ terraform {
     }
   }
   backend "s3" {
-    bucket = "ghg-wfs3-tf-state-bucket"
+    bucket = "ghgc-features-tf-state-bucket"
     key    = "root"
     region = "us-west-2"
   }

terraform/features-api/terraform.tf.tmpl

@@ -0,0 +1,24 @@
+provider "aws" {
+  alias  = "west1"
+  region = "us-west-1"
+}
+
+provider "aws" {
+  alias  = "west2"
+  region = "us-west-2"
+}
+
+terraform {
+  required_version = "1.3.9"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+  backend "s3" {
+    bucket = "${STATE_BUCKET_NAME}"
+    key    = "root"
+    region = "${AWS_REGION}"
+  }
+}

terraform/features-api/terraform.tfvars

@@ -0,0 +1,9 @@
+region             = "us-west-2"
+registry_name      = "ghgc-features-api-registry"
+env                = "dev"
+project_name       = "ghgc-features-api"
+availability_zones = ["us-west-2a", "us-west-2b"]
+service_port       = "8080"
+dns_zone_name      = "dev.ghg.center"
+tags               = {"project": "ghgc", "service": "ghgc-features-api-dev"}
+vpc_id = "vpc-0a20167ff1004d0f2"

terraform/features-api/terraform.tfvars.tmpl

@@ -0,0 +1,9 @@
+region             = "${AWS_REGION}"
+registry_name      = "${REGISTRY_NAME}"
+env                = "${ENV}"
+project_name       = "${PROJECT_NAME}"
+availability_zones = ${AZ}
+service_port       = "${SERVICE_PORT}"
+dns_zone_name      = "${DNS_ZONE_NAME}"
+tags               = ${TAGS}
+vpc_id = "${VPC_ID}"

terraform/features-api/variables.tf

@@ -38,14 +38,15 @@ variable "default_secret" {
 # }
 
 variable "dns_zone_name" {
+  default = null
 }
 
 variable "dns_subdomain" {
-
+  default = null
 }
 
 variable "alb_protocol" {
-  default = "HTTPS"
+  default = "HTTP"
 }
 
 variable "vpc_id" {}

terraform/features-api/vars/dev.tf

@@ -1,11 +1,12 @@
 region             = "us-west-2"
-registry_name      = "features-api-registry"
+registry_name      = "ghgc-features-api-registry"
 env                = "dev"
-project_name       = "veda-features-api"
+project_name       = "ghgc-features-api"
 db_public_subnet = false
 availability_zones = ["us-west-2a", "us-west-2b"]
 service_port       = 8080
-dns_zone_name      = "delta-backend.com"
-dns_subdomain      = "ghg-dev"
-tags               = {"project": "veda", "service": "veda-features-api-dev"}
-vpc_id = "vpc-0512162c42da5e645"
+dns_zone_name      = "dev.ghg.center"
+dns_subdomain      = "features-api"
+tags               = {"project": "ghgc", "service": "ghgc-features-api-dev"}
+vpc_id = "vpc-0a20167ff1004d0f2"
+alb_protocol = "HTTP"