Initial Infra Code Changes (#5)

* added initial ecr tf scripts

* Use env variables from root

* - Added ecs, ecr, vpc, elb code
- Minor refactoring for naming convention and code formatting

* hard code region for backend config

* Include container module dependencies.

* Fixed renamed resource

* Add networking module reference

* Fixed passing of i/o variables

* Use sg.id to sgs in lb

* Use lb arn

* - Added internet gateway
- Added tags

* Fixed plan error

* Fixed subnet id build error

* Update lb tg to use target type to ip

* Revert to single value only

* - changed app name to jasper
- changed task def to use web
- added variables for web and api images

* Added force_delete in ECR repo resource

* Update web container name and port

* Added port variable

* Changed port type to number

* - Added more roles to ecs web task definition
- Renamed web task definition

* Fixed ecs web task role policy

* Added ECS Web Task ARN to policy

* - Renamed resources
- Enabled public ip

* Updated policy

* Added log groups and change port to 8080

* - Setup CW for ECS tasks
- Ensure ECS is accessed from LB only

* - Added sandbox.tfvars
- Adjusted ecs resources
- Renamed stuff

* Use default vpc

* Removed unused variables

* - Refactor variables
- Added backend tfvars

* Removed .gitkeep

* Use tfvars file in aws template tf

* - Added dev workflow
- Added initial documentation

* Moved app related variables so that values are retrieved as an env variable from Github.

---------

Co-authored-by: Ronaldo Macapobre <[email protected]>

.github/workflows/aws-template-terraform.yml

@@ -14,7 +14,7 @@ on:
         type: string
       TEST_BUCKET_NAME:
         required: true
-        type: string 
+        type: string
 
 permissions:
   id-token: write
@@ -35,10 +35,10 @@ jobs:
         env:
           CONTEXT_FOLDER: ${{ inputs.CONTEXT_FOLDER }}
           CHANGE_FOLDER_NAME: ${{ inputs.CHANGE_FOLDER_NAME }}
-        run: |            
+        run: |
           echo "=============== list modified files ==============="
           git diff --name-only HEAD^ HEAD
-          
+
           echo "========== check paths of modified files =========="
           git diff --name-only HEAD^ HEAD >> files.txt
           infra_changed=false
@@ -55,54 +55,53 @@ jobs:
   deploy_infra:
     name: Deploy Infra
     runs-on: ubuntu-latest
-    environment: 
+    environment:
       name: ${{ inputs.ENVIRONMENT_NAME }}
+    env:
+      TF_VAR_app_name: ${{ vars.APP_NAME }}
+      TF_VAR_environment: ${{ vars.ENVIRONMENT_NAME }}
+      TF_VAR_kms_key_name: ${{ vars.KMS_KEY_NAME }}
     needs: [check_changes]
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4    
-
-    - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@v4
-      with:
-        role-skip-session-tagging: true
-        aws-region: ${{ vars.AWS_REGION }}
-        role-to-assume: ${{ vars.AWS_ROLE_ARN }}
-        role-duration-seconds: 1800
-        role-session-name: ci-deployment
-
-    - name: Setup Terraform
-      uses: hashicorp/setup-terraform@v3
-      with:
-        terraform_version: 1.9.0
-    - name: Terraform Init
-      id: init
-      env: 
-        CONTEXT_FOLDER: ${{ inputs.CONTEXT_FOLDER }}
-      run: |
-        terraform init -input=false
-      working-directory: ${{ inputs.CONTEXT_FOLDER }}
-    - name: Terraform Plan
-      id: plan
-      env: 
-        CONTEXT_FOLDER: ${{ inputs.CONTEXT_FOLDER }}
-        TF_VAR_test_s3_bucket_name: ${{ inputs.TEST_BUCKET_NAME }}
-      run: |
-        terraform plan -no-color -input=false
-      continue-on-error: true
-      working-directory: ${{ inputs.CONTEXT_FOLDER }}
-    - name: Terraform Plan Status
-      if: steps.plan.outcome == 'failure'
-      run: exit 1
-    - name: Terraform Apply
-      env: 
-        CONTEXT_FOLDER: ${{ inputs.CONTEXT_FOLDER }}
-        TF_VAR_test_s3_bucket_name: ${{ inputs.TEST_BUCKET_NAME }}
-      run: |
-        terraform apply --auto-approve -input=false
-      working-directory: ${{ inputs.CONTEXT_FOLDER }}
-
-
+      - name: Checkout repository
+        uses: actions/checkout@v4
 
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-skip-session-tagging: true
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+          role-duration-seconds: 1800
+          role-session-name: ci-deployment
 
-
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.9.0
+      - name: Terraform Init
+        id: init
+        env:
+          CONTEXT_FOLDER: ${{ inputs.CONTEXT_FOLDER }}
+        run: |
+          terraform init -input=false -backend-config=backend.tfvars -var-file=${{ inputs.ENVIRONMENT_NAME }}.tfvars
+        working-directory: ${{ inputs.CONTEXT_FOLDER }}
+      - name: Terraform Plan
+        id: plan
+        env:
+          CONTEXT_FOLDER: ${{ inputs.CONTEXT_FOLDER }}
+          #TF_VAR_test_s3_bucket_name: ${{ inputs.TEST_BUCKET_NAME }}
+        run: |
+          terraform plan -no-color -input=false -var-file=${{ inputs.ENVIRONMENT_NAME }}.tfvars
+        continue-on-error: true
+        working-directory: ${{ inputs.CONTEXT_FOLDER }}
+      - name: Terraform Plan Status
+        if: steps.plan.outcome == 'failure'
+        run: exit 1
+      - name: Terraform Apply
+        env:
+          CONTEXT_FOLDER: ${{ inputs.CONTEXT_FOLDER }}
+          #TF_VAR_test_s3_bucket_name: ${{ inputs.TEST_BUCKET_NAME }}
+        run: |
+          terraform apply --auto-approve -input=false -var-file=${{ inputs.ENVIRONMENT_NAME }}.tfvars
+        working-directory: ${{ inputs.CONTEXT_FOLDER }}

.github/workflows/deploy-infra-dev.yml

@@ -0,0 +1,14 @@
+name: Deploy AWS Infra to Dev
+
+on:
+  workflow_dispatch:
+
+jobs:
+  infrastructure_deploy_snd:
+    uses: ./.github/workflows/aws-template-terraform.yml
+    with:
+      CONTEXT_FOLDER: ./infrastructure/cloud/environments/dev
+      CHANGE_FOLDER_NAME: environments/dev
+      ENVIRONMENT_NAME: dev
+      TEST_BUCKET_NAME: jasper-test-bucket
+    secrets: inherit

infrastructure/cloud/README.md

@@ -0,0 +1,44 @@
+# JASPER's AWS Infrastructure Setup
+
+This repository includes Terraform scripts for provisioning and managing JASPER's AWS infrastructure. The team has adopted a modularized folder structure to enhance reusability, maintainability, and separation of concerns. The infrastructure-as-code is organized into reusable, encapsulated components known as modules, along with environment-specific configurations. This structure enables consistent and efficient management of infrastructure across various environments, such as development, testing, and production.
+
+## Prerequisites
+
+1. Navigate to [BC Gov's AWS instance](https://login.nimbus.cloud.gov.bc.ca/api).
+2. Configure AWS CLI
+
+```
+aws configure sso
+```
+
+3. Follow instructions from CLI.
+
+## Running Terraform Scripts Locally
+
+1. Navigate to the desired environment (`/dev` or `/test`) where you want the Terraform scripts to be executed.
+2. Initialize the working directory.
+
+```
+terraform init -backend-config=backend.tfvars
+```
+
+3. Preview the changes that Terraform plans to deploy.
+
+```
+terraform plan -var-file="./<environment>.tfvars"
+```
+
+4. If everything looks good, execute the actions propsed Terraform plan.
+
+```
+terraform apply -var-file="./<environment>.tfvars"
+```
+
+## Deploying Terraform changes via Github Actions
+
+1. Commit and push your working branch to Github.
+2. Navigate to [Actions](https://github.com/bcgov/jasper/actions) tab.
+3. Select the desired workflow (Deploy AWS Infra to `<environment>`).
+4. Click `Run workflow` dropdown.
+5. Select working branch
+6. Click `Run workflow` button.

infrastructure/cloud/environments/dev/backend.tfvars

@@ -0,0 +1,4 @@
+bucket         = "terraform-remote-state-dev"
+dynamodb_table = "terraform-remote-state-lock"
+key            = "terraform.tfstate"
+region         = "ca-central-1"

infrastructure/cloud/environments/dev/dev.tfvars

@@ -0,0 +1,2 @@
+region              = "ca-central-1"
+test_s3_bucket_name = "test-s3-bucket"

infrastructure/cloud/environments/dev/providers.tf

@@ -0,0 +1,21 @@
+terraform {
+  required_version = "~> 1.9.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+
+    tls = {
+      source  = "hashicorp/tls"
+      version = "4.0.5"
+    }
+  }
+
+  backend "s3" {
+  }
+}
+
+provider "aws" {
+  region = var.region
+}

infrastructure/cloud/environments/dev/variables.tf

@@ -0,0 +1,24 @@
+variable "test_s3_bucket_name" {
+  description = "The name of the S3 bucket to create for testing"
+  type        = string
+}
+
+variable "region" {
+  description = "The AWS region"
+  type        = string
+}
+
+variable "kms_key_name" {
+  description = "Name of KMS key"
+  type        = string
+}
+
+variable "app_name" {
+  description = "The name of the application"
+  type        = string
+}
+
+variable "environment" {
+  description = "The AWS environment to deploy to"
+  type        = string
+}

infrastructure/cloud/environments/dev/webapp.tf

@@ -0,0 +1,41 @@
+module "security" {
+  source       = "../../modules/security"
+  environment  = var.environment
+  app_name     = var.app_name
+  kms_key_name = var.kms_key_name
+}
+
+module "storage" {
+  source              = "../../modules/storage"
+  environment         = var.environment
+  app_name            = var.app_name
+  kms_key_name        = module.security.kms_key_alias
+  test_s3_bucket_name = var.test_s3_bucket_name
+  depends_on          = [module.security]
+}
+
+module "networking" {
+  source      = "../../modules/networking"
+  environment = var.environment
+  app_name    = var.app_name
+  region      = var.region
+  subnet_ids  = module.networking.subnet_ids
+}
+
+module "container" {
+  source                 = "../../modules/container"
+  environment            = var.environment
+  app_name               = var.app_name
+  region                 = var.region
+  ecs_execution_role_arn = module.security.ecs_execution_role_arn
+  subnet_ids             = module.networking.subnet_ids
+  sg_id                  = module.networking.sg_id
+  lb_tg_arn              = module.networking.lb_tg_arn
+  ecs_web_log_group_name = module.monitoring.ecs_web_log_group_name
+}
+
+module "monitoring" {
+  source      = "../../modules/monitoring"
+  environment = var.environment
+  app_name    = var.app_name
+}

infrastructure/cloud/environments/sandbox/backend.tfvars

@@ -0,0 +1,4 @@
+bucket         = "terraform-remote-state-sandbox-12345"
+dynamodb_table = "terraform-remote-state-lock-12345"
+key            = "terraform.tfstate"
+region         = "ca-central-1"

infrastructure/cloud/environments/sandbox/providers.tf

@@ -13,16 +13,9 @@ terraform {
   }
 
   backend "s3" {
-    bucket         = "terraform-remote-state-sandbox-12345"
-    key            = "terraform.tfstate"
-    region         = "ca-central-1"
-    dynamodb_table = "terraform-remote-state-lock-12345"
   }
-
 }
 
-
-
 provider "aws" {
-  region = "ca-central-1"
-}
+  region = var.region
+}

infrastructure/cloud/environments/sandbox/sandbox.tfvars

@@ -0,0 +1,2 @@
+region              = "ca-central-1"
+test_s3_bucket_name = "test-s3-bucket"

infrastructure/cloud/environments/sandbox/variables.tf

@@ -1,6 +1,24 @@
+variable "test_s3_bucket_name" {
+  description = "The name of the S3 bucket to create for testing"
+  type        = string
+}
 
+variable "region" {
+  description = "The AWS region"
+  type        = string
+}
 
-variable test_s3_bucket_name {
-  type = string
-  description = "The name of the S3 bucket to create for testing"
-}
+variable "kms_key_name" {
+  description = "Name of KMS key"
+  type        = string
+}
+
+variable "app_name" {
+  description = "The name of the application"
+  type        = string
+}
+
+variable "environment" {
+  description = "The AWS environment to deploy to"
+  type        = string
+}

infrastructure/cloud/environments/sandbox/webapp.tf

@@ -1,23 +1,41 @@
+module "security" {
+  source       = "../../modules/security"
+  environment  = var.environment
+  app_name     = var.app_name
+  kms_key_name = var.kms_key_name
+}
 
-
-locals {
-  environment = "snd"
-  application_name = "jasper-aws"
+module "storage" {
+  source              = "../../modules/storage"
+  environment         = var.environment
+  app_name            = var.app_name
+  kms_key_name        = module.security.kms_key_alias
+  test_s3_bucket_name = var.test_s3_bucket_name
+  depends_on          = [module.security]
 }
 
-module "security" {
-  source = "../../modules/security"
-  environment = local.environment
-    application_name = local.application_name
-    kms_key_name = "jasper-kms-key"
+module "networking" {
+  source      = "../../modules/networking"
+  environment = var.environment
+  app_name    = var.app_name
+  region      = var.region
+  subnet_ids  = module.networking.subnet_ids
+}
 
+module "container" {
+  source                 = "../../modules/container"
+  environment            = var.environment
+  app_name               = var.app_name
+  region                 = var.region
+  ecs_execution_role_arn = module.security.ecs_execution_role_arn
+  subnet_ids             = module.networking.subnet_ids
+  sg_id                  = module.networking.sg_id
+  lb_tg_arn              = module.networking.lb_tg_arn
+  ecs_web_log_group_name = module.monitoring.ecs_web_log_group_name
 }
 
-module "storage" {
-  source = "../../modules/storage"
-  environment = local.environment
-    application_name = local.application_name
-    kms_key_name = module.security.kms_key_alias
-    test_s3_bucket_name = var.test_s3_bucket_name
-    depends_on = [ module.security ]
-}
+module "monitoring" {
+  source      = "../../modules/monitoring"
+  environment = var.environment
+  app_name    = var.app_name
+}