Terraform provisioning for Jupiter into Azure Cloud

.dockerignore

@@ -11,6 +11,12 @@ coverage/
 .ruby-version
 vendor/bundle
 
+/storage/*
+
+/public/packs
+/public/packs-test
+/node_modules
+
 .dockerignore
 docker-compose.yml
 docker-compose.lightweight.yml

.env_deployment_sample

@@ -1,7 +1,6 @@
 #Rails application env variables
 RAILS_ENV=uat
 DATABASE_URL=postgresql://jupiter:mysecretpassword@postgres:5432/
-FCREPO_URL=http://fcrepo:8080/fcrepo/rest
 SOLR_URL=http://solr:8983/solr/jupiter-uat
 REDIS_URL=redis://redis/1
 SECRET_KEY_BASE=33d83bc35b707a1f70ac9475cdaabd4224fca0d3edc07e0ce6db13515d1c1e3aaf4c3b8bf580d9ea6198ec90bae2005ca807fa46a9aee5906bd64be99cc2e065
@@ -10,16 +9,13 @@ SAML_CERTIFICATE=
 ROLLBAR_TOKEN=
 GOOGLE_ANALYTICS_TOKEN=
 RAILS_LOG_TO_STDOUT=true
-# Comma delimited string of rack attack safelisted IPs
-RACK_ATTACK_SAFELISTED_IPS=
 TLD_LENGTH=3
 GOOGLE_CLIENT_ID=
 GOOGLE_CLIENT_SECRET=
 GOOGLE_DEVELOPER_KEY=
 ERA_HOST=era.uat.library.ualberta.ca
 DIGITIZATION_HOST=digitalcollections.uat.library.ualberta.ca
 
-
 # Postgres environment variables
 PGDATA=/var/lib/postgresql/data/pgdata
 POSTGRES_PASSWORD=mysecretpassword

Gemfile

@@ -80,6 +80,10 @@ gem 'google-api-client',
 gem 'builder_deferred_tagging', github: 'ualbertalib/builder_deferred_tagging', tag: 'v0.01'
 gem 'oaisys', github: 'ualbertalib/oaisys', tag: 'v1.0.3'
 
+group :uat do
+  gem 'azure-storage-blob', require: false
+end
+
 # Seeds
 group :development, :test, :uat do
   gem 'faker', require: false

Gemfile.lock

@@ -113,6 +113,14 @@ GEM
       public_suffix (>= 2.0.2, < 5.0)
     amazing_print (1.4.0)
     ast (2.4.2)
+    azure-storage-blob (2.0.3)
+      azure-storage-common (~> 2.0)
+      nokogiri (~> 1, >= 1.10.8)
+    azure-storage-common (2.0.4)
+      faraday (~> 1.0)
+      faraday_middleware (~> 1.0, >= 1.0.0.rc1)
+      net-http-persistent (~> 4.0)
+      nokogiri (~> 1, >= 1.10.8)
     bcrypt (3.1.16)
     better_errors (2.9.1)
       coderay (>= 1.0.0)
@@ -233,6 +241,8 @@ GEM
     faraday-net_http_persistent (1.2.0)
     faraday-patron (1.0.0)
     faraday-rack (1.0.0)
+    faraday_middleware (1.2.0)
+      faraday (~> 1.0)
     ffi (1.15.5)
     flipper (0.23.1)
     flipper-active_record (0.23.0)
@@ -620,6 +630,7 @@ DEPENDENCIES
   active_link_to
   acts_as_rdfable!
   addressable (~> 2.8.0)
+  azure-storage-blob
   bcrypt (>= 3.1.13)
   better_errors (>= 2.3.0)
   binding_of_caller

README.md

@@ -10,7 +10,7 @@
 
 **Requirements:**
 
-- **Ruby** 2.5+
+- **Ruby** 2.6+
 - **PostgreSQL**
 - **Redis**
 - **Solr**

config/puma.rb

@@ -4,8 +4,8 @@
 # the maximum value specified for Puma. Default is set to 5 threads for minimum
 # and maximum; this matches the default thread size of Active Record.
 #
-max_threads_count = ENV.fetch('PUMA_MAX_THREADS', 5)
-min_threads_count = ENV.fetch('PUMA_MIN_THREADS') { max_threads_count }
+max_threads_count = ENV.fetch('RAILS_MAX_THREADS', 5)
+min_threads_count = ENV.fetch('RAILS_MIN_THREADS') { max_threads_count }
 threads min_threads_count, max_threads_count
 
 # Specifies the `worker_timeout` threshold that Puma will use to wait before
@@ -39,14 +39,5 @@
 #
 # preload_app!
 
-if ENV['RAILS_ENV'] == 'uat'
-  workers ENV.fetch('WEB_CONCURRENCY', 3)
-  preload_app!
-  on_worker_boot do
-    ActiveSupport.on_load(:active_record) do
-      ActiveRecord::Base.establish_connection
-    end
-  end
-end
-# Allow puma to be restarted by `rails restart` command.
+# Allow puma to be restarted by `bin/rails restart` command.
 plugin :tmp_restart

config/secrets.yml

@@ -36,7 +36,6 @@ shared:
   allow_crawlers: <%= ENV['RAILS_ALLOW_CRAWLERS'] || false %>
   preservation_queue_name: <%= ENV['PMPY_QUEUE_NAME'] || 'prod:pmpy_queue' %>
   fits_path: <%= ENV['FITS_PATH'] || 'fits.sh' %>
-  rack_attack_safelisted_ips: <%= ENV['RACK_ATTACK_SAFELISTED_IPS'] || '""' %>
   system_user_api_key: <%= ENV['SYSTEM_USER_API_KEY'] %>
 
   tld_length: <%= ENV['TLD_LENGTH'] || 1 %>
@@ -63,11 +62,6 @@ development:
   saml_idp_cert: ''
   saml_idp_sso_target_url: ''
 
-  fcrepo_url: <%= ENV['FCREPO_URL'] || 'http://localhost:8080/fcrepo/rest' %>
-  fcrepo_user: fedoraAdmin
-  fcrepo_password: fedoraAdmin
-  fcrepo_base_path: /dev
-
   preservation_queue_name: <%= ENV['PMPY_QUEUE_NAME']  || 'dev:pmpy_queue'%>
   system_user_api_key: <%= ENV['SYSTEM_USER_API_KEY'] || '3eeb395e-63b7-11ea-bc55-0242ac130003' %>
 
@@ -88,11 +82,6 @@ test:
   saml_idp_cert: ''
   saml_idp_sso_target_url: ''
 
-  fcrepo_url: <%= ENV['FCREPO_URL'] || 'http://localhost:8080/fcrepo/rest' %>
-  fcrepo_user: fedoraAdmin
-  fcrepo_password: fedoraAdmin
-  fcrepo_base_path: /test
-
   preservation_queue_name: <%= ENV['PMPY_QUEUE_NAME'] || 'test:pmpy_queue' %>
   system_user_api_key: <%= ENV['SYSTEM_USER_API_KEY'] || '3eeb395e-63b7-11ea-bc55-0242ac130003' %>
 
@@ -117,10 +106,6 @@ uat:
   saml_idp_sso_target_url: 'https://login-uat.ualberta.ca/saml2/idp/SSOService.php'
 
   database_url: <%= ENV['DATABASE_URL'] %>
-  fcrepo_user: <%= ENV['FCREPO_USER'] %>
-  fcrepo_password: <%= ENV['FCREPO_PASSWORD'] %>
-  fcrepo_url: <%= ENV['FCREPO_URL'] %>
-  fcrepo_base_path: /uat
   solr_url: <%= ENV['SOLR_URL'] %>
 
 staging:
@@ -135,10 +120,6 @@ staging:
   saml_idp_sso_target_url: 'https://login-uat.ualberta.ca/saml2/idp/SSOService.php'
 
   database_url: <%= ENV['DATABASE_URL'] %>
-  fcrepo_user: <%= ENV['FCREPO_USER'] %>
-  fcrepo_password: <%= ENV['FCREPO_PASSWORD'] %>
-  fcrepo_url: <%= ENV['FCREPO_URL'] %>
-  fcrepo_base_path: /prod
   solr_url: <%= ENV['SOLR_URL'] %>
 
 production:
@@ -154,10 +135,6 @@ production:
   saml_idp_sso_target_url: 'https://login.ualberta.ca/saml2/idp/SSOService.php'
 
   database_url: <%= ENV['DATABASE_URL'] %>
-  fcrepo_user: <%= ENV['FCREPO_USER'] %>
-  fcrepo_password: <%= ENV['FCREPO_PASSWORD'] %>
-  fcrepo_url: <%= ENV['FCREPO_URL'] %>
-  fcrepo_base_path: /prod
   solr_url: <%= ENV['SOLR_URL'] %>
 
   skylight_authentication: <%= ENV['SKYLIGHT_AUTHENTICATION'] %>

config/storage.yml

@@ -24,11 +24,11 @@ local:
 #   bucket: your_own_bucket
 
 # Use rails credentials:edit to set the Azure Storage secret (as azure_storage:storage_access_key)
-# microsoft:
-#   service: AzureStorage
-#   storage_account_name: your_account_name
-#   storage_access_key: <%= Rails.application.credentials.dig(:azure_storage, :storage_access_key) %>
-#   container: your_container_name
+microsoft:
+  service: AzureStorage
+  storage_account_name: <%= ENV["AZURE_STORAGE_ACCOUNT_NAME"] %>
+  storage_access_key: <%= ENV["AZURE_STORAGE_ACCESS_KEY"] %>
+  container: <%= ENV["AZURE_STORAGE_CONTAINER"] %>
 
 # mirror:
 #   service: Mirror

terraform/.gitignore

@@ -0,0 +1,47 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+#
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+kubeconfig