[IT-3995] Setup containerized infra for Agora app (Sage-Bionetworks-IT#1

)

We are basically using Sage-Bionetworks-IT/schematic-infra-v2[1] as a template for this repo and updating files to fit agora app.

* Update files for Agora deployment to ECS
* Update to unused VPC CIDRs
* Update certificate ARNs
* Add ContainerVolume object for attaching volumes to containers
* Add test for Service stack

[1] https://github.com/Sage-Bionetworks-IT/schematic-infra-v2

.devcontainer/devcontainer.json

@@ -0,0 +1,15 @@
+{
+  "name": "AWS CDK & Python Development Environment",
+  "image": "mcr.microsoft.com/devcontainers/base:ubuntu-22.04",
+  "features": {
+    "ghcr.io/devcontainers/features/node:1.5.0": {
+      "version": "22.6.0"
+    },
+    "ghcr.io/devcontainers/features/python:1.6.3": {
+      "version": "3.12.0"
+    },
+    "ghcr.io/devcontainers/features/aws-cli:1": {}
+  },
+  "postCreateCommand": "./tools/setup.sh",
+  "shutdownAction": "stopContainer"
+}

.flake8

@@ -0,0 +1,16 @@
+[flake8]
+exclude =
+	.git,
+	__pycache__,
+	build,
+	dist,
+	.tox,
+	venv,
+	.venv,
+	.pytest_cache
+max-complexity = 12
+#per-file-ignores =
+#	docs/_api/conf.py: E265
+#	integration-tests/steps/*: E501,F811,F403,F405
+extend-ignore = E203
+max-line-length = 120

.github/CODEOWNERS

@@ -0,0 +1 @@
+*  @Sage-Bionetworks-IT/sagebio-it @Sage-Bionetworks-IT/infra-oversight-committee

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,7 @@
+DELETE THIS TEMPLATE BEFORE SUBMITTING
+
+PR Checklist:
+[ ] Clearly explain your change with a descriptive commit message
+
+[ ] Setup pre-commit and run the validators (info in README.md)
+    To validate files run: `pre-commit run --all-files`

.github/workflows/aws-deploy.yaml

@@ -0,0 +1,53 @@
+# reusable template for deployments to AWS accounts
+name: aws-deploy
+
+# Ensures that only one deploy task per branch/environment will run at a time.
+concurrency:
+  group: ${{ inputs.environment }}
+  cancel-in-progress: false
+
+on:
+  workflow_call:
+    inputs:
+      aws-region:
+        type: string
+        default: us-east-1
+      role-to-assume:
+        required: true
+        type: string
+      role-session-name:
+        required: true
+        type: string
+      role-duration-seconds:
+        type: number
+        default: 3600
+      environment:
+        required: true
+        type: string
+
+jobs:
+  deploy:
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Install AWS CLI
+        run: sudo snap install aws-cli --classic
+      - name: Install AWS CDK CLI
+        run: npm install -g aws-cdk
+      - name: Install python dependencies
+        run: pip install -r requirements.txt -r requirements-dev.txt
+      - name: Assume AWS Role
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-region: ${{ inputs.aws-region }}
+          role-to-assume: ${{ inputs.role-to-assume }}
+          role-session-name: ${{ inputs.role-session-name }}
+          role-duration-seconds: ${{ inputs.role-duration-seconds }}
+      - name: CDK deploy
+        run: cdk deploy --all --concurrency 5 --require-approval never
+        env:
+          ENV: ${{ inputs.environment }}

.github/workflows/check.yml

@@ -0,0 +1,34 @@
+name: check
+
+on:
+  pull_request:
+    branches: ['*']
+  push:
+    branches: ['*']
+
+jobs:
+  unit-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Install dependencies
+        run: pip install -r requirements.txt -r requirements-dev.txt
+      - name: Run unit tests
+        run: python -m pytest tests/ -s -v
+  synth:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Install dependencies
+        run: pip install -r requirements.txt -r requirements-dev.txt
+      - name: Generate cloudformation
+        uses: youyo/aws-cdk-github-actions@v2
+        env:
+          ENV: dev
+        with:
+          cdk_subcommand: 'synth'
+          actions_comment: false
+          debug_log: true
+          cdk_args: '--output ./cdk.out'

.github/workflows/deploy-dev.yaml

@@ -0,0 +1,18 @@
+name: deploy-dev
+
+on:
+  workflow_run:
+    workflows:
+      - check
+    types:
+      - completed
+    branches:
+      - dev
+
+jobs:
+  aws-deploy:
+    uses: "./.github/workflows/aws-deploy.yaml"
+    with:
+      role-to-assume: "arn:aws:iam::631692904429:role/sagebase-github-oidc-sage-bionetworks-it-schematic-infra-v2"
+      role-session-name: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}
+      environment: dev

.github/workflows/deploy-prod.yaml

@@ -0,0 +1,18 @@
+name: deploy-prod
+
+on:
+  workflow_run:
+    workflows:
+      - check
+    types:
+      - completed
+    branches:
+      - prod
+
+jobs:
+  aws-deploy:
+    uses: "./.github/workflows/aws-deploy.yaml"
+    with:
+      role-to-assume: "arn:aws:iam::878654265857:role/sagebase-github-oidc-sage-bionetworks-it-schematic-infra-v2"
+      role-session-name: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}
+      environment: prod

.github/workflows/deploy-stage.yaml

@@ -0,0 +1,18 @@
+name: deploy-stage
+
+on:
+  workflow_run:
+    workflows:
+      - check
+    types:
+      - completed
+    branches:
+      - stage
+
+jobs:
+  aws-deploy:
+    uses: "./.github/workflows/aws-deploy.yaml"
+    with:
+      role-to-assume: "arn:aws:iam::878654265857:role/sagebase-github-oidc-sage-bionetworks-it-schematic-infra-v2"
+      role-session-name: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}
+      environment: stage

.gitignore

@@ -1,30 +1,14 @@
-# Byte-compiled / optimized / DLL files
-__pycache__/
-*.py[cod]
-*$py.class
-
-# C extensions
-*.so
-
-# Distribution / packaging
-.Python
-build/
-develop-eggs/
-dist/
-downloads/
-eggs/
-.eggs/
-lib/
-lib64/
-parts/
-sdist/
-var/
-wheels/
-share/python-wheels/
-*.egg-info/
-.installed.cfg
-*.egg
-MANIFEST
+*.swp
+package-lock.json
+__pycache__
+.pytest_cache
+.venv
+*.egg-info
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+
 
 # PyInstaller
 #  Usually these files are written by a python script from a template
@@ -39,17 +23,14 @@ pip-delete-this-directory.txt
 # Unit test / coverage reports
 htmlcov/
 .tox/
-.nox/
 .coverage
 .coverage.*
 .cache
 nosetests.xml
 coverage.xml
 *.cover
-*.py,cover
 .hypothesis/
 .pytest_cache/
-cover/
 
 # Translations
 *.mo
@@ -59,7 +40,6 @@ cover/
 *.log
 local_settings.py
 db.sqlite3
-db.sqlite3-journal
 
 # Flask stuff:
 instance/
@@ -72,51 +52,16 @@ instance/
 docs/_build/
 
 # PyBuilder
-.pybuilder/
 target/
 
 # Jupyter Notebook
 .ipynb_checkpoints
 
-# IPython
-profile_default/
-ipython_config.py
-
 # pyenv
-#   For a library or package, you might want to ignore these files since the code is
-#   intended to run in multiple environments; otherwise, check them in:
-# .python-version
+.python-version
 
-# pipenv
-#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
-#   However, in case of collaboration, if having platform-specific dependencies or dependencies
-#   having no cross-platform support, pipenv may install dependencies that don't work, or not
-#   install all needed dependencies.
-#Pipfile.lock
-
-# poetry
-#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
-#   This is especially recommended for binary packages to ensure reproducibility, and is more
-#   commonly ignored for libraries.
-#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
-#poetry.lock
-
-# pdm
-#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
-#pdm.lock
-#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
-#   in version control.
-#   https://pdm.fming.dev/latest/usage/project/#working-with-version-control
-.pdm.toml
-.pdm-python
-.pdm-build/
-
-# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
-__pypackages__/
-
-# Celery stuff
+# celery beat schedule file
 celerybeat-schedule
-celerybeat.pid
 
 # SageMath parsed files
 *.sage.py
@@ -142,21 +87,33 @@ venv.bak/
 
 # mypy
 .mypy_cache/
-.dmypy.json
-dmypy.json
 
-# Pyre type checker
-.pyre/
+.idea/
+git-crypt.key
+
+# Elastic Beanstalk Files
+.elasticbeanstalk/*
+!.elasticbeanstalk/*.cfg.yml
+!.elasticbeanstalk/*.global.yml
 
-# pytype static type analyzer
-.pytype/
+# sceptre remote templates
+templates/remote/
+
+# lambda artifacts
+lambdas/*.zip
+
+# MAC Crap
+.DS_Store
+
+# temp files
+temp/
+
+# pipenv
+Pipfile*
 
-# Cython debug symbols
-cython_debug/
+# npm
+node_modules/
 
-# PyCharm
-#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
-#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
-#  and can be added to the global gitignore or merged into this file.  For a more nuclear
-#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
-#.idea/
+# sceptre
+sceptre/**/templates/remote/
+.dump/