From 7f97fe1a477343ca65d1d0cc27f95734b0dc2326 Mon Sep 17 00:00:00 2001
From: "eve n.u"
Date: Wed, 17 Apr 2024 14:31:43 -0700
Subject: [PATCH] Migrate AWS Blake env to its own TF directory (#321)
---
 infrastructure/maskfile.md | 70 ++++++++++---------
 .../environments/blake/.terraform.lock.hcl | 66 +++++++++++++++++
 .../aws/environments/blake/blake.s3.tfbackend | 3 -
 .../terraform/aws/environments/blake/main.tf | 68 ++++++++++++++++++
 .../aws/environments/blake/variables.tfvars | 12 ----
 .../aws/modules/core-services/main.tf | 9 ---
 .../aws/modules/core-services/variables.tf | 9 ---
 .../aws/{ => modules/deployment}/main.tf | 45 +++++++-----
 .../aws/{ => modules/deployment}/outputs.tf | 0
 .../aws/{ => modules/deployment}/variables.tf | 6 --
 10 files changed, 199 insertions(+), 89 deletions(-)
 create mode 100644 infrastructure/terraform/aws/environments/blake/.terraform.lock.hcl
 delete mode 100644 infrastructure/terraform/aws/environments/blake/blake.s3.tfbackend
 create mode 100644 infrastructure/terraform/aws/environments/blake/main.tf
 delete mode 100644 infrastructure/terraform/aws/environments/blake/variables.tfvars
 rename infrastructure/terraform/aws/{ => modules/deployment}/main.tf (85%)
 rename infrastructure/terraform/aws/{ => modules/deployment}/outputs.tf (100%)
 rename infrastructure/terraform/aws/{ => modules/deployment}/variables.tf (90%)
diff --git a/infrastructure/maskfile.md b/infrastructure/maskfile.md
index a0947ef82..4ad51396f 100644
--- a/infrastructure/maskfile.md
+++ b/infrastructure/maskfile.md
@@ -28,15 +28,9 @@ Both `act` commands (for container version updates) and `terraform` commands Usually this means setting a file at `~/.aws/credentials` and `~/.aws/config`: see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html +## aws:tf:plan -## aws:tf:apply - -> Runs the named infrastructure script interactively using the environment specified. - -REQUIRES an environment variable setting: - TF_VAR_HONEYCOMB_API_KEY -for secrets that don't exist in this repository - +> Runs the plan (diff showing) command interactively using the environment specified. **OPTIONS** 
@@ -50,36 +44,53 @@ for secrets that don't exist in this repository
 ```bash
 (
- cd terraform/aws
-
- echo "checking for environment configuration files..."
+ cd terraform/aws/environments/${proper_name}
- tf_var_file="./environments/${proper_name}/variables.tfvars"
-
- if [ ! -f ${tf_var_file} ]; then
- echo "REQUIRED var file missing: ${tf_var_file}"
+ export AWS_PAGER=""
+ if aws sts get-caller-identity; then
+ echo "AWS identity check succeeded."
+ else
+ echo "AWS CLI misconfigured; see maskfile.md for info"
 exit 1
 fi
- echo "checking environment setup..."
- if [ -z "${TF_VAR_HONEYCOMB_API_KEY}" ]; then
- echo "REQURED env secret TF_VAR_HONEYCOMB_API_KEY missing"
- exit 1
- fi
+ echo "showing env diff for $proper_name from $(pwd)"
+
+ terraform plan \
+ -input=false
+)
+```
+
+## aws:tf:apply
+
+> Runs the apply command interactively, still asking for confirmation, using the environment specified.
+
+**OPTIONS**
+
+- proper_name
+ - flags: -n --proper-name
+ - type: string
+ - desc: proper name of AWS environment (see `./aws` module); e.g. blake
+ - required
+
+
+
+```bash
+(
+ cd terraform/aws/environments/${proper_name}
 export AWS_PAGER=""
 if aws sts get-caller-identity; then
 echo "AWS identity check succeeded."
 else
- echo "AWS CLI misconfigured; see Maskfile.md for info"
+ echo "AWS CLI misconfigured; see maskfile.md for info"
 exit 1
 fi
 echo "applying $proper_name from $(pwd)"
 terraform apply \
- -input=false \
- -var-file=${tf_var_file}
+ -input=false
 )
 ```
@@ -98,18 +109,9 @@ for secrets that don't exist in this repository
 ```bash
 (
- cd terraform/aws
- echo "checking for environment configuration files..."
-
- tf_backend_file="./environments/${proper_name}/${proper_name}.s3.tfbackend"
-
- if [ ! -f ${tf_backend_file} ]; then
- echo "REQUIRED backend file missing: ${tf_backend_file}"
- exit 1
- fi
+ cd terraform/aws/environments/${proper_name}
- terraform init \
- -backend-config ${tf_backend_file}
+ terraform init
 )
 ```
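Review bot: The new `cd terraform/aws/environments/${proper_name}` at the top of the plan script, and again in the apply script and in the init script of the following hunk, is unchecked, so an unknown or mistyped environment name leaves the subshell in `infrastructure/` and `terraform plan`/`apply`/`init` runs against whatever is there, unless mask executes the script with errexit, which is not visible on this page. The deleted code at least refused to continue when the per-environment var file was missing; this version drops that guard entirely. I would write `cd "terraform/aws/environments/${proper_name}" || { echo "unknown environment: ${proper_name}"; exit 1; }` in all three scripts, which also stops word-splitting of the name.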
diff --git a/infrastructure/terraform/aws/environments/blake/.terraform.lock.hcl b/infrastructure/terraform/aws/environments/blake/.terraform.lock.hcl
new file mode 100644
index 000000000..9d08fe07d
--- /dev/null
+++ b/infrastructure/terraform/aws/environments/blake/.terraform.lock.hcl
@@ -0,0 +1,66 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.45.0" + constraints = ">= 4.0.0, >= 4.66.1, >= 5.0.0, >= 5.27.0" + hashes = [ + "h1:8m3+C1VNevzU/8FsABoKp2rTOx3Ue7674INfhfk0TZY=", + "zh:1379bcf45aef3d486ee18b4f767bfecd40a0056510d26107f388be3d7994c368", + "zh:1615a6f5495acfb3a0cb72324587261dd4d72711a3cc51aff13167b14531501e", + "zh:18b69a0f33f8b1862fbd3f200756b7e83e087b73687085f2cf9c7da4c318e3e6", + "zh:2c5e7aecd197bc3d3b19290bad8cf4c390c2c6a77bb165da4e11f53f2dfe2e54", + "zh:3794da9bef97596e3bc60e12cdd915bda5ec2ed62cd1cd93723d58b4981905fe", + "zh:40a5e45ed91801f83db76dffd467dcf425ea2ca8642327cf01119601cb86021c", + "zh:4abfc3f53d0256a7d5d1fa5e931e4601b02db3d1da28f452341d3823d0518f1a", + "zh:4eb0e98078f79aeb06b5ff6115286dc2135d12a80287885698d04036425494a2", + "zh:75470efbadea4a8d783642497acaeec5077fc4a7f3df3340defeaa1c7de29bf7", + "zh:8861a0b4891d5fa2fa7142f236ae613cea966c45b5472e3915a4ac3abcbaf487", + "zh:8bf6f21cd9390b742ca0b4393fde92616ca9e6553fb75003a0999006ad233d35", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:ad73008a044e75d337acda910fb54d8b81a366873c8a413fec1291034899a814", + "zh:bf261713b0b8bebfe8c199291365b87d9043849f28a2dc764bafdde73ae43693", + "zh:da3bafa1fd830be418dfcc730e85085fe67c0d415c066716f2ac350a2306f40a", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.6.1" + hashes = [ + "h1:a+Goawwh6Qtg4/bRWzfDtIdrEFfPlnVy0y4LdUQY3nI=", + "zh:2a0ec154e39911f19c8214acd6241e469157489fc56b6c739f45fbed5896a176", + "zh:57f4e553224a5e849c99131f5e5294be3a7adcabe2d867d8a4fef8d0976e0e52", + "zh:58f09948c608e601bd9d0a9e47dcb78e2b2c13b4bda4d8f097d09152ea9e91c5", + "zh:5c2a297146ed6fb3fe934c800e78380f700f49ff24dbb5fb5463134948e3a65f", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + 
"zh:7ce41e26f0603e31cdac849085fc99e5cd5b3b73414c6c6d955c0ceb249b593f", + "zh:8c9e8d30c4ef08ee8bcc4294dbf3c2115cd7d9049c6ba21422bd3471d92faf8a", + "zh:93e91be717a7ffbd6410120eb925ebb8658cc8f563de35a8b53804d33c51c8b0", + "zh:982542e921970d727ce10ed64795bf36c4dec77a5db0741d4665230d12250a0d", + "zh:b9d1873f14d6033e216510ef541c891f44d249464f13cc07d3f782d09c7d18de", + "zh:cfe27faa0bc9556391c8803ade135a5856c34a3fe85b9ae3bdd515013c0c87c1", + "zh:e4aabf3184bbb556b89e4b195eab1514c86a2914dd01c23ad9813ec17e863a8a", + ] +} + +provider "registry.terraform.io/honeycombio/honeycombio" { + version = "0.23.0" + constraints = ">= 0.22.0" + hashes = [ + "h1:mhsV03cb4R2rVrYw5mvqGYt6+JWY7G9WuyQtEzRA0NY=", + "zh:26096a5e3dc62694ee77502576451760f45ffc6f261e1cbf20bfa0a2d7db6310", + "zh:4319141b4351bbf9d264125c52076beeadec1c32f8c32b2374c12904aed333ae", + "zh:46e6be60b42b4930ed009fd47531ce79b1bc9856270c352a1c47442e561bedf2", + "zh:66a92ed38bb54e00615c545f0c5347decad89b4b79e383fa6c2d98f91c9b9119", + "zh:7a183d29ec2ed2ca25608cd7773b1ab190b4f40e994e8c862d1ce3d39325e240", + "zh:84639abe86bde03bb9c98f9a38f77244b99f123f2e7fc3f516fdda44722bf33e", + "zh:adb5cd576c2b725083724c51d8cbdb7f0dc90e9af9bd2a0f3f8fd1d6dd245a78", + "zh:c0c6dd4a8590bdc5b32ba5cc1e230bc59a829b7843b1ff87620f5511ded345cb", + "zh:c8be403926818dd14a13427d83793f0526e8e8ef15eefb2b1fcf230a345a3f10", + "zh:d20f4c2a1bdd736f3cca547c2fc9511fb71b7b2138cfee050102b63ec4e67a39", + "zh:d433aa9a07ef9b89238032fde0b9030fd9f2c56edfeacaa81141bcfbcec0513d", + "zh:e7285c3de2877194972b1aaf629c00c1fd3b7334223bbce251089e964ee95c79", + "zh:fbbee6e911a74500e62f86d35e84f8531a516c10f9bc6c629f83fa502fde7fc2", + "zh:fdb1e996ba43d7b09918e85e8bbb1b3cf5b18333a5e4c103a54abef7e6b534c7", + ] +} diff --git a/infrastructure/terraform/aws/environments/blake/blake.s3.tfbackend b/infrastructure/terraform/aws/environments/blake/blake.s3.tfbackend deleted file mode 100644 index 4b05592ba..000000000 
--- a/infrastructure/terraform/aws/environments/blake/blake.s3.tfbackend
+++ /dev/null
@@ -1,3 +0,0 @@
-bucket = "pubpub-tfstates"
-key = "ecs-blake.tfstate"
-region = "us-east-1"
diff --git a/infrastructure/terraform/aws/environments/blake/main.tf b/infrastructure/terraform/aws/environments/blake/main.tf
new file mode 100644
index 000000000..efd72cd60
--- /dev/null
+++ b/infrastructure/terraform/aws/environments/blake/main.tf
@@ -0,0 +1,68 @@
+######
+##
+## Terraform-meta configurations
+##
+######
+
+terraform {
+ required_version = ">= 1.5.0"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.0"
+ }
+
+ honeycombio = {
+ source = "honeycombio/honeycombio"
+ version = ">= 0.22.0"
+ }
+ }
+ backend "s3" {
+ bucket = "pubpub-tfstates"
+ key = "ecs-blake.tfstate"
+ region = "us-east-1"
+ }
+}
+
+provider "aws" {
+ region = local.region
+}
+
+######
+##
+## Environment-specific configuration
+##
+######
+
+locals {
+ name = "blake"
+ environment = "staging"
+ region = "us-east-1"
+
+ # TODO: Resume using this once we also Terraform the Route53
+ # pubpub_url = "https://v7.pubpub.org"
+
+ MAILGUN_SMTP_USERNAME = "v7@mg.pubpub.org"
+ NEXT_PUBLIC_SUPABASE_URL = "https://dsleqjuvzuoycpeotdws.supabase.co"
+ NEXT_PUBLIC_SUPABASE_PUBLIC_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImRzbGVxanV2enVveWNwZW90ZHdzIiwicm9sZSI6ImFub24iLCJpYXQiOjE2ODIzNTE0MjEsImV4cCI6MTk5NzkyNzQyMX0.3HHC0f7zlFXP77N0U8cS3blr7n6hhjqdYI6_ciQJams"
+ ASSETS_BUCKET_NAME = "assets.blake.pubpub.org"
+}
+
+######
+##
+## Complete generic environment
+##
+######
+
+module "deployment" {
+ source = "../../modules/deployment"
+
+ name = local.name
+ environment = local.environment
+ region = local.region
+
+ MAILGUN_SMTP_USERNAME = local.MAILGUN_SMTP_USERNAME
+ NEXT_PUBLIC_SUPABASE_URL = local.NEXT_PUBLIC_SUPABASE_URL
+ NEXT_PUBLIC_SUPABASE_PUBLIC_KEY = local.NEXT_PUBLIC_SUPABASE_PUBLIC_KEY
+ ASSETS_BUCKET_NAME = local.ASSETS_BUCKET_NAME
+}
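Review bot: The inline `backend "s3"` block in the new environments/blake/main.tf carries over bucket, key and region from the deleted `blake.s3.tfbackend` but sets neither `encrypt = true` nor a `dynamodb_table` for state locking. This state will hold at least the `random_password` RDS password generated in the core-services module and, after this commit, the Honeycomb API key read back through `data.aws_secretsmanager_secret_version` in the deployment module, so server-side encryption and locking are worth stating explicitly here rather than relying on bucket defaults. I would add `encrypt = true` and `dynamodb_table = "<state-lock-table>"` (placeholder; use whatever table the other environments lock on, if one exists) inside the backend block. Since the backend is now committed configuration rather than a sidecar file, this is also the natural place to document which IAM role is expected to have access to that key.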
diff --git a/infrastructure/terraform/aws/environments/blake/variables.tfvars b/infrastructure/terraform/aws/environments/blake/variables.tfvars
deleted file mode 100644
index 252a86e09..000000000
--- a/infrastructure/terraform/aws/environments/blake/variables.tfvars
+++ /dev/null
@@ -1,12 +0,0 @@
-name = "blake"
-environment = "staging"
-region = "us-east-1"
-# TODO: Resume using this once we also Terraform the Route53
-# pubpub_url = "https://v7.pubpub.org"
-MAILGUN_SMTP_USERNAME = "v7@mg.pubpub.org"
-NEXT_PUBLIC_SUPABASE_URL = "https://dsleqjuvzuoycpeotdws.supabase.co"
-NEXT_PUBLIC_SUPABASE_PUBLIC_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImRzbGVxanV2enVveWNwZW90ZHdzIiwicm9sZSI6ImFub24iLCJpYXQiOjE2ODIzNTE0MjEsImV4cCI6MTk5NzkyNzQyMX0.3HHC0f7zlFXP77N0U8cS3blr7n6hhjqdYI6_ciQJams"
-ASSETS_BUCKET_NAME = "assets.blake.pubpub.org"
-
-# ensure these SECRETS are set in sibling secrets.tfvars, which is gitignored
-# HONEYCOMB_API_KEY
diff --git a/infrastructure/terraform/aws/modules/core-services/main.tf b/infrastructure/terraform/aws/modules/core-services/main.tf
index 331829766..aa1c3b7a3 100644
--- a/infrastructure/terraform/aws/modules/core-services/main.tf
+++ b/infrastructure/terraform/aws/modules/core-services/main.tf
@@ -30,15 +30,6 @@ resource "aws_secretsmanager_secret" "honeycomb_api_key" {
 name = "honeycombio-apikey-${var.cluster_info.name}-${var.cluster_info.environment}"
 }
-# N.B. since we have to tell terraform about this secret in order to
-# configure the Honeycomb module, we might as well set it up automatically
-# for Secrets Manager too. This pattern is not ideal design on the part of
-# Honeycomb.
-resource "aws_secretsmanager_secret_version" "honeycomb_api_key" {
- secret_id = aws_secretsmanager_secret.honeycomb_api_key.id
- secret_string = var.HONEYCOMB_API_KEY
-}
-
 # generate password and make it accessible through aws secrets manager
 resource "random_password" "rds_db_password" {
 length = 16
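Review bot: With `aws_secretsmanager_secret_version.honeycomb_api_key` removed from core-services/main.tf, nothing in Terraform writes a value into `aws_secretsmanager_secret.honeycomb_api_key` (that resource starts above this hunk), yet the only explanation of the new out-of-band step lives in the deployment module. A maintainer reading this module alone will not know why the secret is declared without a version, so I would add a comment on the remaining resource: `# Intentionally no secret_version here: the value is entered out-of-band (e.g. AWS console) after the first apply and read back by the deployment module via a data source.` Because `name` is derived from `cluster_info`, a rename replaces the secret and the manually entered value goes with it; the comment should say that too.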
diff --git a/infrastructure/terraform/aws/modules/core-services/variables.tf b/infrastructure/terraform/aws/modules/core-services/variables.tf
index 5c2ca3fb7..397a66230 100644
--- a/infrastructure/terraform/aws/modules/core-services/variables.tf
+++ b/infrastructure/terraform/aws/modules/core-services/variables.tf
@@ -18,12 +18,3 @@ variable "assets_bucket_url_name" {
 description = "Name for the asset bucket -- typically a domain like assets.v7.pubpub.org"
 type = string
 }
-
-# TODO: Possibly, this factoring could be improved
-# by making it easier to deploy the Core without a honeycomb
-# account.
-variable "HONEYCOMB_API_KEY" {
- description = "API key for the honeycomb environment"
- type = string
- sensitive = true
-}
diff --git a/infrastructure/terraform/aws/main.tf b/infrastructure/terraform/aws/modules/deployment/main.tf
similarity index 85%
rename from infrastructure/terraform/aws/main.tf
rename to infrastructure/terraform/aws/modules/deployment/main.tf
index 1104620f5..3af3191d4 100644
--- a/infrastructure/terraform/aws/main.tf
+++ b/infrastructure/terraform/aws/modules/deployment/main.tf
@@ -13,17 +13,14 @@ terraform {
 version = ">= 0.22.0"
 }
 }
- backend "s3" {
- # contents provided in NAME.s3.tfbackend
- }
 }
-provider "aws" {
- region = var.region
-}
+# provider "aws" {
+# region = var.region
+# }
 module "cluster" {
- source = "./modules/v7-cluster"
+ source = "../v7-cluster"
 name = var.name
 environment = var.environment
@@ -35,15 +32,14 @@ module "cluster" {
 }
 module "core_dependency_services" {
- source = "./modules/core-services"
+ source = "../core-services"
 cluster_info = module.cluster.cluster_info
 assets_bucket_url_name = var.ASSETS_BUCKET_NAME
- HONEYCOMB_API_KEY = var.HONEYCOMB_API_KEY
 }
 module "service_core" {
- source = "./modules/container-generic"
+ source = "../container-generic"
 service_name = "core"
 cluster_info = module.cluster.cluster_info
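Review bot: In the `@@ -13,17 +13,14 @@` hunk of modules/deployment/main.tf the `provider "aws"` block is commented out rather than deleted, leaving three dead lines in a file that otherwise now has the right shape (a child module should not configure providers, which is exactly why the block had to go). A commented-out provider block invites someone to uncomment it later and reintroduce the legacy pattern; I would drop `# provider "aws" {`, `#   region = var.region` and `# }` and, if a pointer is wanted, replace them with `# Provider configuration comes from the calling environment (see environments/<name>/main.tf).` The `terraform { required_providers }` block that remains is the correct way for a module to state its provider needs, so nothing else is required here.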
@@ -107,7 +103,7 @@ module "service_core" {
 }
 module "service_flock" {
- source = "./modules/container-generic"
+ source = "../container-generic"
 service_name = "jobs"
 cluster_info = module.cluster.cluster_info
@@ -133,7 +129,7 @@ module "service_flock" {
 }
 module "service_intg_submissions" {
- source = "./modules/container-generic"
+ source = "../container-generic"
 service_name = "integration-submissions"
 cluster_info = module.cluster.cluster_info
@@ -166,7 +162,7 @@ module "service_flock" {
 }
 module "service_intg_evaluations" {
- source = "./modules/container-generic"
+ source = "../container-generic"
 service_name = "integration-evaluations"
 cluster_info = module.cluster.cluster_info
@@ -199,7 +195,7 @@ module "service_flock" {
 }
 module "service_bastion" {
- source = "./modules/container-generic"
+ source = "../container-generic"
 service_name = "bastion"
 cluster_info = module.cluster.cluster_info
@@ -230,9 +226,26 @@ module "service_flock" {
 }
 }
+
+# N.B. This invocation means that the deployment including honeycomb cannot succeed
+# until after you have inserted the secret into the AWS console. This only happens
+# in this one case because with things like ECS, you can successfully "apply"
+# even if secrets are not present; the containers will simply fail to start.
+# However, this last section of TF code can be commented out for a first apply,
+# then go and insert secret in console, then reapply with this.
+#
+# This is the result of an awkward design pattern, where instead of the
+# Honeycomb provider being configured to search for an API key in the env,
+# the modules themselves expect an API key as an inline var and fail if
+# it is not set. This is probably because the API keys are different for
+# different environments, rather than per account/user/etc.
+data "aws_secretsmanager_secret_version" "honeycomb_api_key" {
+ secret_id = module.core_dependency_services.secrets.honeycomb_api_key
+}
+
 module "observability_honeycomb_integration" {
- source = "./modules/honeycomb-integration"
+ source = "../honeycomb-integration"
 cluster_info = module.cluster.cluster_info
- HONEYCOMB_API_KEY = var.HONEYCOMB_API_KEY
+ HONEYCOMB_API_KEY = data.aws_secretsmanager_secret_version.honeycomb_api_key.secret_string
 }
diff --git a/infrastructure/terraform/aws/outputs.tf b/infrastructure/terraform/aws/modules/deployment/outputs.tf
similarity index 100%
rename from infrastructure/terraform/aws/outputs.tf
rename to infrastructure/terraform/aws/modules/deployment/outputs.tf
diff --git a/infrastructure/terraform/aws/variables.tf b/infrastructure/terraform/aws/modules/deployment/variables.tf
similarity index 90%
rename from infrastructure/terraform/aws/variables.tf
rename to infrastructure/terraform/aws/modules/deployment/variables.tf
index 76ce40e9a..88aeffc06 100644
--- a/infrastructure/terraform/aws/variables.tf
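Review bot: `data.aws_secretsmanager_secret_version.honeycomb_api_key.secret_string` is handed to the honeycomb-integration module as a plain argument, and because data source results are stored in state, the API key now lives in this environment's Terraform state file as well as in Secrets Manager; that is only acceptable if the state backend is encrypted and access-restricted. Whether the value is redacted in `terraform plan` output depends on the module's `HONEYCOMB_API_KEY` variable being declared `sensitive = true`; the root variable this commit deletes was, but the module's own declaration is not on this page, so please confirm it. `module.core_dependency_services.secrets.honeycomb_api_key` is an output I cannot see here, so I have not checked that it yields the secret ARN or name the data source expects, and the lookup will fail at plan time until a current version of the secret exists, as the comment says. The twelve-line comment could be cut to the operational instruction (comment out this section for the first apply, enter the secret, reapply) plus a one-line note that the provider design forces an inline key.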
+++ b/infrastructure/terraform/aws/modules/deployment/variables.tf
@@ -50,9 +50,3 @@ variable "ASSETS_BUCKET_NAME" {
 description = "Name of the S3 bucket to store assets"
 type = string
 }
-
-variable "HONEYCOMB_API_KEY" {
- description = "API Key for Honeycomb integration"
- type = string
- sensitive = true
-}