diff --git a/infrastructure/maskfile.md b/infrastructure/maskfile.md index 4ad51396f..534cc6254 100644 --- a/infrastructure/maskfile.md +++ b/infrastructure/maskfile.md @@ -28,7 +28,16 @@ Both `act` commands (for container version updates) and `terraform` commands Usually this means setting a file at `~/.aws/credentials` and `~/.aws/config`: see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html -## aws:tf:plan +`terraform` commands for the `global` workspace require write-access API token +to Cloudflare. Since this is one of the highest-security-profile accounts, it +is not assumed all developers have access to this. To run these commands, set +`CLOUDFLARE_API_TOKEN` environment variable. + +## tf + +> Terraform-related commands to run in one workspace or another + +### tf plan > Runs the plan (diff showing) command interactively using the environment specified. @@ -44,7 +53,7 @@ see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html ```bash ( - cd terraform/aws/environments/${proper_name} + cd terraform/environments/${proper_name} export AWS_PAGER="" if aws sts get-caller-identity; then @@ -61,7 +70,7 @@ see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html ) ``` -## aws:tf:apply +### tf apply > Runs the apply command interactively, still asking for confirmation, using the environment specified. @@ -77,7 +86,7 @@ see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html ```bash ( - cd terraform/aws/environments/${proper_name} + cd terraform/environments/${proper_name} export AWS_PAGER="" if aws sts get-caller-identity; then @@ -94,7 +103,7 @@ see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html ) ``` -## aws:tf:init +### tf init > Runs the initialization for the environment 
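Review bot: The new paragraph says the `global` workspace needs the Cloudflare token, but nothing this commit creates is named `global`: the new directories are `terraform/environments/cloudflare` and `terraform/environments/global_aws`, and `tf plan` below runs `cd terraform/environments/${proper_name}`, so a reader cannot pass a workspace literally called `global`. The only new module with visible Cloudflare resources is `environments/cloudflare`, so the sentence should name that workspace explicitly, e.g. `` `terraform` commands for the `cloudflare` workspace require a write-access API token to Cloudflare. ``. The paragraph also stops at "set `CLOUDFLARE_API_TOKEN`" although it calls this one of the highest-security-profile accounts; suggest appending `Create the token scoped to the single zone and the DNS edit permission the module needs, with an expiry, rather than an account-wide token.` so the least-privilege expectation is written down where the credential is introduced.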
@@ -109,13 +118,17 @@ see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html ```bash ( - cd terraform/aws/environments/${proper_name} + cd terraform/environments/${proper_name} terraform init ) ``` -## aws:ecs:deploy:all +## ecs + +> commands that manage AWS containers + +### ecs deploy:all > Use `act` CLI to deploy all containers to a given SHA (or HEAD). @@ -160,7 +173,7 @@ see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html ) ``` -## aws:ecs:deploy:one +### ecs deploy:one > Use `act` CLI to deploy ONE container/service to a given SHA (or HEAD). @@ -211,7 +224,7 @@ see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html ) ``` -## aws:ecr:build:all +### ecs build:all > Use `act` CLI to build and push all containers with local code, tagged with the HEAD (or HEAD-dirty) SHA @@ -235,7 +248,7 @@ No options are required -- the workflow infers them all. ) ``` -## aws:bastion +### ecs bastion > Opens an interactive shell on the bastion container in AWS @@ -286,7 +299,7 @@ aws ecs \ -## nginx:build +### ecs nginx:build > Builds the nginx container used in AWS ECS for inbound traffic @@ -298,7 +311,7 @@ docker build \ ./nginx ``` -## nginx:push +### ecs nginx:push > Pushes the locally built latest nginx container diff --git a/infrastructure/terraform/aws/README.md b/infrastructure/terraform/README.md similarity index 100% rename from infrastructure/terraform/aws/README.md rename to infrastructure/terraform/README.md diff --git a/infrastructure/terraform/aws/.terraform.lock.hcl b/infrastructure/terraform/aws/.terraform.lock.hcl deleted file mode 100644 index cb0c20f9e..000000000 --- a/infrastructure/terraform/aws/.terraform.lock.hcl +++ /dev/null 
@@ -1,66 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "5.33.0" - constraints = ">= 4.0.0, >= 5.0.0" - hashes = [ - "h1:kPm7PkwHh6tZ74pUj5C/QRPtauxdnzrEG2yhCJla/4o=", - "zh:10bb683f2a9306e881f51a971ad3b2bb654ac94b54945dd63769876a343b5b04", - "zh:3916406db958d5487ea0c2d2320012d1907c29e6d01bf693560fe05e38ee0601", - "zh:3cb54b76b2f9e30620f3281ab7fb20633b1e4584fc84cc4ecd5752546252e86f", - "zh:513bcfd6971482215c5d64725189f875cbcbd260c6d11f0da4d66321efd93a92", - "zh:545a34427ebe7a950056627e7c980c9ba16318bf086d300eb808ffc41c52b7a8", - "zh:5a44b90faf1c8e8269f389c04bfac25ad4766d26360e7f7ac371be12a442981c", - "zh:64e1ef83162f78538dccad8b035577738851395ba774d6919cb21eb465a21e3a", - "zh:7315c70cb6b7f975471ea6129474639a08c58c071afc95a36cfaa41a13ae7fb9", - "zh:9806faae58938d638b757f54414400be998dddb45edfd4a29c85e827111dc93d", - "zh:997fa2e2db242354d9f772fba7eb17bd6d18d28480291dd93f85a18ca0a67ac2", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9f9e076b7e9752971f39eead6eda69df1c5e890c82ba2ca95f56974af7adfe79", - "zh:b1d6af047f96de7f97d38b685654f1aed4356d5060b0e696d87d0270f5d49f75", - "zh:bfb0654b6f34398aeffdf907b744af06733d168db610a2c5747263380f817ac7", - "zh:e25203ee8cedccf60bf450950d533d3c172509bda8af97dbc3bc817d2a503c57", - ] -} - -provider "registry.terraform.io/hashicorp/random" { - version = "3.6.0" - hashes = [ - "h1:I8MBeauYA8J8yheLJ8oSMWqB0kovn16dF/wKZ1QTdkk=", - "zh:03360ed3ecd31e8c5dac9c95fe0858be50f3e9a0d0c654b5e504109c2159287d", - "zh:1c67ac51254ba2a2bb53a25e8ae7e4d076103483f55f39b426ec55e47d1fe211", - "zh:24a17bba7f6d679538ff51b3a2f378cedadede97af8a1db7dad4fd8d6d50f829", - "zh:30ffb297ffd1633175d6545d37c2217e2cef9545a6e03946e514c59c0859b77d", - "zh:454ce4b3dbc73e6775f2f6605d45cee6e16c3872a2e66a2c97993d6e5cbd7055", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - 
"zh:91df0a9fab329aff2ff4cf26797592eb7a3a90b4a0c04d64ce186654e0cc6e17", - "zh:aa57384b85622a9f7bfb5d4512ca88e61f22a9cea9f30febaa4c98c68ff0dc21", - "zh:c4a3e329ba786ffb6f2b694e1fd41d413a7010f3a53c20b432325a94fa71e839", - "zh:e2699bc9116447f96c53d55f2a00570f982e6f9935038c3810603572693712d0", - "zh:e747c0fd5d7684e5bfad8aa0ca441903f15ae7a98a737ff6aca24ba223207e2c", - "zh:f1ca75f417ce490368f047b63ec09fd003711ae48487fba90b4aba2ccf71920e", - ] -} - -provider "registry.terraform.io/honeycombio/honeycombio" { - version = "0.22.0" - constraints = ">= 0.3.0" - hashes = [ - "h1:y2thf9K3ZkOd+7YlE0c9Hrhlrym0Byou9ZaF4pRzdcQ=", - "zh:02fc459be9937338a4c29513b8b97780c380f153a083e81b6c3c6df3bd0963be", - "zh:488659a795acd8923069fdf50f7b79ae214059e304a5fb8fe6fe590bc3e22225", - "zh:508ccec207061bcd662c41867b8fcf60eb38e08e7cfac24951b624f7a7f1312b", - "zh:694c3076c2a140d3c9217987f5b5a5e30425aeab13831cfe6fd716c411ec262e", - "zh:8ada3becaf167c60cb73d7da7254896451926e7d51e4c2d5bdae0d77042529d7", - "zh:92b1d2711fe3fea68885043cee68a3b349453bcb357317fc38417e14dfc17c4e", - "zh:95e147005583e3f73a53933f510bcc0f0e7509db0cb6b4f19f7572b19aa84e13", - "zh:af1ceff120c8252fbab7e85650f7bfb218a33a8bf0450614cb8a1a35938a26f1", - "zh:d63e4befd2f8f575c803a168e5a938439383014ab6cfcbd44b546ebbbb76dd05", - "zh:d78d2ed88131544c40474fb20191859ef9d8a2ee6265478ac3db618abac2b0b0", - "zh:e0cb8ce8bc92c24f31e0cc1489ae030842d53348909f8a34feea11efdac2d3c1", - "zh:e950ed7d9609db6418b0d8f6bdfdf375a0cf168af95a4220b36fc925309f90c9", - "zh:eb47da8c317e62896434c5fefea681dcc2b329200a6f0037de1fa5fdc2c0b441", - "zh:fdeed74e55497c6549f0be6608fe7ddefdc816683257245d5d31d67037bbf462", - ] -} 
diff --git a/infrastructure/terraform/aws/environments/blake/.terraform.lock.hcl b/infrastructure/terraform/environments/blake/.terraform.lock.hcl
similarity index 74%
rename from infrastructure/terraform/aws/environments/blake/.terraform.lock.hcl
rename to infrastructure/terraform/environments/blake/.terraform.lock.hcl
index 9d08fe07d..74cf5acb8 100644
--- a/infrastructure/terraform/aws/environments/blake/.terraform.lock.hcl
+++ b/infrastructure/terraform/environments/blake/.terraform.lock.hcl
@@ -1,6 +1,29 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. +provider "registry.terraform.io/cloudflare/cloudflare" { + version = "4.30.0" + constraints = "~> 4.0" + hashes = [ + "h1:FhhTF09/BBk37akGLFx9/uWkGUGwSNRub8vP80TaF7Q=", + "zh:218d1948b59e3d2e3af082724a0d057bcca5a5643c5e7c3b85eefc02430edd6b", + "zh:24eb677bc1b205565efb5c0d1c464f63d1e240aac61f5b2ef15165fe842cb7e2", + "zh:27896ed2a4f05f6a46ef25e674e445e89bd4bfba8cddbe95940109c6dc3179cc", + "zh:38b3b8297a9650b0ed09d57e0d802f5d851062bdadf72825652232c9a67346ac", + "zh:58d49ec9f414d0ff71e94cc991e1e3e33a13502ce0fea1393edd1297d0877bab", + "zh:5ed92c556e72cc4ea7fdf6db9e0dd7b093d179e26f2d2989b21a004a6402f2ae", + "zh:71f5c64702a7b2102f6d5edfd767953cd5b1248093c05983b909de06cf0c40cc", + "zh:788a023967db63b8eda9c0415851a743daf4073bab66b0bd1204bccbb54c9f8f", + "zh:7b9cd30355b4f63941284998167c3f3e5d208685e5176928275436de012f62d2", + "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f", + "zh:923ec04258fde407f0fce80488268f4277ffac68fb7240eee4f4373a344c5469", + "zh:97473bdb848a7f77832fde6d0e68877bdcc17bf47ae3639fb09e1aeff4a92a01", + "zh:9b8754d8f7c15878ecb8897a6ffc4e9ec95f4e5f0560f4129af82a8200e602ea", + "zh:b890723ed524d34e7fbee6c119714be23e1783b82441ce4c18871c9d54f10cbd", + "zh:c75e0e5f406653c9b4928d97a38410ad7bb20d48e260c17ae3125a77b0457bf5", + ] +} + provider "registry.terraform.io/hashicorp/aws" { version = "5.45.0" constraints = ">= 4.0.0, >= 4.66.1, >= 5.0.0, >= 5.27.0" diff --git a/infrastructure/terraform/aws/environments/blake/main.tf b/infrastructure/terraform/environments/blake/main.tf similarity index 89% rename from infrastructure/terraform/aws/environments/blake/main.tf rename to infrastructure/terraform/environments/blake/main.tf index efd72cd60..c4f656b77 100644 --- a/infrastructure/terraform/aws/environments/blake/main.tf +++ b/infrastructure/terraform/environments/blake/main.tf 
@@ -39,8 +39,8 @@ locals { environment = "staging" region = "us-east-1" - # TODO: Resume using this once we also Terraform the Route53 - # pubpub_url = "https://v7.pubpub.org" + pubpub_hostname = "blake.duqduq.org" + route53_zone_id = "Z059164612717GL8VGM95" MAILGUN_SMTP_USERNAME = "v7@mg.pubpub.org" NEXT_PUBLIC_SUPABASE_URL = "https://dsleqjuvzuoycpeotdws.supabase.co" @@ -48,6 +48,7 @@ locals { ASSETS_BUCKET_NAME = "assets.blake.pubpub.org" } + ###### ## ## Complete generic environment @@ -61,6 +62,9 @@ module "deployment" { environment = local.environment region = local.region + pubpub_hostname = local.pubpub_hostname + route53_zone_id = local.route53_zone_id + MAILGUN_SMTP_USERNAME = local.MAILGUN_SMTP_USERNAME NEXT_PUBLIC_SUPABASE_URL = local.NEXT_PUBLIC_SUPABASE_URL NEXT_PUBLIC_SUPABASE_PUBLIC_KEY = local.NEXT_PUBLIC_SUPABASE_PUBLIC_KEY diff --git a/infrastructure/terraform/globals/.terraform.lock.hcl b/infrastructure/terraform/environments/cloudflare/.terraform.lock.hcl similarity index 51% rename from infrastructure/terraform/globals/.terraform.lock.hcl rename to infrastructure/terraform/environments/cloudflare/.terraform.lock.hcl index ec30c9d73..35b9288d6 100644 --- a/infrastructure/terraform/globals/.terraform.lock.hcl +++ b/infrastructure/terraform/environments/cloudflare/.terraform.lock.hcl 
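Review bot: `route53_zone_id = "Z059164612717GL8VGM95"` is a bare literal with nothing tying it to the zone it must match; it has to be the `aws_route53_zone.duqduq` that `environments/cloudflare/main.tf` creates and delegates `blake.duqduq.org` to, and a stale or mistyped id only surfaces much later when ACM validation in `modules/v7-cluster/dns.tf` times out. Add a comment naming the source, e.g. `# hosted zone id of aws_route53_zone.duqduq (environments/cloudflare); must be the zone the NS delegation for blake.duqduq.org points at`, and consider exposing the id as an output of that module so the value is copied from a reviewed place. `terraform_remote_state` would remove the copy entirely, but it gives the reader the whole cloudflare state, which the new README treats as admin-only, so a documented copy or an output surfaced another way is the better fit here. The `locals` block continues outside the hunk.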
@@ -1,6 +1,29 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. +provider "registry.terraform.io/cloudflare/cloudflare" { + version = "4.30.0" + constraints = "~> 4.0" + hashes = [ + "h1:FhhTF09/BBk37akGLFx9/uWkGUGwSNRub8vP80TaF7Q=", + "zh:218d1948b59e3d2e3af082724a0d057bcca5a5643c5e7c3b85eefc02430edd6b", + "zh:24eb677bc1b205565efb5c0d1c464f63d1e240aac61f5b2ef15165fe842cb7e2", + "zh:27896ed2a4f05f6a46ef25e674e445e89bd4bfba8cddbe95940109c6dc3179cc", + "zh:38b3b8297a9650b0ed09d57e0d802f5d851062bdadf72825652232c9a67346ac", + "zh:58d49ec9f414d0ff71e94cc991e1e3e33a13502ce0fea1393edd1297d0877bab", + "zh:5ed92c556e72cc4ea7fdf6db9e0dd7b093d179e26f2d2989b21a004a6402f2ae", + "zh:71f5c64702a7b2102f6d5edfd767953cd5b1248093c05983b909de06cf0c40cc", + "zh:788a023967db63b8eda9c0415851a743daf4073bab66b0bd1204bccbb54c9f8f", + "zh:7b9cd30355b4f63941284998167c3f3e5d208685e5176928275436de012f62d2", + "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f", + "zh:923ec04258fde407f0fce80488268f4277ffac68fb7240eee4f4373a344c5469", + "zh:97473bdb848a7f77832fde6d0e68877bdcc17bf47ae3639fb09e1aeff4a92a01", + "zh:9b8754d8f7c15878ecb8897a6ffc4e9ec95f4e5f0560f4129af82a8200e602ea", + "zh:b890723ed524d34e7fbee6c119714be23e1783b82441ce4c18871c9d54f10cbd", + "zh:c75e0e5f406653c9b4928d97a38410ad7bb20d48e260c17ae3125a77b0457bf5", + ] +} + provider "registry.terraform.io/hashicorp/aws" { version = "5.33.0" constraints = ">= 2.0.0" diff --git a/infrastructure/terraform/environments/cloudflare/README.md b/infrastructure/terraform/environments/cloudflare/README.md new file mode 100644 index 000000000..be8b5aa62 --- /dev/null +++ b/infrastructure/terraform/environments/cloudflare/README.md 
@@ -0,0 +1,21 @@
+# Global Cloudflare configuration
+
+This module should generally be created by an admin,
+and assumees the following permissions which are sensitive:
+
+**Cloudflare read-write token** set at `CLOUDFLARE_API_TOKEN`. In general, this
+secret can be used for very nefarious things and should be extra sensitively protected.
+
+**AWS read-write permissions**: in `~/.aws/credentials`. see `../maskfile.md` for more info.
+
+## Relationship to AWS environments
+
+AWS environments assume existence of the Route53 zone and DNS NS records that refer authority
+to that zone. If you are not using Cloudflare this module is not needed for those environments,
+but in general to create a new env it is expected to augment this module with NS records referring
+to this route53 configuration for domains subordinate to that new AWS env.
+
+Therefore updates to this module, which should happen very infrequently, should be applied before
+you attempt to create the new AWS-ECS environment, otherwise that will fail due to the AWS Certificate
+Manager being unsuccessful in validating your ownership of the DNS.
+
diff --git a/infrastructure/terraform/environments/cloudflare/main.tf b/infrastructure/terraform/environments/cloudflare/main.tf
new file mode 100644
index 000000000..d3c50d3fe
--- /dev/null
+++ b/infrastructure/terraform/environments/cloudflare/main.tf
@@ -0,0 +1,56 @@
+# aws terraform provider config
+
+terraform {
+ required_version = ">= 1.5.0"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 2.0"
+ }
+
+ cloudflare = {
+ source = "cloudflare/cloudflare"
+ version = "~> 4.0"
+ }
+ }
+ backend "s3" {
+ bucket = "pubpub-tfstates"
+ key = "cloudflare.tfstate"
+ region = "us-east-1"
+ }
+}
+
+
+provider "aws" {
+ region = "us-east-1"
+}
+
+######
+#
+## Configuration of routing from Cloudflare to Route53.
+#
+######
+
+locals {
+ duqduq_domain = "duqduq.org"
+}
+
+data "cloudflare_zone" "duqduq" {
+ name = local.duqduq_domain
+}
+
+resource "aws_route53_zone" "duqduq" {
+ name = local.duqduq_domain
+}
+
+# do this for all subdomains of duqduq that need to be NS'd to v7
+resource "cloudflare_record" "ns" {
+ for_each = toset(["0", "1", "2", "3"])
+ type = "NS"
+
+ zone_id = data.cloudflare_zone.duqduq.id
+
+ name = "blake.${local.duqduq_domain}"
+
+ value = aws_route53_zone.duqduq.name_servers[tonumber(each.key)]
+}
diff --git a/infrastructure/terraform/aws/modules/container-generic/outputs.tf b/infrastructure/terraform/environments/cloudflare/outputs.tf
similarity index 100%
rename from infrastructure/terraform/aws/modules/container-generic/outputs.tf
rename to infrastructure/terraform/environments/cloudflare/outputs.tf
diff --git a/infrastructure/terraform/environments/global_aws/.terraform.lock.hcl b/infrastructure/terraform/environments/global_aws/.terraform.lock.hcl
new file mode 100644
index 000000000..35b9288d6
--- /dev/null
+++ b/infrastructure/terraform/environments/global_aws/.terraform.lock.hcl
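Review bot: `cloudflare_record.ns` hard-codes `name = "blake.${local.duqduq_domain}"` although the comment above it says it is meant for all subdomains delegated to v7, so every new environment will need a copy of the resource; listing the delegated subdomains in `locals` and iterating over `setproduct` keeps one resource and makes the full set of delegations reviewable in one place. Changing the `for_each` keys makes Terraform destroy and recreate the four existing NS records, which briefly breaks delegation for `blake`, so pair the change with `moved` blocks mapping `cloudflare_record.ns["0"]` … `["3"]` to the new keys. The index set `["0", "1", "2", "3"]` also deserves a comment stating that it relies on Route53 returning exactly four name servers, since an out-of-range index would fail only at apply time.
```hcl
locals {
  duqduq_domain = "duqduq.org"
  # Subdomains of duqduq.org whose DNS authority is delegated to the Route53 zone below.
  delegated_subdomains = ["blake"]
}

# … unchanged: cloudflare_zone data source and aws_route53_zone resource …

# One NS record per (subdomain, name server); Route53 public zones return four name servers.
resource "cloudflare_record" "ns" {
  for_each = {
    for pair in setproduct(local.delegated_subdomains, ["0", "1", "2", "3"]) :
    "${pair[0]}-${pair[1]}" => pair
  }
  type    = "NS"
  zone_id = data.cloudflare_zone.duqduq.id
  name    = "${each.value[0]}.${local.duqduq_domain}"
  value   = aws_route53_zone.duqduq.name_servers[tonumber(each.value[1])]
}
```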
@@ -0,0 +1,48 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/cloudflare/cloudflare" { + version = "4.30.0" + constraints = "~> 4.0" + hashes = [ + "h1:FhhTF09/BBk37akGLFx9/uWkGUGwSNRub8vP80TaF7Q=", + "zh:218d1948b59e3d2e3af082724a0d057bcca5a5643c5e7c3b85eefc02430edd6b", + "zh:24eb677bc1b205565efb5c0d1c464f63d1e240aac61f5b2ef15165fe842cb7e2", + "zh:27896ed2a4f05f6a46ef25e674e445e89bd4bfba8cddbe95940109c6dc3179cc", + "zh:38b3b8297a9650b0ed09d57e0d802f5d851062bdadf72825652232c9a67346ac", + "zh:58d49ec9f414d0ff71e94cc991e1e3e33a13502ce0fea1393edd1297d0877bab", + "zh:5ed92c556e72cc4ea7fdf6db9e0dd7b093d179e26f2d2989b21a004a6402f2ae", + "zh:71f5c64702a7b2102f6d5edfd767953cd5b1248093c05983b909de06cf0c40cc", + "zh:788a023967db63b8eda9c0415851a743daf4073bab66b0bd1204bccbb54c9f8f", + "zh:7b9cd30355b4f63941284998167c3f3e5d208685e5176928275436de012f62d2", + "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f", + "zh:923ec04258fde407f0fce80488268f4277ffac68fb7240eee4f4373a344c5469", + "zh:97473bdb848a7f77832fde6d0e68877bdcc17bf47ae3639fb09e1aeff4a92a01", + "zh:9b8754d8f7c15878ecb8897a6ffc4e9ec95f4e5f0560f4129af82a8200e602ea", + "zh:b890723ed524d34e7fbee6c119714be23e1783b82441ce4c18871c9d54f10cbd", + "zh:c75e0e5f406653c9b4928d97a38410ad7bb20d48e260c17ae3125a77b0457bf5", + ] +} + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.33.0" + constraints = ">= 2.0.0" + hashes = [ + "h1:kPm7PkwHh6tZ74pUj5C/QRPtauxdnzrEG2yhCJla/4o=", + "zh:10bb683f2a9306e881f51a971ad3b2bb654ac94b54945dd63769876a343b5b04", + "zh:3916406db958d5487ea0c2d2320012d1907c29e6d01bf693560fe05e38ee0601", + "zh:3cb54b76b2f9e30620f3281ab7fb20633b1e4584fc84cc4ecd5752546252e86f", + "zh:513bcfd6971482215c5d64725189f875cbcbd260c6d11f0da4d66321efd93a92", + "zh:545a34427ebe7a950056627e7c980c9ba16318bf086d300eb808ffc41c52b7a8", + 
"zh:5a44b90faf1c8e8269f389c04bfac25ad4766d26360e7f7ac371be12a442981c", + "zh:64e1ef83162f78538dccad8b035577738851395ba774d6919cb21eb465a21e3a", + "zh:7315c70cb6b7f975471ea6129474639a08c58c071afc95a36cfaa41a13ae7fb9", + "zh:9806faae58938d638b757f54414400be998dddb45edfd4a29c85e827111dc93d", + "zh:997fa2e2db242354d9f772fba7eb17bd6d18d28480291dd93f85a18ca0a67ac2", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9f9e076b7e9752971f39eead6eda69df1c5e890c82ba2ca95f56974af7adfe79", + "zh:b1d6af047f96de7f97d38b685654f1aed4356d5060b0e696d87d0270f5d49f75", + "zh:bfb0654b6f34398aeffdf907b744af06733d168db610a2c5747263380f817ac7", + "zh:e25203ee8cedccf60bf450950d533d3c172509bda8af97dbc3bc817d2a503c57", + ] +} diff --git a/infrastructure/terraform/globals/README.md b/infrastructure/terraform/environments/global_aws/README.md similarity index 88% rename from infrastructure/terraform/globals/README.md rename to infrastructure/terraform/environments/global_aws/README.md index bd137d7a9..91f70aad9 100644 --- a/infrastructure/terraform/globals/README.md +++ b/infrastructure/terraform/environments/global_aws/README.md @@ -1,8 +1,10 @@ -# Global terraform state module +# Global configurations This module should generally be created by an admin, and not applied or updated by a machine user. +## Creation of the terraform state bucket + 1. Uncomment the code creating this bucket; comment the backend block 1. terraform init 1. Set the bucket name @@ -13,3 +15,4 @@ and not applied or updated by a machine user. 1. destroy local copies of the state file This bucket name can now be in your s3.tfbackend files everywhere. + diff --git a/infrastructure/terraform/globals/github_actions_iam.tf b/infrastructure/terraform/environments/global_aws/github_actions_iam.tf similarity index 100% rename from infrastructure/terraform/globals/github_actions_iam.tf rename to infrastructure/terraform/environments/global_aws/github_actions_iam.tf 
diff --git a/infrastructure/terraform/globals/main.tf b/infrastructure/terraform/environments/global_aws/main.tf
similarity index 89%
rename from infrastructure/terraform/globals/main.tf
rename to infrastructure/terraform/environments/global_aws/main.tf
index 5c66e9362..333fb53fe 100644
--- a/infrastructure/terraform/globals/main.tf
+++ b/infrastructure/terraform/environments/global_aws/main.tf
@@ -7,6 +7,11 @@ terraform {
 source = "hashicorp/aws"
 version = ">= 2.0"
 }
+
+ cloudflare = {
+ source = "cloudflare/cloudflare"
+ version = "~> 4.0"
+ }
 }
 backend "s3" {
 bucket = "pubpub-tfstates"
diff --git a/infrastructure/terraform/globals/outputs.tf b/infrastructure/terraform/environments/global_aws/outputs.tf
similarity index 100%
rename from infrastructure/terraform/globals/outputs.tf
rename to infrastructure/terraform/environments/global_aws/outputs.tf
diff --git a/infrastructure/terraform/aws/modules/container-generic/README.md b/infrastructure/terraform/modules/container-generic/README.md
similarity index 100%
rename from infrastructure/terraform/aws/modules/container-generic/README.md
rename to infrastructure/terraform/modules/container-generic/README.md
diff --git a/infrastructure/terraform/aws/modules/container-generic/main.tf b/infrastructure/terraform/modules/container-generic/main.tf
similarity index 100%
rename from infrastructure/terraform/aws/modules/container-generic/main.tf
rename to infrastructure/terraform/modules/container-generic/main.tf
diff --git a/infrastructure/terraform/aws/modules/deployment/outputs.tf b/infrastructure/terraform/modules/container-generic/outputs.tf
similarity index 100%
rename from infrastructure/terraform/aws/modules/deployment/outputs.tf
rename to infrastructure/terraform/modules/container-generic/outputs.tf
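Review bot: `global_aws/main.tf` now declares `cloudflare` in `required_providers`, but no Cloudflare resource, data source or `provider "cloudflare"` block for this module is visible anywhere in the commit, so it is not clear what the declaration is for. If nothing in `global_aws` uses it, the entry only widens the set of third-party providers that `terraform init` downloads and the new `global_aws/.terraform.lock.hcl` pins, and should be dropped; if something does use it, a one-line comment such as `# used by <cloudflare resource in this module>; requires CLOUDFLARE_API_TOKEN` would make the extra credential requirement discoverable, since the README for this module only mentions AWS access. The `terraform` block continues outside the hunk.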
diff --git a/infrastructure/terraform/aws/modules/container-generic/variables.tf b/infrastructure/terraform/modules/container-generic/variables.tf
similarity index 100%
rename from infrastructure/terraform/aws/modules/container-generic/variables.tf
rename to infrastructure/terraform/modules/container-generic/variables.tf
diff --git a/infrastructure/terraform/aws/modules/core-services/README.md b/infrastructure/terraform/modules/core-services/README.md
similarity index 100%
rename from infrastructure/terraform/aws/modules/core-services/README.md
rename to infrastructure/terraform/modules/core-services/README.md
diff --git a/infrastructure/terraform/aws/modules/core-services/main.tf b/infrastructure/terraform/modules/core-services/main.tf
similarity index 100%
rename from infrastructure/terraform/aws/modules/core-services/main.tf
rename to infrastructure/terraform/modules/core-services/main.tf
diff --git a/infrastructure/terraform/aws/modules/core-services/outputs.tf b/infrastructure/terraform/modules/core-services/outputs.tf
similarity index 100%
rename from infrastructure/terraform/aws/modules/core-services/outputs.tf
rename to infrastructure/terraform/modules/core-services/outputs.tf
diff --git a/infrastructure/terraform/aws/modules/core-services/variables.tf b/infrastructure/terraform/modules/core-services/variables.tf
similarity index 100%
rename from infrastructure/terraform/aws/modules/core-services/variables.tf
rename to infrastructure/terraform/modules/core-services/variables.tf
diff --git a/infrastructure/terraform/aws/modules/deployment/main.tf b/infrastructure/terraform/modules/deployment/main.tf
similarity index 94%
rename from infrastructure/terraform/aws/modules/deployment/main.tf
rename to infrastructure/terraform/modules/deployment/main.tf
index 3af3191d4..8cd0d45a1 100644
--- a/infrastructure/terraform/aws/modules/deployment/main.tf
+++ b/infrastructure/terraform/modules/deployment/main.tf
@@ -26,6 +26,10 @@ module "cluster" { environment = var.environment region = var.region + pubpub_hostname = var.pubpub_hostname + + route53_zone_id = var.route53_zone_id + container_ingress_port = 8080 availability_zones = ["us-east-1a", "us-east-1c"] @@ -38,6 +42,10 @@ module "core_dependency_services" { assets_bucket_url_name = var.ASSETS_BUCKET_NAME } +locals { + PUBPUB_URL = "https://${var.pubpub_hostname}" +} + module "service_core" { source = "../container-generic" @@ -79,10 +87,10 @@ module "service_core" { { name = "MAILGUN_SMTP_USERNAME", value = var.MAILGUN_SMTP_USERNAME }, { name = "MAILGUN_SMTP_HOST", value = var.MAILGUN_SMTP_HOST }, { name = "MAILGUN_SMTP_PORT", value = var.MAILGUN_SMTP_PORT }, - { name = "NEXT_PUBLIC_PUBPUB_URL", value = "http://${module.cluster.cluster_info.alb_dns_name}" }, + { name = "NEXT_PUBLIC_PUBPUB_URL", value = local.PUBPUB_URL }, { name = "NEXT_PUBLIC_SUPABASE_URL", value = var.NEXT_PUBLIC_SUPABASE_URL }, { name = "NEXT_PUBLIC_SUPABASE_PUBLIC_KEY", value = var.NEXT_PUBLIC_SUPABASE_PUBLIC_KEY }, - { name = "PUBPUB_URL", value = "http://${module.cluster.cluster_info.alb_dns_name}" }, + { name = "PUBPUB_URL", value = local.PUBPUB_URL }, { name = "SUPABASE_URL", value = var.NEXT_PUBLIC_SUPABASE_URL }, { name = "SUPABASE_PUBLIC_KEY", value = var.NEXT_PUBLIC_SUPABASE_PUBLIC_KEY }, ] @@ -113,7 +121,7 @@ module "service_flock" { configuration = { container_port = 3000 environment = [ - { name = "PUBPUB_URL", value = "http://${module.cluster.cluster_info.alb_dns_name}" }, + { name = "PUBPUB_URL", value = local.PUBPUB_URL }, { name = "PGUSER", value = module.core_dependency_services.rds_connection_components.user }, { name = "PGDATABASE", value = module.core_dependency_services.rds_connection_components.database }, { name = "PGHOST", value = module.core_dependency_services.rds_connection_components.host }, 
@@ -150,7 +158,7 @@ module "service_flock" { configuration = { environment = [ - { name = "PUBPUB_URL", value = "http://${module.cluster.cluster_info.alb_dns_name}" }, + { name = "PUBPUB_URL", value = local.PUBPUB_URL }, ] secrets = [ @@ -183,7 +191,7 @@ module "service_flock" { configuration = { environment = [ - { name = "PUBPUB_URL", value = "http://${module.cluster.cluster_info.alb_dns_name}" }, + { name = "PUBPUB_URL", value = local.PUBPUB_URL }, ] secrets = [ diff --git a/infrastructure/terraform/modules/deployment/outputs.tf b/infrastructure/terraform/modules/deployment/outputs.tf new file mode 100644 index 000000000..9fe94c2d4 --- /dev/null +++ b/infrastructure/terraform/modules/deployment/outputs.tf @@ -0,0 +1,3 @@ +output "cluster_info" { + value = module.cluster.cluster_info +} diff --git a/infrastructure/terraform/aws/modules/deployment/variables.tf b/infrastructure/terraform/modules/deployment/variables.tf similarity index 78% rename from infrastructure/terraform/aws/modules/deployment/variables.tf rename to infrastructure/terraform/modules/deployment/variables.tf index 88aeffc06..1bd01ddbe 100644 --- a/infrastructure/terraform/aws/modules/deployment/variables.tf +++ b/infrastructure/terraform/modules/deployment/variables.tf @@ -14,10 +14,15 @@ variable "environment" { type = string } -# variable "pubpub_url" { -# description = "URL where pubpub will be addressable (include https://)" -# type = string -# } +variable "pubpub_hostname" { + description = "hostname where pubpub will be addressable (DO NOT include https://)" + type = string +} + +variable "route53_zone_id" { + description = "Zone ID of route53 zone that is already configured as the NS for your subdomain" + type = string +} variable "MAILGUN_SMTP_USERNAME" { description = "SMTP Username for Mailgun service" 
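Review bot: In the `modules/deployment/variables.tf` hunk, `pubpub_hostname`'s description says `DO NOT include https://` but nothing enforces it; `modules/deployment/main.tf` builds `PUBPUB_URL = "https://${var.pubpub_hostname}"` from the value and `modules/v7-cluster/dns.tf` feeds it to ACM and `aws_route53_record`, so a scheme, port or trailing slash would produce a broken URL and a certificate request that fails only at apply time. A `validation` block on the variable rejects that at plan time, and the copy of the variable added in `modules/v7-cluster/variables.tf` should carry the same block. The hunk's trailing `variable "MAILGUN_SMTP_USERNAME"` block continues outside the hunk.
```hcl
variable "pubpub_hostname" {
  description = "hostname where pubpub will be addressable (DO NOT include https://)"
  type        = string

  # Reject schemes, ports and paths early: the value is interpolated into
  # "https://${var.pubpub_hostname}" and used as an ACM / Route53 name.
  validation {
    condition     = can(regex("^[A-Za-z0-9.-]+$", var.pubpub_hostname))
    error_message = "pubpub_hostname must be a bare hostname: no scheme, port or path."
  }
}
```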
diff --git a/infrastructure/terraform/aws/modules/honeycomb-integration/README.md b/infrastructure/terraform/modules/honeycomb-integration/README.md
similarity index 100%
rename from infrastructure/terraform/aws/modules/honeycomb-integration/README.md
rename to infrastructure/terraform/modules/honeycomb-integration/README.md
diff --git a/infrastructure/terraform/aws/modules/honeycomb-integration/main.tf b/infrastructure/terraform/modules/honeycomb-integration/main.tf
similarity index 100%
rename from infrastructure/terraform/aws/modules/honeycomb-integration/main.tf
rename to infrastructure/terraform/modules/honeycomb-integration/main.tf
diff --git a/infrastructure/terraform/aws/modules/honeycomb-integration/outputs.tf b/infrastructure/terraform/modules/honeycomb-integration/outputs.tf
similarity index 100%
rename from infrastructure/terraform/aws/modules/honeycomb-integration/outputs.tf
rename to infrastructure/terraform/modules/honeycomb-integration/outputs.tf
diff --git a/infrastructure/terraform/aws/modules/honeycomb-integration/variables.tf b/infrastructure/terraform/modules/honeycomb-integration/variables.tf
similarity index 100%
rename from infrastructure/terraform/aws/modules/honeycomb-integration/variables.tf
rename to infrastructure/terraform/modules/honeycomb-integration/variables.tf
diff --git a/infrastructure/terraform/modules/v7-cluster/dns.tf b/infrastructure/terraform/modules/v7-cluster/dns.tf
new file mode 100644
index 000000000..79ad1bc5b
--- /dev/null
+++ b/infrastructure/terraform/modules/v7-cluster/dns.tf
@@ -0,0 +1,32 @@
+module "alb_certificate" {
+ source = "terraform-aws-modules/acm/aws"
+ version = "~> 4.0"
+
+ domain_name = var.pubpub_hostname
+ zone_id = var.route53_zone_id
+
+ validation_method = "DNS"
+
+ subject_alternative_names = [
+ "*.${var.pubpub_hostname}",
+ ]
+
+ wait_for_validation = true
+
+ tags = {
+ Name = var.pubpub_hostname
+ Environment = var.environment
+ }
+}
+
+resource "aws_route53_record" "alb" {
+ zone_id = var.route53_zone_id
+ name = var.pubpub_hostname
+ type = "A"
+
+ alias {
+ name = aws_lb.main.dns_name
+ zone_id = aws_lb.main.zone_id
+ evaluate_target_health = false
+ }
+}
diff --git a/infrastructure/terraform/aws/modules/v7-cluster/ecr.tf b/infrastructure/terraform/modules/v7-cluster/ecr.tf
similarity index 100%
rename from infrastructure/terraform/aws/modules/v7-cluster/ecr.tf
rename to infrastructure/terraform/modules/v7-cluster/ecr.tf
diff --git a/infrastructure/terraform/aws/modules/v7-cluster/ecs.tf b/infrastructure/terraform/modules/v7-cluster/ecs.tf
similarity index 100%
rename from infrastructure/terraform/aws/modules/v7-cluster/ecs.tf
rename to infrastructure/terraform/modules/v7-cluster/ecs.tf
diff --git a/infrastructure/terraform/aws/modules/v7-cluster/main.tf b/infrastructure/terraform/modules/v7-cluster/main.tf
similarity index 96%
rename from infrastructure/terraform/aws/modules/v7-cluster/main.tf
rename to infrastructure/terraform/modules/v7-cluster/main.tf
index 027d5be61..761d827db 100644
--- a/infrastructure/terraform/aws/modules/v7-cluster/main.tf
+++ b/infrastructure/terraform/modules/v7-cluster/main.tf
@@ -148,8 +148,11 @@ resource "aws_lb" "main" { resource "aws_lb_listener" "main" { load_balancer_arn = aws_lb.main.arn - port = 80 - protocol = "HTTP" + port = 443 + protocol = "HTTPS" + ssl_policy = "ELBSecurityPolicy-2016-08" + certificate_arn = module.alb_certificate.acm_certificate_arn + default_action { type = "fixed-response"
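Review bot: `version = "~> 4.0"` on the `terraform-aws-modules/acm/aws` module in `dns.tf` is a floating constraint, and unlike providers, module versions are not recorded in `.terraform.lock.hcl`, so any `terraform init -upgrade` can silently pull a newer 4.x of third-party code that manages the certificate for `var.pubpub_hostname`. Pin it to an exact release, `version = "<exact 4.x release>"`, and bump it deliberately with the lock-file changes. The wildcard SAN `"*.${var.pubpub_hostname}"` also deserves a one-line comment naming which hosts rely on it, since a wildcard certificate is broader than the single `aws_route53_record.alb` this file creates and a reader cannot otherwise tell whether it is needed.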
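Review bot: In the `modules/v7-cluster/main.tf` hunk, `ssl_policy = "ELBSecurityPolicy-2016-08"` still negotiates TLS 1.0 and 1.1, so moving the listener to HTTPS does not by itself give clients modern TLS; prefer `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"`, which limits the listener to TLS 1.2 and 1.3. The port-80 listener is removed rather than replaced, so plain `http://` requests to the ALB are now refused instead of redirected; if that is intended, a comment should say so, otherwise a second `aws_lb_listener` on port 80 with a `redirect` default action to `HTTPS`/`443` is the usual pairing, and the ALB security group (outside this hunk) must allow 443 for the new listener to be reachable. `resource "aws_lb_listener" "main"` continues past the end of the hunk.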
diff --git a/infrastructure/terraform/aws/modules/v7-cluster/outputs.tf b/infrastructure/terraform/modules/v7-cluster/outputs.tf
similarity index 100%
rename from infrastructure/terraform/aws/modules/v7-cluster/outputs.tf
rename to infrastructure/terraform/modules/v7-cluster/outputs.tf
diff --git a/infrastructure/terraform/aws/modules/v7-cluster/variables.tf b/infrastructure/terraform/modules/v7-cluster/variables.tf
similarity index 85%
rename from infrastructure/terraform/aws/modules/v7-cluster/variables.tf
rename to infrastructure/terraform/modules/v7-cluster/variables.tf
index 4045e3b8a..b245d9d33 100644
--- a/infrastructure/terraform/aws/modules/v7-cluster/variables.tf
+++ b/infrastructure/terraform/modules/v7-cluster/variables.tf
@@ -58,3 +58,13 @@ variable "container_ingress_port" {
 description = "port to allow traffic in private security group"
 type = number
 }
+
+variable "pubpub_hostname" {
+ description = "domain name where this will be served by ALB"
+ type = string
+}
+
+variable "route53_zone_id" {
+ description = "Zone ID of route53 zone that is already configured as the NS for your subdomain"
+ type = string
+}