From 1b739148883f2fed4ee35bf06324ce1f8dd480d6 Mon Sep 17 00:00:00 2001
From: Lucas Li <35748253+yzlucas@users.noreply.github.com>
Date: Tue, 1 Oct 2024 11:30:26 -0700
Subject: [PATCH 01/12] Terraform 3 (#108)
* removing default application_environment
* remove options in job
* adding id-token write to build full environment
---
 .github/workflows/build-full-environment.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/build-full-environment.yml b/.github/workflows/build-full-environment.yml
index f064c8429..2c2be5a95 100644
--- a/.github/workflows/build-full-environment.yml
+++ b/.github/workflows/build-full-environment.yml
@@ -5,6 +5,7 @@ env:
 permissions:
 contents: read
 packages: write
+ id-token: write
 on:
 pull_request_target:
From 6a32bdcff9d06ae1eab05a3f36e69509db506ac3 Mon Sep 17 00:00:00 2001
From: Lucas Li <35748253+yzlucas@users.noreply.github.com>
Date: Tue, 1 Oct 2024 11:42:10 -0700
Subject: [PATCH 02/12] remove client port (#110)
---
 terraform/terragrunt.hcl | 1 -
 1 file changed, 1 deletion(-)
diff --git a/terraform/terragrunt.hcl b/terraform/terragrunt.hcl
index c142848be..2415e0be7 100644
--- a/terraform/terragrunt.hcl
+++ b/terraform/terragrunt.hcl
@@ -40,7 +40,6 @@ TARGET_AWS_ACCOUNT_ID = "${get_env("TARGET_AWS_ACCOUNT_ID")}"
 # client
 WEBADE_OAUTH2_WFPREV_UI_CLIENT_SECRET = "${get_env("WEBADE_OAUTH2_WFPREV_UI_CLIENT_SECRET")}"
 CLIENT_IMAGE = "${get_env("CLIENT_IMAGE")}"
-WFPREV_CLIENT_PORT = "${get_env("WFPREV_CLIENT_PORT")}"
 EOF
 }
From b781ba1fcc0b6a24b0590d6b9bb3f10fce021432 Mon Sep 17 00:00:00 2001
From: vivid-cpreston <97257824+vivid-cpreston@users.noreply.github.com>
Date: Tue, 1 Oct 2024 11:45:54 -0700
Subject: [PATCH 03/12] Add option for manual deploy
---
 .github/workflows/terragrunt-deploy.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/.github/workflows/terragrunt-deploy.yml b/.github/workflows/terragrunt-deploy.yml
index 18d9ca13c..b571d4374 100644
--- a/.github/workflows/terragrunt-deploy.yml
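Review bot: Granting `id-token: write` at workflow scope in a workflow that fires on `pull_request_target` means a job running with base-repository privileges can mint a GitHub OIDC token, and that token is exactly what a cloud role trust policy accepts. Whether code from a fork can reach the step that requests it depends on the checkout and job layout, which is outside this hunk, but the combination is the well-known pwn-request shape and deserves an explicit check. If only the deploy job needs the token, move the grant to that job's own `permissions:` block rather than the workflow-level one, and confirm the AWS role's trust policy conditions on a specific `sub` (repository plus branch or environment) instead of a repository wildcard. A one-line comment above the grant, such as `# id-token: write is required for OIDC federation to AWS; keep trust policy scoped to main`, would record the intent.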
+++ b/.github/workflows/terragrunt-deploy.yml
@@ -13,6 +13,19 @@ on:
 IMAGE_TAG:
 required: true
 type: string
+ workflow_dispatch:
+ inputs:
+ DEFAULT_APPLICATION_ENVIRONMENT:
+ required: true
+ type: choice
+ options:
+ - dev
+ - test
+ - prod
+ IMAGE_TAG:
+ required: true
+ type: string
+ default: main
 # SCHEMA_NAME:
 # required: true
 # type: string
From e391ebc0182737271966651a841a98358dcddcef Mon Sep 17 00:00:00 2001
From: Lucas Li <35748253+yzlucas@users.noreply.github.com>
Date: Tue, 1 Oct 2024 11:49:00 -0700
Subject: [PATCH 04/12] Terraform 4 (#111)
* remove client port
* remove duplicate vars
---
 terraform/variables.tf | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/terraform/variables.tf b/terraform/variables.tf
index dda3609fe..9f594db26 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -5,11 +5,6 @@ variable "common_tags" {
 }
 }
-variable "TARGET_ENV" {
- description = "AWS workload account env (e.g. dev, test, prod, sandbox, unclass)"
- type = string
-}
 variable "WFPREV_CLIENT_CPU_UNITS" {
 description = "client instance CPU units to provision (1 vCPU = 1024 CPU units)"
 type = number
From f5486e9ac5b778f289515ed4fc1cfeb66b14016d Mon Sep 17 00:00:00 2001
From: Lucas Li <35748253+yzlucas@users.noreply.github.com>
Date: Tue, 1 Oct 2024 12:05:11 -0700
Subject: [PATCH 05/12] Terraform 5 (#112)
* adding default values to variables.tf
* adding default values to variables.tf
---
 terraform/variables.tf | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 9f594db26..1c0778d44 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -91,11 +91,13 @@ variable "WFPREV_USERNAME" {
 variable "db_pass" {
 description = "db password, passed in as env variable at runtime"
 type = string
+ default = ""
 }
 variable "api_key" {
 description = "value for api key"
 type = string
+ default = ""
 }
 variable "server_name" {
From d2c1eff360f133227a9adbc9862381db011837bf Mon Sep 17 00:00:00 2001
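Review bot: The new `workflow_dispatch` trigger allows a manual deploy straight to `prod` with a free-form `IMAGE_TAG` whose default is the mutable `main` tag, so a production push is neither pinned to an immutable artifact nor gated by anything visible here. Drop the default so the operator must name an explicit tag or digest, and bind the deploy job to a GitHub environment derived from the input (`environment: ${{ inputs.DEFAULT_APPLICATION_ENVIRONMENT }}`) so required reviewers apply to `prod`. If `IMAGE_TAG` is interpolated into a `run:` script later in this workflow, pass it via `env:` rather than `${{ }}` inline to avoid shell injection; the jobs section is outside this hunk.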
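Review bot: Adding `default = ""` to `db_pass` and `api_key` turns a missing secret from a plan-time error into an empty credential that silently reaches the ECS task definition and the RDS resource. If the defaults exist only so `terraform validate` passes without inputs, keep the variables required instead and mark both `sensitive = true` so plan output redacts them; a `validation` block with `condition = length(var.db_pass) > 0` preserves fail-fast behaviour if a default is truly needed. The variable description should also say where the value is expected to come from, e.g. `# supplied via TF_VAR_db_pass / terragrunt inputs from a CI secret; never committed`.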
From: Lucas Li <35748253+yzlucas@users.noreply.github.com>
Date: Tue, 1 Oct 2024 12:25:24 -0700
Subject: [PATCH 06/12] Terraform 5 (#113)
* adding default values to variables.tf
* adding default values to variables.tf
* capitalized the wording
---
 terraform/ecs.tf | 6 +++---
 terraform/variables.tf | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/terraform/ecs.tf b/terraform/ecs.tf
index b8c2d7f7f..04fe0d41a 100644
--- a/terraform/ecs.tf
+++ b/terraform/ecs.tf
@@ -61,7 +61,7 @@ resource "aws_ecs_task_definition" "wfprev_server" {
 environment = [
 {
 name = "LOGGING_LEVEL"
- value = var.logging_level
+ value = var.LOGGING_LEVEL
 },
 {
 name = "AWS_REGION"
@@ -157,7 +157,7 @@ resource "aws_ecs_task_definition" "wfprev_client" {
 environment = [
 {
 name = "LOGGING_LEVEL"
- value = "${var.logging_level}"
+ value = "${var.LOGGING_LEVEL}"
 },
 {
 name = "AWS_REGION",
@@ -267,7 +267,7 @@ resource "aws_ecs_service" "client" {
 name = "wfprev-client-service-${var.TARGET_ENV}"
 cluster = aws_ecs_cluster.wfprev_main.id
 task_definition = aws_ecs_task_definition.wfprev_client.arn
- desired_count = var.app_count
+ desired_count = var.APP_COUNT
 enable_ecs_managed_tags = true
 propagate_tags = "TASK_DEFINITION"
 health_check_grace_period_seconds = 60
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 1c0778d44..8ce6967de 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -58,7 +58,7 @@ variable "server_port" {
 default = 443
 }
-variable "logging_level" {
+variable "LOGGING_LEVEL" {
 type = string
 description = "Logging level for components"
 }
@@ -157,7 +157,7 @@ variable "gov_client_url" {
 type = string
 }
-variable "app_count" {
+variable "APP_COUNT" {
 description = "Number of docker containers to run"
 default = 2
 }
From 6c4305044f2460b6ea79bca37fcb5cf3d850edba Mon Sep 17 00:00:00 2001
From: Lucas Li <35748253+yzlucas@users.noreply.github.com>
Date: Tue, 1 Oct 2024 12:33:07 -0700
Subject: [PATCH 07/12] Terraform 5 (#114)
* adding default values to variables.tf
* adding default values to variables.tf
* capitalized the wording
* targer aws account id being added in vartf
---
 terraform/variables.tf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 8ce6967de..00e86c217 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -171,4 +171,9 @@ variable "gov_api_url" {
 description = "domain name if using *-api.nrs.gov.bc.ca url"
 default = ""
 type = string
+}
+
+variable "TARGET_AWS_ACCOUNT_ID" {
+ type = string
+ description = "Numerical AWS account ID"
 }
\ No newline at end of file
From 03e05aa1a11c187f7f62e397ebc649c487fddd96 Mon Sep 17 00:00:00 2001
From: Lucas Li <35748253+yzlucas@users.noreply.github.com>
Date: Tue, 1 Oct 2024 13:36:28 -0700
Subject: [PATCH 08/12] Terraform 5 (#116)
* adding default values to variables.tf
* adding default values to variables.tf
* capitalized the wording
* targer aws account id being added in vartf
* adding rds.tf
* changes after code review
* changes after code review
---
 .github/workflows/terragrunt-deploy.yml | 5 ++
 terraform/ecs.tf | 2 +-
 terraform/rds.tf | 98 +++++++++++++++++++++++++
 terraform/security.tf | 8 ++
 terraform/terragrunt.hcl | 4 +
 terraform/variables.tf | 28 ++++++-
 6 files changed, 142 insertions(+), 3 deletions(-)
 create mode 100644 terraform/rds.tf
diff --git a/.github/workflows/terragrunt-deploy.yml b/.github/workflows/terragrunt-deploy.yml
index b571d4374..477cdaa58 100644
--- a/.github/workflows/terragrunt-deploy.yml
+++ b/.github/workflows/terragrunt-deploy.yml
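Review bot: `TARGET_AWS_ACCOUNT_ID` is interpolated straight into the provider `assume_role` ARN elsewhere in this series, so a mistyped or stale environment value points the whole apply at a different account with no early error. Add a validation block to the new variable with `condition = can(regex("^[0-9]{12}$", var.TARGET_AWS_ACCOUNT_ID))` and an error message naming the variable, so a bad value fails at plan time. The file still ends without a trailing newline (the `\ No newline at end of file` marker moved onto the closing brace); worth fixing while touching it.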
@@ -132,4 +132,9 @@ jobs:
 WFPREV_CLIENT_MEMORY: ${{vars.WFPREV_CLIENT_MEMORY}}
 WFPREV_CLIENT_CPU_UNITS : ${{vars.WFPREV_CLIENT_CPU_UNITS}}
+ # DB
+ WFPREV_USERNAME: ${{secrets.WFPREV_USERNAME}}
+ DB_PASS: ${{secrets.DB_PASS}}
+ DB_INSTANCE_TYPE: ${{vars.DB_INSTANCE_TYPE}}
+
 run: terragrunt apply --terragrunt-non-interactive -auto-approve
diff --git a/terraform/ecs.tf b/terraform/ecs.tf
index 04fe0d41a..4dd3c0876 100644
--- a/terraform/ecs.tf
+++ b/terraform/ecs.tf
@@ -85,7 +85,7 @@ resource "aws_ecs_task_definition" "wfprev_server" {
 },
 {
 name = "DB_PASS"
- value = var.db_pass
+ value = var.DB_PASS
 },
 {
 name = "API_KEY"
diff --git a/terraform/rds.tf b/terraform/rds.tf
new file mode 100644
index 000000000..424add9c8
--- /dev/null
+++ b/terraform/rds.tf
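Review bot: `DB_PASS` and `WFPREV_USERNAME` are exported as plain environment variables to a step whose only command is `terragrunt apply --terragrunt-non-interactive -auto-approve`, so any change to the DB variables is applied with no reviewed plan, and the password sits in the environment of every process that step spawns. Split this into `terragrunt plan -out=tfplan` on pull requests and `terragrunt apply tfplan` on the deploy path, and consider letting RDS own the credential (`manage_master_user_password` on the instance) instead of threading a workflow secret through Terraform. The `env:` mapping this hunk extends starts above the hunk, so the other values feeding the apply are not visible here.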
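Review bot: `DB_PASS` is still delivered to the server container through the `environment` list, which stores the password in plaintext in the registered task definition (readable by any principal with `ecs:DescribeTaskDefinition`, shown in the console, and persisted in Terraform state). Move it to the task definition's `secrets` list, e.g. `secrets = [{ name = "DB_PASS", valueFrom = "<secrets-manager-or-ssm-arn>" }]`, and grant the execution role read access to that single ARN; the `API_KEY` entry just below has the same problem. The container definition this hunk sits in starts outside the hunk.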
@@ -0,0 +1,98 @@
+resource "aws_db_subnet_group" "wfprev_db_subnet_group" {
+ name = "wfprev_${var.TARGET_ENV}_db_subnet_group"
+ subnet_ids = module.network.aws_subnet_ids.app.ids
+ # tags = local.common_tags
+}
+
+/*TODO: adapt to be accessible externally*/
+resource "aws_db_instance" "wfprev_pgsqlDB" {
+ identifier = "wfprev${var.TARGET_ENV}"
+ engine = "postgres"
+ engine_version = var.DB_POSTGRES_VERSION
+ auto_minor_version_upgrade = false
+ allow_major_version_upgrade = true
+ db_name = "wfprev${var.TARGET_ENV}"
+ instance_class = var.DB_INSTANCE_TYPE
+ multi_az = var.DB_MULTI_AZ
+ backup_retention_period = 7
+ allocated_storage = var.DB_SIZE
+ username = var.WFPREV_USERNAME
+ password = var.DB_PASS
+ publicly_accessible = false
+ skip_final_snapshot = true
+ storage_encrypted = true
+ vpc_security_group_ids = [data.aws_security_group.data.id]
+ # tags = local.common_tags
+ enabled_cloudwatch_logs_exports = ["postgresql"]
+ lifecycle {
+ prevent_destroy = true
+ }
+}
+
+/*
+resource "aws_db_instance" "wfone_pgsqlDB" {
+ identifier = "wfone${var.target_env}"
+ engine = "postgres"
+ engine_version = "13.4"
+ auto_minor_version_upgrade = false
+ db_name = "wfone${var.target_env}"
+ instance_class = var.db_instance_type
+ multi_az = var.db_multi_az
+ backup_retention_period = 7
+ allocated_storage = var.db_size
+ username = var.WFONE_USERNAME
+ password = var.WFONE_DB_PASS
+ publicly_accessible = false
+ skip_final_snapshot = true
+ storage_encrypted = true
+ vpc_security_group_ids = [data.aws_security_group.app.id, aws_security_group.wfone_ecs_tasks.id]
+ tags = local.common_tags
+ db_subnet_group_name = aws_db_subnet_group.wfone_db_subnet_group.name
+ enabled_cloudwatch_logs_exports = ["postgresql"]
+ parameter_group_name = "wfone-manual"
+}
+*/
+/*
+resource "aws_db_parameter_group" "wfnews_params" {
+ name = "wfnews-${var.target_env}"
+ family = "postgres13"
+
+ parameter {
+ name = "max_connections"
+ value = "LEAST({DBInstanceClassMemory/2382848},5000)"
+ }
+}
+*/
+/*
+resource "aws_db_proxy" "wfnews_db_proxy" {
+ name = "wfnews-db-proxy-${var.target_env}"
+ debug_logging = false
+ engine_family = "POSTGRESQL"
+ idle_client_timeout = 1800
+ require_tls = true
+ role_arn = data.aws_iam_role.wfnews_automation_role.arn
+ vpc_security_group_ids = [data.aws_security_group.web.id, aws_security_group.wfnews_ecs_tasks.id]
+ vpc_subnet_ids = module.network.aws_subnet_ids.app.ids
+
+ auth {
+ iam_auth = "DISABLED"
+ secret_arn = aws_secretsmanager_secret.wfnews_db_pw_secret.arn
+ username = aws_db_instance.wfnews_pgsqlDB.username
+ }
+
+ tags = local.common_tags
+ depends_on = [
+ aws_secretsmanager_secret.wfnews_db_pw_secret
+ ]
+}
+
+resource "aws_db_proxy_default_target_group" "wfnews_db_target_group" {
+ db_proxy_name = aws_db_proxy.wfnews_db_proxy.name
+}
+
+resource "aws_db_proxy_target" "wfnews_db_proxy_target" {
+ db_instance_identifier = aws_db_instance.wfnews_pgsqlDB.id
+ db_proxy_name = aws_db_proxy.wfnews_db_proxy.name
+ target_group_name = aws_db_proxy_default_target_group.wfnews_db_target_group.name
+}
+*/
diff --git a/terraform/security.tf b/terraform/security.tf
index 446649af2..9e6869481 100644
--- a/terraform/security.tf
+++ b/terraform/security.tf
@@ -1,3 +1,11 @@ data "aws_security_group" "web" {
 name = "Web_sg"
+}
+
+data "aws_security_group" "app" {
+ name = "App_sg"
+}
+
+data "aws_security_group" "data" {
+ name = "Data_sg"
 }
\ No newline at end of file
diff --git a/terraform/terragrunt.hcl b/terraform/terragrunt.hcl
index 2415e0be7..7fede8956 100644
--- a/terraform/terragrunt.hcl
+++ b/terraform/terragrunt.hcl
@@ -41,6 +41,10 @@ TARGET_AWS_ACCOUNT_ID = "${get_env("TARGET_AWS_ACCOUNT_ID")}"
 WEBADE_OAUTH2_WFPREV_UI_CLIENT_SECRET = "${get_env("WEBADE_OAUTH2_WFPREV_UI_CLIENT_SECRET")}"
 CLIENT_IMAGE = "${get_env("CLIENT_IMAGE")}"
+# db
+WFPREV_USERNAME = "${get_env("WFPREV_USERNAME")}"
+DB_PASS = "${get_env("DB_PASS")}"
+DB_INSTANCE_TYPE = "${get_env("DB_INSTANCE_TYPE")}"
 EOF
 }
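Review bot: In `aws_db_instance.wfprev_pgsqlDB`, `skip_final_snapshot = true` combined with `lifecycle { prevent_destroy = true }` is self-defeating: `prevent_destroy` fails every plan that would replace the instance (including attribute changes that force replacement), and the moment someone removes the lifecycle block to get past that, the database is deleted with no snapshot at all. Prefer `deletion_protection = true` together with `skip_final_snapshot = false` and a `final_snapshot_identifier`, and drop `prevent_destroy`. `password = var.DB_PASS` also lands in plaintext in the Terraform state; `manage_master_user_password = true` lets RDS generate and rotate the secret in Secrets Manager instead. `allow_major_version_upgrade = true` next to a pinned `engine_version` invites an accidental in-place major upgrade on the next version bump, so enable it only for the change that needs it. The large commented-out wfone/wfnews blocks should be deleted rather than carried in a new file; git history keeps them.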
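Review bot: `DB_PASS = "${get_env("DB_PASS")}"` writes the database password into the heredoc this block renders, so if the enclosing block (its opening is above the hunk) is a `generate {}` the secret ends up in a file in the runner workspace and in anything that later archives or prints that directory. If Terraform only needs it as a variable, export `TF_VAR_DB_PASS` in the workflow and leave it out of the generated content; otherwise make sure that file is excluded from artifact uploads and say so in a comment. The single-argument `get_env` calls fail the run when the variable is unset, which is the correct behaviour for credentials and worth recording: `# no default on purpose: a missing DB secret must abort the deploy`.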
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 00e86c217..513286f9a 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -88,7 +88,7 @@ variable "WFPREV_USERNAME" {
 default = ""
 }
-variable "db_pass" {
+variable "DB_PASS" {
 description = "db password, passed in as env variable at runtime"
 type = string
 default = ""
@@ -176,4 +176,28 @@ variable "gov_api_url" {
 variable "TARGET_AWS_ACCOUNT_ID" {
 type = string
 description = "Numerical AWS account ID"
-}
\ No newline at end of file
+}
+
+variable "DB_POSTGRES_VERSION" {
+ description = "Which version of Postgres to use"
+ default = "15.4"
+ type = string
+}
+
+variable "DB_INSTANCE_TYPE" {
+ description = "Instance type to use for database vm"
+ type = string
+ default = ""
+}
+
+variable "DB_MULTI_AZ" {
+ description = "Whether to make db deployment a multi-AZ deployment"
+ default = false
+ type = bool
+}
+
+variable "DB_SIZE" {
+ description = "size of db, in GB"
+ type = number
+ default = 10
+}
From 8912146aef1e21796d48a37a233d725c5ec41f2f Mon Sep 17 00:00:00 2001
From: Lucas Li <35748253+yzlucas@users.noreply.github.com>
Date: Tue, 1 Oct 2024 13:43:30 -0700
Subject: [PATCH 09/12] Terraform 5 (#117)
* adding default values to variables.tf
* adding default values to variables.tf
* capitalized the wording
* targer aws account id being added in vartf
* adding rds.tf
* changes after code review
* changes after code review
* changes after code review
---
 terraform/ecs.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/ecs.tf b/terraform/ecs.tf
index 4dd3c0876..46fc8eca7 100644
--- a/terraform/ecs.tf
+++ b/terraform/ecs.tf
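Review bot: The renamed `DB_PASS` keeps `default = ""` and still lacks `sensitive = true`, so the RDS master password is printed in plan output and a missing secret is only caught when RDS rejects the empty value at apply time. Add `sensitive = true` and replace the default with a validation such as `condition = length(var.DB_PASS) >= 8` (RDS requires at least 8 characters for a master password). `DB_INSTANCE_TYPE` has the same shape of problem: `default = ""` can never produce a valid instance class, so either remove the default or set a real one like `db.t3.micro` and document that it is a non-production size.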
@@ -166,7 +166,7 @@ resource "aws_ecs_task_definition" "wfprev_client" {
 {
 #Base URL will use the
 name = "BASE_URL",
- value = var.TARGET_ENV == "prod" ? "https://${var.gov_client_url}/" : "https://${aws_route53_record.wfprev_client.name}/"
+ value = var.TARGET_ENV == "prod" ? "https://${var.gov_client_url}/" : "${aws_apigatewayv2_stage.wfprev_stage.invoke_url}/wfprev-ui"
 },
 {
 name = "WEBADE_OAUTH2_WFPREV_REST_CLIENT_SECRET",
@@ -245,7 +245,7 @@ resource "aws_ecs_service" "wfprev_server" {
 }
 network_configuration {
- security_groups = [aws_security_group.wfprev_ecs_tasks.id, data.aws_security_group.app.id]
+ security_groups = [data.aws_security_group.app.id]
 subnets = module.network.aws_subnet_ids.app.ids
 assign_public_ip = true
 }
From 4679356b34d5d37d230001dcb9bb8ff9e7064b05 Mon Sep 17 00:00:00 2001
From: Lucas Li <35748253+yzlucas@users.noreply.github.com>
Date: Tue, 1 Oct 2024 13:46:40 -0700
Subject: [PATCH 10/12] changes (#118)
---
 terraform/ecs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/ecs.tf b/terraform/ecs.tf
index 46fc8eca7..6c64f7395 100644
--- a/terraform/ecs.tf
+++ b/terraform/ecs.tf
@@ -286,7 +286,7 @@ resource "aws_ecs_service" "client" {
 network_configuration {
- security_groups = [aws_security_group.wfprev_ecs_tasks.id, data.aws_security_group.app.id]
+ security_groups = [data.aws_security_group.app.id]
 subnets = module.network.aws_subnet_ids.app.ids
 assign_public_ip = true
 }
From ae48bb7ac2919f160517f21dcba1c5ef4e27c0ae Mon Sep 17 00:00:00 2001
From: vivid-cpreston <97257824+vivid-cpreston@users.noreply.github.com>
Date: Tue, 1 Oct 2024 13:50:19 -0700
Subject: [PATCH 11/12] Fix role name
---
 terraform/terragrunt.hcl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/terragrunt.hcl b/terraform/terragrunt.hcl
index 7fede8956..0dee249f3 100644
--- a/terraform/terragrunt.hcl
+++ b/terraform/terragrunt.hcl
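Review bot: Dropping `aws_security_group.wfprev_ecs_tasks` leaves `aws_ecs_service.wfprev_server` governed only by the pre-existing, externally managed `App_sg`, while `assign_public_ip = true` remains, so the server's network exposure is now whatever that shared group allows and cannot be reviewed from this repository. If the public address exists only for image pulls and AWS API calls, set `assign_public_ip = false` and use NAT or ECR/CloudWatch VPC endpoints; if the task must be reachable, keep a task-specific group whose ingress is limited to the API Gateway or load balancer path. Add a comment on `security_groups` naming which group governs ingress and why the public IP is needed. The service block continues outside the hunk.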
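Review bot: `aws_ecs_service.client` now also relies solely on the shared `App_sg` with `assign_public_ip = true`, and since the previous commit points `BASE_URL` at an API Gateway stage, a direct public path to the UI container is presumably unintended. Either turn the public IP off and reach ECR/CloudWatch through NAT or VPC endpoints, or record in a comment next to `assign_public_ip` why the client must hold a public address. `App_sg` is only a data lookup here, so a reviewer cannot confirm what ingress it permits; that is worth stating in the same comment.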
@@ -55,8 +55,8 @@ generate "provider" {
 provider "aws" {
 region = "ca-central-1"
 assume_role {
- role_arn = "arn:aws:iam::$${var.TARGET_AWS_ACCOUNT_ID}:role/Terraform_Deploy_Role"
+ role_arn = "arn:aws:iam::$${var.TARGET_AWS_ACCOUNT_ID}:role/Terraform-deploy"
 }
 }
 EOF
-}
\ No newline at end of file
+}
From a7b91751b7eefef6da68601e1f9bab9715bb695d Mon Sep 17 00:00:00 2001
From: Lucas Li <35748253+yzlucas@users.noreply.github.com>
Date: Tue, 1 Oct 2024 14:01:08 -0700
Subject: [PATCH 12/12] Terraform 6 (#119)
* changes
* addding wfprev_db_subnet
---
 terraform/ecs.tf | 4 ++--
 terraform/rds.tf | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/terraform/ecs.tf b/terraform/ecs.tf
index 6c64f7395..38ef55a4e 100644
--- a/terraform/ecs.tf
+++ b/terraform/ecs.tf
@@ -126,8 +126,8 @@ resource "aws_ecs_task_definition" "wfprev_server" {
 resource "aws_ecs_task_definition" "wfprev_client" {
 family = "wfprev-client-task-${var.TARGET_ENV}"
- # execution_role_arn = aws_iam_role.wfprev_ecs_task_execution_role.arn
- # task_role_arn = aws_iam_role.wfprev_app_container_role.arn
+ execution_role_arn = aws_iam_role.wfprev_ecs_task_execution_role.arn
+ task_role_arn = aws_iam_role.wfprev_app_container_role.arn
 network_mode = "awsvpc"
 requires_compatibilities = ["FARGATE"]
 cpu = var.WFPREV_CLIENT_CPU_UNITS
diff --git a/terraform/rds.tf b/terraform/rds.tf
index 424add9c8..9c1e0b58e 100644
--- a/terraform/rds.tf
+++ b/terraform/rds.tf
@@ -18,6 +18,7 @@ resource "aws_db_instance" "wfprev_pgsqlDB" {
 allocated_storage = var.DB_SIZE
 username = var.WFPREV_USERNAME
 password = var.DB_PASS
+ db_subnet_group_name = aws_db_subnet_group.wfprev_db_subnet.name
 publicly_accessible = false
 skip_final_snapshot = true
 storage_encrypted = true
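Review bot: Enabling `task_role_arn = aws_iam_role.wfprev_app_container_role.arn` on the client task hands the UI container a runtime AWS identity whose name suggests it is the application-wide role; if the server task uses the same role (its definition begins above this hunk), the front end inherits every permission the API needs. A static client normally needs no AWS API access, so either omit `task_role_arn` for the client or give it a dedicated, empty-by-default role, and add a comment stating what the client actually calls if it does need one. The role's policy is defined outside this hunk, so treat this as a least-privilege check rather than a confirmed over-grant.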
@@ -29,6 +30,11 @@ resource "aws_db_instance" "wfprev_pgsqlDB" {
 }
 }
+resource "aws_db_subnet_group" "wfprev_db_subnet" {
+ name = "main"
+ subnet_ids = module.network.aws_subnet_ids.data.ids
+}
+
 /*
 resource "aws_db_instance" "wfone_pgsqlDB" {
 identifier = "wfone${var.target_env}"
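Review bot: The new `aws_db_subnet_group.wfprev_db_subnet` is named the literal `"main"`, unlike every other resource in this file, which embeds `${var.TARGET_ENV}`; DB subnet group names are unique per account and region, so a second environment deployed into the same account will fail on creation with a name conflict. Use `name = "wfprev-${var.TARGET_ENV}-db-subnet"`. This also leaves the earlier `wfprev_db_subnet_group` (app subnets) defined but unreferenced, so the file now declares two subnet groups with different subnet tiers; delete the unused one and add a comment on the survivor saying the database deliberately lives in the data subnets.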