Merge branch 'bcgov:main' into feature/WFPREV-34_3

bcgov · Oct 1, 2024 · e84e772 · e84e772
2 parents 4eaef29 + a7b9175
commit e84e772
Show file tree

Hide file tree

Showing 6 changed files with 180 additions and 21 deletions.
diff --git a/.github/workflows/terragrunt-deploy.yml b/.github/workflows/terragrunt-deploy.yml
@@ -13,6 +13,19 @@ on:
       IMAGE_TAG:
         required: true
         type: string
+  workflow_dispatch:
+    inputs:
+      DEFAULT_APPLICATION_ENVIRONMENT:
+        required: true
+        type: choice
+        options:
+        - dev
+        - test
+        - prod
+      IMAGE_TAG:
+        required: true
+        type: string
+        default: main
       # SCHEMA_NAME:
       #   required: true
       #   type: string
@@ -119,4 +132,9 @@ jobs:
           WFPREV_CLIENT_MEMORY: ${{vars.WFPREV_CLIENT_MEMORY}}
           WFPREV_CLIENT_CPU_UNITS : ${{vars.WFPREV_CLIENT_CPU_UNITS}}
 
+          # DB
+          WFPREV_USERNAME: ${{secrets.WFPREV_USERNAME}}
+          DB_PASS: ${{secrets.DB_PASS}}
+          DB_INSTANCE_TYPE: ${{vars.DB_INSTANCE_TYPE}}
+
         run: terragrunt apply --terragrunt-non-interactive -auto-approve
diff --git a/terraform/ecs.tf b/terraform/ecs.tf
@@ -61,7 +61,7 @@ resource "aws_ecs_task_definition" "wfprev_server" {
     environment = [
       {
         name  = "LOGGING_LEVEL"
-        value = var.logging_level
+        value = var.LOGGING_LEVEL
       },
       {
         name  = "AWS_REGION"
@@ -85,7 +85,7 @@ resource "aws_ecs_task_definition" "wfprev_server" {
       },
       {
         name  = "DB_PASS"
-        value = var.db_pass
+        value = var.DB_PASS
       },
       {
         name  = "API_KEY"
@@ -126,8 +126,8 @@ resource "aws_ecs_task_definition" "wfprev_server" {
 
 resource "aws_ecs_task_definition" "wfprev_client" {
   family                   = "wfprev-client-task-${var.TARGET_ENV}"
-  # execution_role_arn       = aws_iam_role.wfprev_ecs_task_execution_role.arn
-  # task_role_arn            = aws_iam_role.wfprev_app_container_role.arn
+  execution_role_arn       = aws_iam_role.wfprev_ecs_task_execution_role.arn
+  task_role_arn            = aws_iam_role.wfprev_app_container_role.arn
   network_mode             = "awsvpc"
   requires_compatibilities = ["FARGATE"]
   cpu                      = var.WFPREV_CLIENT_CPU_UNITS
@@ -157,7 +157,7 @@ resource "aws_ecs_task_definition" "wfprev_client" {
       environment = [
         {
           name  = "LOGGING_LEVEL"
-          value = "${var.logging_level}"
+          value = "${var.LOGGING_LEVEL}"
         },
         {
           name  = "AWS_REGION",
@@ -166,7 +166,7 @@ resource "aws_ecs_task_definition" "wfprev_client" {
         {
           #Base URL will use the 
           name  = "BASE_URL",
-          value = var.TARGET_ENV == "prod" ? "https://${var.gov_client_url}/" : "https://${aws_route53_record.wfprev_client.name}/"
+          value = var.TARGET_ENV == "prod" ? "https://${var.gov_client_url}/" : "${aws_apigatewayv2_stage.wfprev_stage.invoke_url}/wfprev-ui"
         },
         {
           name  = "WEBADE_OAUTH2_WFPREV_REST_CLIENT_SECRET",
@@ -245,7 +245,7 @@ resource "aws_ecs_service" "wfprev_server" {
   }
 
   network_configuration {
-    security_groups  = [aws_security_group.wfprev_ecs_tasks.id, data.aws_security_group.app.id]
+    security_groups  = [data.aws_security_group.app.id]
     subnets          = module.network.aws_subnet_ids.app.ids
     assign_public_ip = true
   }
@@ -267,7 +267,7 @@ resource "aws_ecs_service" "client" {
   name                              = "wfprev-client-service-${var.TARGET_ENV}"
   cluster                           = aws_ecs_cluster.wfprev_main.id
   task_definition                   = aws_ecs_task_definition.wfprev_client.arn
-  desired_count                     = var.app_count
+  desired_count                     = var.APP_COUNT
   enable_ecs_managed_tags           = true
   propagate_tags                    = "TASK_DEFINITION"
   health_check_grace_period_seconds = 60
@@ -286,7 +286,7 @@ resource "aws_ecs_service" "client" {
 
 
   network_configuration {
-    security_groups  = [aws_security_group.wfprev_ecs_tasks.id, data.aws_security_group.app.id]
+    security_groups  = [data.aws_security_group.app.id]
     subnets          = module.network.aws_subnet_ids.app.ids
     assign_public_ip = true
   }

diff --git a/terraform/rds.tf b/terraform/rds.tf
@@ -0,0 +1,104 @@
+resource "aws_db_subnet_group" "wfprev_db_subnet_group" {
+  name       = "wfprev_${var.TARGET_ENV}_db_subnet_group"
+  subnet_ids = module.network.aws_subnet_ids.app.ids
+  # tags       = local.common_tags
+}
+
+/*TODO: adapt to be accessible externally*/
+resource "aws_db_instance" "wfprev_pgsqlDB" {
+  identifier                      = "wfprev${var.TARGET_ENV}"
+  engine                          = "postgres"
+  engine_version                  = var.DB_POSTGRES_VERSION
+  auto_minor_version_upgrade      = false
+  allow_major_version_upgrade     = true
+  db_name                         = "wfprev${var.TARGET_ENV}"
+  instance_class                  = var.DB_INSTANCE_TYPE
+  multi_az                        = var.DB_MULTI_AZ
+  backup_retention_period         = 7
+  allocated_storage               = var.DB_SIZE
+  username                        = var.WFPREV_USERNAME
+  password                        = var.DB_PASS
+  db_subnet_group_name = aws_db_subnet_group.wfprev_db_subnet.name
+  publicly_accessible             = false
+  skip_final_snapshot             = true
+  storage_encrypted               = true
+  vpc_security_group_ids          = [data.aws_security_group.data.id]
+  # tags                            = local.common_tags
+  enabled_cloudwatch_logs_exports = ["postgresql"]
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "aws_db_subnet_group" "wfprev_db_subnet" {
+  name       = "main"
+  subnet_ids = module.network.aws_subnet_ids.data.ids
+}
+
+/*
+resource "aws_db_instance" "wfone_pgsqlDB" {
+  identifier                      = "wfone${var.target_env}"
+  engine                          = "postgres"
+  engine_version                  = "13.4"
+  auto_minor_version_upgrade      = false
+  db_name                         = "wfone${var.target_env}"
+  instance_class                  = var.db_instance_type
+  multi_az                        = var.db_multi_az
+  backup_retention_period         = 7
+  allocated_storage               = var.db_size
+  username                        = var.WFONE_USERNAME
+  password                        = var.WFONE_DB_PASS
+  publicly_accessible             = false
+  skip_final_snapshot             = true
+  storage_encrypted               = true
+  vpc_security_group_ids          = [data.aws_security_group.app.id, aws_security_group.wfone_ecs_tasks.id]
+  tags                            = local.common_tags
+  db_subnet_group_name            = aws_db_subnet_group.wfone_db_subnet_group.name
+  enabled_cloudwatch_logs_exports = ["postgresql"]
+  parameter_group_name            = "wfone-manual"
+}
+*/
+/*
+resource "aws_db_parameter_group" "wfnews_params" {
+  name   = "wfnews-${var.target_env}"
+  family = "postgres13"
+
+  parameter {
+    name  = "max_connections"
+    value = "LEAST({DBInstanceClassMemory/2382848},5000)"
+  }
+}
+*/
+/*
+resource "aws_db_proxy" "wfnews_db_proxy" {
+  name                   = "wfnews-db-proxy-${var.target_env}"
+  debug_logging          = false
+  engine_family          = "POSTGRESQL"
+  idle_client_timeout    = 1800
+  require_tls            = true
+  role_arn               = data.aws_iam_role.wfnews_automation_role.arn
+  vpc_security_group_ids = [data.aws_security_group.web.id, aws_security_group.wfnews_ecs_tasks.id]
+  vpc_subnet_ids         = module.network.aws_subnet_ids.app.ids
+
+  auth {
+    iam_auth    = "DISABLED"
+    secret_arn  = aws_secretsmanager_secret.wfnews_db_pw_secret.arn
+    username = aws_db_instance.wfnews_pgsqlDB.username
+  }
+
+  tags = local.common_tags
+  depends_on = [
+    aws_secretsmanager_secret.wfnews_db_pw_secret
+  ]
+}
+
+resource "aws_db_proxy_default_target_group" "wfnews_db_target_group" {
+  db_proxy_name = aws_db_proxy.wfnews_db_proxy.name
+}
+
+resource "aws_db_proxy_target" "wfnews_db_proxy_target" {
+  db_instance_identifier = aws_db_instance.wfnews_pgsqlDB.id
+  db_proxy_name          = aws_db_proxy.wfnews_db_proxy.name
+  target_group_name      = aws_db_proxy_default_target_group.wfnews_db_target_group.name
+}
+*/
diff --git a/terraform/security.tf b/terraform/security.tf
@@ -1,3 +1,11 @@
 data "aws_security_group" "web" {
   name = "Web_sg"
+}
+
+data "aws_security_group" "app" {
+  name = "App_sg"
+}
+
+data "aws_security_group" "data" {
+  name = "Data_sg"
 }
diff --git a/terraform/terragrunt.hcl b/terraform/terragrunt.hcl
@@ -40,8 +40,11 @@ TARGET_AWS_ACCOUNT_ID = "${get_env("TARGET_AWS_ACCOUNT_ID")}"
 # client
 WEBADE_OAUTH2_WFPREV_UI_CLIENT_SECRET = "${get_env("WEBADE_OAUTH2_WFPREV_UI_CLIENT_SECRET")}"
 CLIENT_IMAGE = "${get_env("CLIENT_IMAGE")}"
-WFPREV_CLIENT_PORT = "${get_env("WFPREV_CLIENT_PORT")}"
 
+# db
+WFPREV_USERNAME = "${get_env("WFPREV_USERNAME")}"
+DB_PASS = "${get_env("DB_PASS")}"
+DB_INSTANCE_TYPE = "${get_env("DB_INSTANCE_TYPE")}"
 EOF
 }
 
@@ -52,8 +55,8 @@ generate "provider" {
 provider "aws" {
   region  = "ca-central-1"
   assume_role {
-    role_arn = "arn:aws:iam::$${var.TARGET_AWS_ACCOUNT_ID}:role/Terraform_Deploy_Role"
+    role_arn = "arn:aws:iam::$${var.TARGET_AWS_ACCOUNT_ID}:role/Terraform-deploy"
   }
 }
 EOF
-}
+}
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -5,11 +5,6 @@ variable "common_tags" {
   }
 }
 
-variable "TARGET_ENV" {
-  description = "AWS workload account env (e.g. dev, test, prod, sandbox, unclass)"
-  type        = string
-}
-
 variable "WFPREV_CLIENT_CPU_UNITS" {
   description = "client instance CPU units to provision (1 vCPU = 1024 CPU units)"
   type        = number
@@ -63,7 +58,7 @@ variable "server_port" {
   default     = 443
 }
 
-variable "logging_level" {
+variable "LOGGING_LEVEL" {
   type        = string
   description = "Logging level for components"
 }
@@ -93,14 +88,16 @@ variable "WFPREV_USERNAME" {
   default = ""
 }
 
-variable "db_pass" {
+variable "DB_PASS" {
   description = "db password, passed in as env variable at runtime"
   type        = string
+  default = ""
 }
 
 variable "api_key" {
   description = "value for api key"
   type        = string
+  default = ""
 }
 
 variable "server_name" {
@@ -160,7 +157,7 @@ variable "gov_client_url" {
   type        = string
 }
 
-variable "app_count" {
+variable "APP_COUNT" {
   description = "Number of docker containers to run"
   default     = 2
 }
@@ -174,4 +171,33 @@ variable "gov_api_url" {
   description = "domain name if using *-api.nrs.gov.bc.ca url"
   default     = ""
   type        = string
-}
+}
+
+variable "TARGET_AWS_ACCOUNT_ID" {
+  type = string
+  description = "Numerical AWS account ID"
+}
+
+variable "DB_POSTGRES_VERSION" {
+  description = "Which version of Postgres to use"
+  default     = "15.4"
+  type        = string
+}
+
+variable "DB_INSTANCE_TYPE" {
+  description = "Instance type to use for database vm"
+  type        = string
+  default = ""
+}
+
+variable "DB_MULTI_AZ" {
+  description = "Whether to make db deployment a multi-AZ deployment"
+  default     = false
+  type        = bool
+}
+
+variable "DB_SIZE" {
+  description = "size of db, in GB"
+  type        = number
+  default     = 10
+}