repo restructuring and webpage infra setup

.github/workflows/deploy.yml → .github/workflows/scheduler.yml

@@ -1,4 +1,4 @@
-name: Deploy
+name: Scheduler
 
 on:
   push:
@@ -24,8 +24,7 @@ jobs:
         uses: aws-actions/amazon-ecr-login@v2
       - name: Build, tag, and push docker image to Amazon ECR
         run: |
-          docker pull  082113759242.dkr.ecr.eu-central-1.amazonaws.com/schafkopf-scheduler-lambda:latest
-          docker build -t 082113759242.dkr.ecr.eu-central-1.amazonaws.com/schafkopf-scheduler-lambda:latest .
+          docker build -f ./schafkopf/scheduler/Dockerfile -t 082113759242.dkr.ecr.eu-central-1.amazonaws.com/schafkopf-scheduler-lambda:latest .
           docker push 082113759242.dkr.ecr.eu-central-1.amazonaws.com/schafkopf-scheduler-lambda:latest
   deploy:
     runs-on: ubuntu-latest

infrastructure/api/apigw.tf

@@ -0,0 +1,95 @@
+resource "aws_api_gateway_rest_api" "api" {
+  name        = "schafkopf-api"
+
+  endpoint_configuration {
+    types = ["REGIONAL"]
+  }
+}
+
+
+resource "aws_api_gateway_domain_name" "api" {
+  domain_name      = local.api_sub_domain
+  regional_certificate_arn = data.aws_acm_certificate.cert.arn
+  endpoint_configuration {
+    types = ["REGIONAL"]
+  }
+}
+
+resource "aws_api_gateway_base_path_mapping" "api" {
+  domain_name = aws_api_gateway_domain_name.api.domain_name
+  stage_name  = aws_api_gateway_stage.api.stage_name
+  api_id      = aws_api_gateway_rest_api.api.id
+}
+
+
+resource "aws_api_gateway_rest_api_policy" "api_policy" {
+  rest_api_id = aws_api_gateway_rest_api.api.id
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Principal = "*",  # Change this to specific principals in production
+        Action   = "execute-api:Invoke",
+        Resource = "${aws_api_gateway_rest_api.api.execution_arn}/*"  # Allows access to all resources and methods
+      }
+    ]
+  })
+}
+
+
+resource "aws_api_gateway_deployment" "api" {
+  rest_api_id       = aws_api_gateway_rest_api.api.id
+  triggers = {
+    # NOTE: The configuration below will satisfy ordering considerations,
+    #       but not pick up all future REST API changes. More advanced patterns
+    #       are possible, such as using the filesha1() function against the
+    #       Terraform configuration file(s) or removing the .id references to
+    #       calculate a hash against whole resources. Be aware that using whole
+    #       resources will show a difference after the initial implementation.
+    #       It will stabilize to only change when resources change afterwards.
+    redeployment = sha1(jsonencode([
+      aws_api_gateway_resource.api.id,
+      aws_api_gateway_method.api.id,
+      aws_api_gateway_integration.api.id,
+      aws_api_gateway_rest_api.api.id
+    ]))
+  }
+
+  depends_on = [
+    aws_api_gateway_integration.api,
+  ]
+}
+
+resource "aws_api_gateway_stage" "api" {
+  deployment_id = aws_api_gateway_deployment.api.id
+  rest_api_id   = aws_api_gateway_rest_api.api.id
+  stage_name    = "v1"
+}
+
+resource "aws_api_gateway_resource" "api" {
+  rest_api_id = aws_api_gateway_rest_api.api.id
+  parent_id   = aws_api_gateway_rest_api.api.root_resource_id
+  path_part   = "{proxy+}"
+}
+
+resource "aws_api_gateway_method" "api" {
+  rest_api_id      = aws_api_gateway_rest_api.api.id
+  resource_id      = aws_api_gateway_resource.api.id
+  http_method      = "ANY"
+  authorization    = "NONE"
+
+  request_parameters = {
+    "method.request.path.proxy" = true
+  }
+}
+
+resource "aws_api_gateway_integration" "api" {
+  rest_api_id             = aws_api_gateway_rest_api.api.id
+  resource_id             = aws_api_gateway_resource.api.id
+  http_method             = aws_api_gateway_method.api.http_method
+  integration_http_method = "POST"
+  type                    = "AWS_PROXY"
+  uri                     = aws_lambda_function.api.invoke_arn
+}

infrastructure/api/data.tf

@@ -0,0 +1,7 @@
+data "aws_route53_zone" "domain" {
+  name = "lukas-bernhard.de"
+}
+
+data "aws_acm_certificate" "cert" {
+  domain = "*.lukas-bernhard.de"
+}

infrastructure/api/ecr.tf

@@ -0,0 +1,31 @@
+resource "aws_ecr_repository" "api" {
+  name = "schafkopf-api-lambda"
+}
+
+resource "aws_ecr_lifecycle_policy" "api" {
+  repository = aws_ecr_repository.api.name
+
+  policy = jsonencode(
+    {
+      "rules" : [
+        {
+          "rulePriority" : 1,
+          "description" : "Keep last 1 untagged images",
+          "selection" : {
+            "tagStatus" : "untagged",
+            "countType" : "imageCountMoreThan",
+            "countNumber" : 1
+          },
+          "action" : {
+            "type" : "expire"
+          }
+        }
+      ]
+  })
+}
+
+
+data "aws_ecr_image" "api" {
+  repository_name = aws_ecr_repository.api.name
+  image_tag       = "latest"
+}

infrastructure/api/lambda.tf

@@ -0,0 +1,67 @@
+resource "aws_lambda_function" "api" {
+  function_name    = "schafkopf_api"
+  package_type     = "Image"
+  image_uri        = "${aws_ecr_repository.api.repository_url}:latest"
+  source_code_hash = replace(data.aws_ecr_image.api.image_digest, "sha256:", "")
+  timeout          = 60
+  memory_size      = 512
+
+  role = aws_iam_role.api.arn
+}
+
+resource "aws_iam_role" "api" {
+  name = "schafkopf_api"
+  assume_role_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Action" : "sts:AssumeRole",
+        "Principal" : {
+          "Service" : [
+            "lambda.amazonaws.com"
+          ]
+        },
+        "Effect" : "Allow",
+      }
+    ]
+  })
+}
+
+
+resource "aws_iam_policy" "api" {
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = "logs:CreateLogGroup"
+        Resource = "*"
+      },
+      {
+        Effect = "Allow"
+        Action = "logs:CreateLogStream"
+        Resource = "*"
+      },
+      {
+        Effect = "Allow"
+        Action = "logs:PutLogEvents"
+        Resource = "*"
+      },
+    ]
+  })
+}
+
+
+resource "aws_iam_role_policy_attachment" "api" {
+  role       = aws_iam_role.api.name
+  policy_arn = aws_iam_policy.api.arn
+}
+
+
+resource "aws_lambda_permission" "wheatley-api" {
+  statement_id  = "AllowExecutionFromAPIGateway"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.api.function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${aws_api_gateway_rest_api.api.execution_arn}/*"
+}

infrastructure/api/local.tf

@@ -0,0 +1,3 @@
+locals {
+  api_sub_domain = "api.schafkopf.lukas-bernhard.de"
+}

infrastructure/api/route53.tf

@@ -0,0 +1,5 @@
+resource "aws_route53_record" "api" {
+  zone_id = data.aws_route53_zone.domain.id
+  name    = aws_api_gateway_domain_name.api.domain_name
+  type    = "A"
+}

infrastructure/main.tf

@@ -23,3 +23,8 @@ provider "aws" {
     }
   }
 }
+
+provider "aws" {
+  alias = "us-east"
+  region = "us-east-1"
+}

infrastructure/modules.tf

@@ -0,0 +1,8 @@
+
+module "web" {
+  source = "./web"
+  providers = {
+    aws        = aws
+    aws.us-east = aws.us-east
+  }
+}

infrastructure/web/acm.tf

@@ -0,0 +1,32 @@
+resource "aws_acm_certificate" "cert-my-aws-project-com" {
+  domain_name       = local.web_sub_domain
+  validation_method = "DNS"
+  provider = aws.us-east
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_acm_certificate_validation" "cert-validation" {
+  provider = aws.us-east
+  certificate_arn         = aws_acm_certificate.cert-my-aws-project-com.arn
+  validation_record_fqdns = [for record in aws_route53_record.cert-validation-record : record.fqdn]
+}
+
+
+resource "aws_route53_record" "cert-validation-record" {
+  for_each = {
+    for dvo in aws_acm_certificate.cert-my-aws-project-com.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = data.aws_route53_zone.domain.zone_id
+}

infrastructure/web/cloudfront.tf

@@ -0,0 +1,61 @@
+resource "aws_cloudfront_origin_access_identity" "s3_identity" {
+  comment = "schafkopf-web"
+}
+
+resource "aws_cloudfront_distribution" "web" {
+  origin {
+    domain_name = aws_s3_bucket.web.bucket_regional_domain_name
+    origin_id = "S3-Origin"
+    s3_origin_config {
+      origin_access_identity = aws_cloudfront_origin_access_identity.s3_identity.cloudfront_access_identity_path
+    }
+  }
+  aliases = [
+    local.web_sub_domain,
+  ]
+
+
+  enabled = true
+  default_root_object = "index.html"
+
+  default_cache_behavior {
+    allowed_methods  = ["GET", "HEAD"]
+    cached_methods   = ["GET", "HEAD"]
+    target_origin_id = "S3-Origin"
+
+    viewer_protocol_policy = "redirect-to-https"
+
+    forwarded_values {
+      query_string = false
+
+      cookies {
+        forward = "none"
+      }
+    }
+  }
+
+
+  viewer_certificate {
+    acm_certificate_arn = aws_acm_certificate.cert-my-aws-project-com.arn
+    ssl_support_method = "sni-only"
+  }
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+}
+
+resource "aws_route53_record" "web" {
+  zone_id = data.aws_route53_zone.domain.zone_id
+  name    = local.web_sub_domain
+  type    = "A"
+
+  alias {
+    name                   = aws_cloudfront_distribution.web.domain_name
+    zone_id                = aws_cloudfront_distribution.web.hosted_zone_id
+    evaluate_target_health = false
+  }
+}
+

infrastructure/web/data.tf

@@ -0,0 +1,5 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_route53_zone" "domain" {
+  name = "lukas-bernhard.de"
+}

infrastructure/web/locals.tf

@@ -0,0 +1,4 @@
+locals {
+  account_id = data.aws_caller_identity.current.account_id
+  web_sub_domain = "schafkopf.lukas-bernhard.de"
+}

infrastructure/web/providers.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_providers {
+    aws = {
+      configuration_aliases = [
+        aws,
+        aws.us-east
+      ]
+    }
+  }
+}

infrastructure/web/s3.tf

@@ -0,0 +1,22 @@
+resource "aws_s3_bucket" "web" {
+  bucket = "schafkopf-web-${local.account_id}"
+}
+
+resource "aws_s3_bucket_policy" "web" {
+  bucket = aws_s3_bucket.web.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid       = "AllowCloudFrontAccess"
+        Effect    = "Allow"
+        Principal = {
+          AWS = aws_cloudfront_origin_access_identity.s3_identity.iam_arn
+        }
+        Action    = "s3:GetObject"
+        Resource  = "${aws_s3_bucket.web.arn}/*"
+      }
+    ]
+  })
+}