[Do not merge] PR for diff of DANDI vs. LINC

.gitignore

@@ -32,3 +32,5 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+
+.idea/

README.md

@@ -1,2 +1,2 @@
-# dandi-infrastructure
-Deployment infrastructure for the DANDI Archive.
+# linc-archive-infrastructure
+Deployment infrastructure for the LINC Brain Archive.

terraform/api.tf

@@ -1,14 +1,14 @@
-data "heroku_team" "dandi" {
-  name = "dandi"
+data "heroku_team" "linc-brain-mit" {
+  name = "linc-brain-mit"
 }
 
 module "api" {
   source  = "girder/girder4/heroku"
   version = "0.13.0"
 
-  project_slug     = "dandi-api"
-  heroku_team_name = data.heroku_team.dandi.name
-  route53_zone_id  = aws_route53_zone.dandi.zone_id
+  project_slug     = "linc-brain-prod"
+  heroku_team_name = data.heroku_team.linc-brain-mit.name
+  route53_zone_id  = aws_route53_zone.linc-brain-mit.zone_id
   subdomain_name   = "api"
 
   heroku_web_dyno_size    = "standard-2x"
@@ -20,32 +20,39 @@ module "api" {
   heroku_web_dyno_quantity    = 1
   heroku_worker_dyno_quantity = 1
 
-  django_default_from_email          = "admin@api.dandiarchive.org"
-  django_cors_origin_whitelist       = ["https://dandiarchive.org"]
-  django_cors_origin_regex_whitelist = ["^https:\\/\\/[0-9a-z\\-]+--gui-dandiarchive-org\\.netlify\\.app$"]
+    django_default_from_email          = "admin@api.lincbrain.org"
+    django_cors_origin_whitelist       = ["https://lincbrain.org"]
+    django_cors_origin_regex_whitelist = ["^https:\\/\\/[0-9a-z\\-]+\\.netlify\\.app$"]
 
-  additional_django_vars = {
-    DJANGO_CONFIGURATION                           = "HerokuProductionConfiguration"
-    DJANGO_DANDI_DANDISETS_BUCKET_NAME             = module.sponsored_dandiset_bucket.bucket_name
-    DJANGO_DANDI_DANDISETS_BUCKET_PREFIX           = ""
-    DJANGO_DANDI_DANDISETS_EMBARGO_BUCKET_NAME     = module.sponsored_embargo_bucket.bucket_name
-    DJANGO_DANDI_DANDISETS_EMBARGO_BUCKET_PREFIX   = ""
-    DJANGO_DANDI_DANDISETS_LOG_BUCKET_NAME         = module.sponsored_dandiset_bucket.log_bucket_name
-    DJANGO_DANDI_DANDISETS_EMBARGO_LOG_BUCKET_NAME = module.sponsored_embargo_bucket.log_bucket_name
-    DJANGO_DANDI_DOI_API_URL                       = "https://api.datacite.org/dois"
-    DJANGO_DANDI_DOI_API_USER                      = "dartlib.dandi"
-    DJANGO_DANDI_DOI_API_PREFIX                    = "10.48324"
-    DJANGO_DANDI_DOI_PUBLISH                       = "true"
-    DJANGO_SENTRY_DSN                              = data.sentry_key.this.dsn_public
-    DJANGO_SENTRY_ENVIRONMENT                      = "production"
-    DJANGO_CELERY_WORKER_CONCURRENCY               = "4"
-    DJANGO_DANDI_WEB_APP_URL                       = "https://dandiarchive.org"
-    DJANGO_DANDI_API_URL                           = "https://api.dandiarchive.org"
-    DJANGO_DANDI_JUPYTERHUB_URL                    = "https://hub.dandiarchive.org/"
-  }
-  additional_sensitive_django_vars = {
-    DJANGO_DANDI_DOI_API_PASSWORD = var.doi_api_password
-  }
+    additional_django_vars = {
+        CLOUDFRONT_BASE_URL                            = "lincbrain.org"
+        CLOUDFRONT_NEUROGLANCER_URL                    = "https://neuroglancer.lincbrain.org"
+        CLOUDFRONT_PEM_KEY_ID                          = "K3OG4MF62CGEDN"
+        CLOUDFRONT_PRIVATE_PEM_S3_LOCATION             = "cloudfront/private_key_prod_new.pem"
+        DJANGO_CONFIGURATION                           = "HerokuProductionConfiguration"
+        DJANGO_DANDI_DANDISETS_BUCKET_NAME             = module.sponsored_lincset_bucket_us_east_2.bucket_name
+        DJANGO_DANDI_DANDISETS_BUCKET_PREFIX           = ""
+        DJANGO_DANDI_DANDISETS_EMBARGO_BUCKET_NAME     = module.sponsored_embargo_bucket_us_east_2.bucket_name
+        DJANGO_DANDI_DANDISETS_EMBARGO_BUCKET_PREFIX   = ""
+        DJANGO_DANDI_DANDISETS_LOG_BUCKET_NAME         = module.sponsored_lincset_bucket_us_east_2.log_bucket_name
+        DJANGO_DANDI_DANDISETS_EMBARGO_LOG_BUCKET_NAME = module.sponsored_embargo_bucket_us_east_2.log_bucket_name
+        DJANGO_DANDI_DOI_API_URL                       = "https://api.datacite.org/dois"
+        DJANGO_DANDI_DOI_API_USER                      = "temp.dandi"
+        DJANGO_DANDI_DOI_API_PREFIX                    = "temp"
+        DJANGO_DANDI_DOI_PUBLISH                       = "true"
+        DJANGO_SENTRY_DSN                              = "https://833c159dc622528b21b4ce4adef6dbf8@o4506237212033024.ingest.sentry.io/4506237213212672"
+        DJANGO_SENTRY_ENVIRONMENT                      = "production"
+        DJANGO_CELERY_WORKER_CONCURRENCY               = "4"
+        DJANGO_DANDI_WEB_APP_URL                       = "https://lincbrain.org"
+        DJANGO_DANDI_API_URL                           = "https://api.lincbrain.org"
+        DJANGO_DANDI_JUPYTERHUB_URL                    = "https://hub.lincbrain.org"
+        WEBKNOSSOS_API_URL                             = "https://webknossos.lincbrain.org"
+        WEBKNOSSOS_ORGANIZATION_DISPLAY_NAME           = "LINC"
+        WEBKNOSSOS_ORGANIZATION_NAME                   = "LINC"
+      }
+      additional_sensitive_django_vars = {
+        DJANGO_DANDI_DOI_API_PASSWORD = "temp"
+      }
 }
 
 resource "heroku_formation" "api_checksum_worker" {
@@ -64,4 +71,4 @@ resource "heroku_formation" "api_analytics_worker" {
 
 data "aws_iam_user" "api" {
   user_name = module.api.heroku_iam_user_id
-}
+}

terraform/domain.tf

@@ -1,41 +1,61 @@
-resource "aws_route53_zone" "dandi" {
-  name = "dandiarchive.org"
-}
-
-resource "aws_route53_record" "acm_validation" {
-  zone_id = aws_route53_zone.dandi.zone_id
-  name    = "_cbe41dfe1888c2bb5c157cacc35e1722"
-  type    = "CNAME"
-  ttl     = "300"
-  records = ["_46df7ee9a9c17698aedbb737f220c63a.mzlfeqexyx.acm-validations.aws"]
+resource "aws_route53_zone" "linc-brain-mit" {
+  name = "lincbrain.org"
 }
 
 resource "aws_route53_record" "gui" {
-  zone_id = aws_route53_zone.dandi.zone_id
+  zone_id = aws_route53_zone.linc-brain-mit.zone_id
   name    = "" # apex
   type    = "A"
   ttl     = "300"
-  records = ["75.2.60.5"] # Netlify's load balancer, which will proxy to our app
+  records = ["75.2.60.5"] # Netlify's load balancer,  which will proxy to our app -- https://docs.netlify.com/domains-https/custom-domains/configure-external-dns/#configure-an-apex-domain
 }
 
-resource "aws_route53_record" "gui-staging" {
-  zone_id = aws_route53_zone.dandi.zone_id
-  name    = "gui-staging"
-  type    = "CNAME"
-  ttl     = "300"
-  records = ["gui-staging-dandiarchive-org.netlify.com"]
+# resource "aws_route53_record" "gui-staging" {
+#   zone_id = aws_route53_zone.linc-brain-mit.zone_id
+#   name    = "gui-staging"
+#   type    = "CNAME"
+#   ttl     = "300"
+#   records = ["staging--gui-staging-lincbrain-org.netlify.app"]
+# }
+
+resource "aws_acm_certificate" "cert" {
+  domain_name        = "lincbrain.org"
+  validation_method  = "DNS"
+
+  subject_alternative_names = [
+    "*.lincbrain.org"
+  ]
 }
 
-resource "aws_route53_record" "www" {
-  zone_id = aws_route53_zone.dandi.zone_id
-  name    = "www"
-  type    = "CNAME"
+
+resource "aws_route53_record" "validation" {
+  for_each = {
+    for domain_validation_option in aws_acm_certificate.cert.domain_validation_options : domain_validation_option.domain_name => {
+      name   = domain_validation_option.resource_record_name
+      record = domain_validation_option.resource_record_value
+      type   = domain_validation_option.resource_record_type
+    }
+  }
+
+  zone_id = aws_route53_zone.linc-brain-mit.zone_id
+  name    = each.value.name
+  type    = each.value.type
+  records = [each.value.record]
   ttl     = "300"
-  records = ["dandi.github.io"]
+
+  lifecycle {
+    create_before_destroy = true
+    ignore_changes = [records, name, type]
+  }
+}
+
+resource "aws_acm_certificate_validation" "cert" {
+  certificate_arn         = aws_acm_certificate.cert.arn
+  validation_record_fqdns = [for record in aws_route53_record.validation : record.fqdn]
 }
 
 resource "aws_route53_record" "email" {
-  zone_id = aws_route53_zone.dandi.zone_id
+  zone_id = aws_route53_zone.linc-brain-mit.zone_id
   name    = "" # apex
   type    = "MX"
   ttl     = "300"
@@ -46,7 +66,7 @@ resource "aws_route53_record" "email" {
 }
 
 resource "aws_route53_record" "email-spf" {
-  zone_id = aws_route53_zone.dandi.zone_id
+  zone_id = aws_route53_zone.linc-brain-mit.zone_id
   name    = "" # apex
   type    = "TXT"
   ttl     = "300"

terraform/main.tf

@@ -1,37 +1,49 @@
 terraform {
   backend "remote" {
-    organization = "dandi"
+    organization = "linc-brain-mit"
 
     workspaces {
-      name = "dandi-prod"
+      name = "linc-archive-terraform"
     }
   }
 }
 
-// This is the "project" account, the primary account with most resources
 provider "aws" {
-  region              = "us-east-2"
-  allowed_account_ids = ["278212569472"]
-  # Must set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY envvars
+  region              = "us-east-1"
+  allowed_account_ids = ["151312473579"]
+
+  assume_role {
+      role_arn = "arn:aws:iam::151312473579:role/linc-infrastructure"
+   }
+}
+
+provider "aws" {
+  region = "us-east-2"
+  alias  = "target"
+  allowed_account_ids = ["151312473579"]
+
+  assume_role {
+      role_arn = "arn:aws:iam::151312473579:role/linc-infrastructure"
+  }
 }
 
 // The "sponsored" account, the Amazon-sponsored account with the public bucket
 provider "aws" {
   alias               = "sponsored"
-  region              = "us-east-2"
-  allowed_account_ids = ["769362853226"]
+  region              = "us-east-1"
+  allowed_account_ids = ["151312473579"]  # TODO: Aaron make new ID
 
   // This will authenticate using credentials from the project account, then assume the
-  // "dandi-infrastructure" role from the sponsored account to manage resources there
+  // "linc-infrastructure" role from the sponsored account to manage resources there
   assume_role {
-    role_arn = "arn:aws:iam::769362853226:role/dandi-infrastructure"
+    role_arn = "arn:aws:iam::151312473579:role/linc-infrastructure"
   }
 
   # Must set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY envvars for project account
 }
 
 provider "heroku" {
-  # Must set HEROKU_EMAIL, HEROKU_API_KEY envvars
+
 }
 
 provider "sentry" {