diff --git a/services/terraform/remote/aws_iam.tf b/services/terraform/remote/aws_iam.tf
--- a/services/terraform/remote/aws_iam.tf
+++ b/services/terraform/remote/aws_iam.tf
@@ -70,6 +70,18 @@
   }
 }
 
+# Role for keyserver service nodes
+# Allows for ecs exec
+resource "aws_iam_role" "keyserver_node_ecs_task_role" {
+  name = "ecs-iam_role"
+  description = "Allows to SSH into ECS containers"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_ecs_ec2.json
+
+  managed_policy_arns = [
+    aws_iam_policy.allow_ecs_exec.arn,
+  ]
+}
+
 # Allows ECS Exec to SSH into service task containers
 resource "aws_iam_policy" "allow_ecs_exec" {
   name = "allow-ecs-exec"
diff --git a/services/terraform/remote/secrets.json b/services/terraform/remote/secrets.json
--- a/services/terraform/remote/secrets.json
+++ b/services/terraform/remote/secrets.json
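Review bot: The role added as `resource "aws_iam_role" "keyserver_node_ecs_task_role"` is given the generic `name = "ecs-iam_role"`, which says nothing about what it is attached to and will collide with any other role in the account that picks the same name; `name = "keyserver-node-ecs-task-role"` matches the resource name and the `allow-ecs-exec` naming convention used just below. The description and the two comment lines above it call ECS Exec "SSH", but ECS Exec opens sessions through SSM Session Manager, so `description = "Task role for keyserver service nodes; allows ECS Exec sessions into the task containers"` is more accurate and tells a reader which service actually grants the access. The trust document `assume_role_ecs_ec2` is defined outside the hunk; if its name is accurate and it also trusts `ec2.amazonaws.com`, the role can double as an EC2 instance role, which a task-only role does not need, and a document trusting only `ecs-tasks.amazonaws.com` would be the tighter choice, worth confirming.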
@@ -1,28 +1,82 @@ { "accountIDs": { - "production": "ENC[AES256_GCM,data:bFvAqsaeaK63a89t,iv:DItiKGCI6RPfkjQPSrUWhddvJQKOTnYEeyzgHfckrXw=,tag:5NTw9AuEXhU9eOKzd2wvtw==,type:str]", - "staging": "ENC[AES256_GCM,data:qoJZWlb2BusLjLJV,iv:cRt9S8qKZ8qz3q41Xc1o+giTTHA0jWkTLQDFHUHFR2U=,tag:EbZKVX7NkxDmx1s1PIjIeg==,type:str]" + "production": "ENC[AES256_GCM,data:7IFfLPfwCMbVtQ0l,iv:k2YUjcdeS5zfra7MNT+lBWeyRDqRm/+jXnOEHzasGfM=,tag:6+kJ8UmBegInaL0U1qWp2Q==,type:str]", + "staging": "ENC[AES256_GCM,data:Zb+8XOWcyOqM2THe,iv:fDe9Z7kLzdEgmIZlZHGkESn+YMW/7ukphx28vhte1L8=,tag:TyaixW9C57Ty2htFEogg3w==,type:str]" }, - "keyserverPublicKey": "ENC[AES256_GCM,data:6QnxnmA21WMjsqFJHgSxh4UkzoR1LMQuoK+F4uj5cxZPqsvverDjf9OfJg==,iv:gScxT+OOcnIrnc32S/Skk1/y15k2yhMVkCjuCUkQ3Y8=,tag:ZzP+7sgxZoJHD/XpMwwxWg==,type:str]", + "keyserverPublicKey": "ENC[AES256_GCM,data:kISIHWgvPLMlIFDEgwkMH4l35T30rP8cAxjp2X8LOVCJ0TTGXfLP8OvpsQ==,iv:dvUGQaG8d1uqYSykXSDzpI8Ob3LQsy/ZEaNItznBPkg=,tag:g88JxTnfk3ExqaS3PRIgDQ==,type:str]", "emailConfig": { - "postmarkToken": "ENC[AES256_GCM,data:9LHtrcnsPjSQ9taGbM984vHubERZZxvVrrEu0EmpSxA3fABH,iv:IGvphb6l6sCfeY6liOcmLaVsEtNKO97kSuB3YUMQVAg=,tag:+2F/or6vbv90kD1T1h+ZHA==,type:str]", - "senderEmail": "ENC[AES256_GCM,data:TtXiJwxtgqSfJw8Lht1o89i0aNwjHLHO70v7SlAUJWJXg2sMoz8Weg==,iv:g9a/QNXyDorilDdh6GQjWmO4iZ8ngYqjMmws8O64T9M=,tag:5QrBdNY011OTvZPr9FVqEg==,type:str]", + "postmarkToken": "ENC[AES256_GCM,data:BbtKG+s1jd6UAeDxZaEr/mu4uIVGeZGXZXi1dE2FkS0BIMNc,iv:0xnv4+R7UqDz2c6y6ysOM80dqiG8sbRrfTP01K1in8w=,tag:tdGnDjRXkN2JJ6TjboJ+4w==,type:str]", + "senderEmail": "ENC[AES256_GCM,data:deC9KkfrFH8I6mVWVMJBZr2w6KInNKrdVrdTJRvn3XXllX8gWpGY0w==,iv:7CxEU3W7vVKOfjT/OxDdi66FG9tgqNU5IWsZ8vdaEAo=,tag:JaQ2oDI/Ups7JWZT6Cvy7A==,type:str]", "mailingGroups": { - "inconsistencyReports": "ENC[AES256_GCM,data:WpfRg05ey0NqXD7xsJM4em2QxwBTZf1A/dhZJmll,iv:nSH3oPSmja6lvEqGLpNrpPqVmMrD8OqAU3gvMIlm68E=,tag:vIi5G+3F3eIoZP6zma7rZw==,type:str]", - "mediaReports": 
"ENC[AES256_GCM,data:ayhONEdMxKQgJKtVzkcJUMWy30y/hw==,iv:Cr/vcQ/HObcbSfoKXZ8hiGwSdTETsAoohJCargaWadM=,tag:WCpfrV0SSBM+DoYIahIkpw==,type:str]", - "errorReports": "ENC[AES256_GCM,data:5IfELwZmEvDgIalp3M4oxh8jgiJKuA==,iv:YCuAsQMiIE+ahatbc+GcJAwfr//aoGsfb6VCUeeXZh0=,tag:06RAnL4s2sFsvBJqH5IZuQ==,type:str]" + "inconsistencyReports": "ENC[AES256_GCM,data:xa5CZVgtN+aHg5+RnwMY7ATH27UrRT+2JqOKPT3C,iv:WeBytCB7C8hb+IFDc7C3Nw4sRjej5zJR3MQccs1yMW0=,tag:fxdGkYUyUnUyy4R1A4Z/yw==,type:str]", + "mediaReports": "ENC[AES256_GCM,data:qohrB1LFt1gkXIpJQf15X6GJxBJYrQ==,iv:FdFOib8l5r3LHzq69WcrNal6Oapj8KpP3u8ntiKtjMY=,tag:RFvakkOLVPn8U2gvLS01ZA==,type:str]", + "errorReports": "ENC[AES256_GCM,data:y4ow1pkmfa99Q5svRgOvNACNArddYA==,iv:2b1SW/f2N77g6phgzJvTwqZABakN+Tb12y+0A3wQqSw=,tag:8bBAYCEdMbA3oydBcvS9HA==,type:str]" } }, "amqpPassword": { - "production": "ENC[AES256_GCM,data:HGWWEwKhNeIAYqqyzAo=,iv:JwsXBZwyrzvO7KvfmyE2RUmo23n+zXedS0HZpHUgg1U=,tag:CCk7MgUKbwREy9cSdJNtig==,type:str]", - "staging": "ENC[AES256_GCM,data:DULoLDulN6rSeHVf+g0=,iv:DOPgUu1P+1c6YXYbYona3Q/rCN2X9Gs8sMiOaJgLu1A=,tag:h35i33gOmBgFAtbjFiQgWw==,type:str]" + "production": "ENC[AES256_GCM,data:UvF1DhPQ3lLrJYj32No=,iv:QNPmqKxpGTrmZVgWmtNDtRWxSoVHIim2ckHyUrAuz0M=,tag:oNZRnFDxBVd2yGbwX7xSKw==,type:str]", + "staging": "ENC[AES256_GCM,data:DDZjkGqHPWlCOGrdLwo=,iv:Z7jQDL1iMXj2YdW7wKI3MiRBrUUrrBvDH8RHuAzWCh8=,tag:u0PAf4sGWDNVXcNt9dOaUA==,type:str]" + }, + "webappLandingEnvVars": { + "COMM_JSONCONFIG_facts_keyserver_url": { + "baseDomain": "ENC[AES256_GCM,data:+GcgIOcSSNTX3NnmvbXFd37yMTk=,iv:lMm4j7HgSBw3wmYZJMHMfUfd5sDi0xgKH9wK38EHVCk=,tag:8zQyNn7hU9R/PhArVBXNFw==,type:str]", + "basePath": "ENC[AES256_GCM,data:Fg==,iv:gDFfX9WUBJcNeyVft5HLeHZt8Xi7oJSfGFQbJxvf9tM=,tag:GfiSxHv2hpCFuAV9t9jLjA==,type:str]", + "baseRoutePath": "ENC[AES256_GCM,data:Ig==,iv:/gf72cUemCOi4l1ba9tfrmzgKFNioM4ANt9FrIQmf2s=,tag:gozyFjcN6JShKIFqjEyhlg==,type:str]", + "https": 
"ENC[AES256_GCM,data:l/2Bag==,iv:+4iAKRVe2eU4aPGneHQbtK747N039ZN/Ih+LZqLm6y8=,tag:+J5sXye6biqxo6e7n7nKFQ==,type:bool]", + "proxy": "ENC[AES256_GCM,data:CJKU,iv:CYJg7H+OxAMRoWNCa4QPYYsSRrdE7SvrhyIWp8JlfKA=,tag:2fbwoy+zMPQohovX10pihg==,type:str]" + }, + "COMM_JSONCONFIG_secrets_alchemy": { + "key": "ENC[AES256_GCM,data:gWcNWqhgHPQHDr5IH5f1Q2GTXk6CH5sB5rdFYVZevWA=,iv:jPwycRvSe/QjjG6Hv7da4xRVZoQktL7afSygGUo4uzU=,tag:9YmQRZfUMuB85oyp9fxj0w==,type:str]" + }, + "COMM_JSONCONFIG_secrets_walletconnect": { + "key": "ENC[AES256_GCM,data:qpjWmEYBBWCywgJexhZNHJvALaXE/W4UGHz9NZ0DsVA=,iv:Z+EgXtkKu4CEu+BZcbH+CXX3tsknUbyrkQDk4Utb9O0=,tag:jC4MRw0e0+dEdTeZiShHYg==,type:str]" + }, + "COMM_JSONCONFIG_secrets_geoip_license": { + "key": "ENC[AES256_GCM,data:izLdCBxInOon8Ig1zQ3TCg==,iv:U0OCacer7ndhXxvz7jsVLqZsHbN7YtyIL4dOF7XO9Og=,tag:Hc1cqvkFr5np6cQc0PfbLg==,type:str]" + }, + "COMM_JSONCONFIG_secrets_postmark": { + "apiToken": "ENC[AES256_GCM,data:VYDjTfJbx8DpmYOcaYH7204AF1BwEO0GHt2YbOMkG1Gq/OH8,iv:ab0qvpWtmSSjK9MgnWJv81CJLrrqjZgyFIND9anGdJs=,tag:ojwv2ibPEHzagQdbGEpJpg==,type:str]" + }, + "COMM_JSONCONFIG_secrets_neynar": { + "key": "ENC[AES256_GCM,data:tZJcGhqmrfmcI4HesJDRfgsIfDG5kkBM1GoDdFp4KuqwAB6Q,iv:RXhGcXMu0iV0ZH3AdYIYDTLiLg53TT6VYZOeGkM1OWg=,tag:G7wKiASk4O6BW9PwNrWl6Q==,type:str]" + } + }, + "webappLandingStagingEnvVars": { + "COMM_JSONCONFIG_facts_webapp_url": { + "baseDomain": "ENC[AES256_GCM,data:o+EpVdZA23K1uYqzBmxygvzZeVj3,iv:WxEfd8J0i+KPqZ4I38TjS7oNKhWypicXXgtMArlDadM=,tag:p3BrsAh617hh3IdyHSbc6Q==,type:str]", + "basePath": "ENC[AES256_GCM,data:+w==,iv:hAPYvTBpBuL8XwvRNVXaMdVh45Kcmr2peuSR+TLYcYE=,tag:TY3rTAmARFQ6pIKy6Mi/rg==,type:str]", + "baseRoutePath": "ENC[AES256_GCM,data:RQ==,iv:RXGLhUo6utp81Wm9sA6EHI7wDQ963yUMhFecQvuVCCA=,tag:vdYqpRD8UA3nzTQ2FxyeZQ==,type:str]", + "https": "ENC[AES256_GCM,data:5lUNcA==,iv:VSAbJS3Pl36NLjJYAmUP9gYxR5Jb8jM8ka807z2dJX8=,tag:wKnYvt13JgWtu8C3adTqFA==,type:bool]", + "proxy": 
"ENC[AES256_GCM,data:A9HH,iv:BGXVa4aOsNjX0y1LLXLRDqx6k0CCW9U/poAKK8KBFs4=,tag:HMSXWIZrc9Ks8QxhLHGIVA==,type:str]" + }, + "COMM_JSONCONFIG_facts_landing_url": { + "baseDomain": "ENC[AES256_GCM,data:NX+COqXbFbK1JuaWa7lJTXNCLTen,iv:C6+YAkU0oXxOQR8jz3NhFgGN1RWY8mLCARB7i+j15Uw=,tag:UFnDyJc4+6TDKJvMeg/4ng==,type:str]", + "basePath": "ENC[AES256_GCM,data:wA==,iv:AV1Ld5U7jdo7xie//iTZB+wjPibswDw3okLhDTqcuHI=,tag:XIiuMXzAGK975FAGA8ShSQ==,type:str]", + "baseRoutePath": "ENC[AES256_GCM,data:GA==,iv:19x9COVTcr5YXrIy03LQ8TQNl1KfWZxmK5IU5NDl/r4=,tag:0ZuqykTszTVcwLMV28FasA==,type:str]", + "https": "ENC[AES256_GCM,data:OrEisQ==,iv:3wy5MSzhB5Ti48J3evBsD6LwvH+u5TbHnLV1bChNJVI=,tag:1PPSHV8W4r1SvsSWAj4lNA==,type:bool]" + } + }, + "webappLandingProdEnvVars": { + "COMM_JSONCONFIG_facts_webapp_url": { + "baseDomain": "ENC[AES256_GCM,data:PkQCRBTN+k3UmdWrJx5apl8swfo=,iv:PGEXm7BKR4mazT0O6bK0ZgYZ1N769olqxv+9MdIj06A=,tag:ISSpIZfTjBhkX7+jwxO5XQ==,type:str]", + "basePath": "ENC[AES256_GCM,data:Mg==,iv:k0mZrlNJvUFwJ0Nv0nnj/ngEBpcry22ygFUK0aIb7rs=,tag:P2QBvKphr3Nv1UFgX5gJyw==,type:str]", + "baseRoutePath": "ENC[AES256_GCM,data:Tg==,iv:m1NIh3/swrVhHDBXdKy0JApSTIx4Sv9+Yl3RZiBGcEI=,tag:UZgFVcZQwcAcpfP/KE395w==,type:str]", + "https": "ENC[AES256_GCM,data:enK/KA==,iv:GJNsCjVVE7ksFuOgTmed5/IOfAPY/G8Aap1rVxi3Ljc=,tag:/18SDiWCUW+4qKioUnxnPA==,type:bool]", + "proxy": "ENC[AES256_GCM,data:jwlb,iv:UB6TikOilAESBHMuD9+LIDmNZD4g24o2x0K1a+7xS0w=,tag:E6THOXGN4QMjlg29QW2vwQ==,type:str]" + }, + "COMM_JSONCONFIG_facts_landing_url": { + "baseDomain": "ENC[AES256_GCM,data:dRsAlE/ZERqISxIx7P6aCg==,iv:SLM9tvU/sksjUtj8q6PipBSa8AUXFSwc6DS0P2nDxfE=,tag:xeiTBFC2uz2AXjbyXY7AuA==,type:str]", + "basePath": "ENC[AES256_GCM,data:sQ==,iv:Oz5g4GIyWDvVIigUtaqu3XZ9a4H8J8he0sH4ItmccIU=,tag:FdMzgGH7ZZqMWxubhMGDsA==,type:str]", + "baseRoutePath": "ENC[AES256_GCM,data:yA==,iv:C44lMkHqZvbzqU8whBp0Hym5AxizY0SKVfa4X7PwKj0=,tag:uZmMxA78hdQwKe2gzL5w6Q==,type:str]", + "https": 
"ENC[AES256_GCM,data:D1gRoQ==,iv:FshkmudzDrEedO51n206Z9RQHjJzXWpkfPe4Njk6pb8=,tag:KBSO1fnTX8vVKk5EV86Lnw==,type:bool]" + } }, "sops": { "kms": [ { "arn": "arn:aws:kms:us-east-2:319076408221:key/2e54d528-50a2-489c-a4d7-d50c7c9f8303", - "created_at": "2023-07-29T15:16:43Z", - "enc": "AQICAHj+McP79InpW8dFM/rPPvaCljIlb0zq8qoMY/a2UlUSewFFXrO432X6dWZfZHFVsgoGAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM0LAEze794jBZIKO/AgEQgDuVcwyViTDZoLwGj5icgKlABQFeUofitRD9e19i3Q+0ZyT7sSQ/4t2GuxvVo4cVEIkHCgTNH2RXLoqzPA==", + "created_at": "2024-08-02T19:26:39Z", + "enc": "AQICAHj+McP79InpW8dFM/rPPvaCljIlb0zq8qoMY/a2UlUSewHIbR0u6/Kr+Ftbzjo/wFIxAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMTB0popV+0Y/hGcnaAgEQgDskdVFmVlQgvwzmF1rHHdoa3hVzOr4AovjpmYRiapGrSn8DUhyKKVh/LhH8M+dL3FDAp7mBoRA26facEg==", "aws_profile": "" } ], @@ -30,10 +84,10 @@ "azure_kv": null, "hc_vault": null, "age": null, - "lastmodified": "2023-09-12T09:29:09Z", - "mac": "ENC[AES256_GCM,data:q0leMf7J7MBHoQQ6h82eT4xUsIHC6j1DKolRYn/USJsZ4+rt2EEICzD7J8tLUIzv2IqHnTV9hYMt+8Q0qAfOl87Z8VI0TwzXiAx3b2pdAfCheozz6vE1F/94XVz8S6v/YZpVGT9u1lwPISdXYfd/7QqK3u8hZJM/PVVn5djNcj8=,iv:pb1Ii6BfZMgz6S3R+xEehycArHeBz2wzNHJLms9Jby0=,tag:s8sCtTexTs7Qb6magRWzSw==,type:str]", + "lastmodified": "2024-08-02T19:26:39Z", + "mac": "ENC[AES256_GCM,data:S6LREk1Bahu+R92V+j6KBfmzb0GjjxXRQCHGoX8w7dDZHiDx+aTeag269vK+gfjZUwsGgMqYVuY5qBemj3j5Szcd9hHZ4t6sFN0XQ/jVhggRK3dlMwpNR7c4wmPNNlf/fj5q1NoNx3CItDkQlLL6kGkUFqOWJV7JHBZSRZxsYek=,iv:lYbRENzq+K6sjwQ/snwGe8GP2wR0ypgcTaz6XaJLtZs=,tag:hG9AOht9XEwtjTm5bfLV8Q==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", - "version": "3.7.3" + "version": "3.8.1" } } diff --git a/services/terraform/remote/service_webapp.tf b/services/terraform/remote/service_webapp.tf new file mode 100644 --- /dev/null +++ b/services/terraform/remote/service_webapp.tf 
@@ -0,0 +1,54 @@
+locals {
+  webapp_image_tag = "1.0.103"
+  webapp_service_image = "commapp/keyserver:${local.webapp_image_tag}"
+  webapp_container_name = "webapp"
+
+  webapp_run_server_config = jsonencode({
+    runKeyserver = false
+    runWebApp = true
+    runLanding = false
+  })
+
+  webapp_landing_environment_vars = local.secrets["webappLandingEnvVars"]
+
+  webapp_landing_environment_vars_encoded = {
+    for key, value in local.webapp_landing_environment_vars : key => jsonencode(value)
+  }
+
+  stage_specific_environment_vars = (local.is_staging ?
+    local.secrets["webappLandingStagingEnvVars"] :
+    local.secrets["webappLandingProdEnvVars"])
+
+  stage_specific_environment_vars_encoded = {
+    for key, value in local.stage_specific_environment_vars : key => jsonencode(value)
+  }
+
+  webapp_environment_vars = merge(
+    local.webapp_landing_environment_vars_encoded,
+    local.stage_specific_environment_vars_encoded,
+    {
+      "COMM_LISTEN_ADDR" = "0.0.0.0",
+      "COMM_NODE_ROLE" = "webapp",
+      "COMM_JSONCONFIG_facts_run_server_config" = local.webapp_run_server_config
+    })
+}
+
+module "webapp_service" {
+  source = "../modules/keyserver_node_service"
+
+  container_name = "webapp"
+  image = local.webapp_service_image
+  service_name = "webapp"
+  cluster_id = aws_ecs_cluster.comm_services.id
+  domain_name = local.is_staging ? "comm.software" : "web.comm.app"
+  vpc_id = aws_vpc.default.id
+  vpc_subnets = [aws_subnet.public_a.id, aws_subnet.public_b.id]
+  region = "us-east-2"
+  environment_vars = local.webapp_environment_vars
+  ecs_task_role_arn = aws_iam_role.keyserver_node_ecs_task_role.arn
+  ecs_task_execution_role_arn = aws_iam_role.ecs_task_execution.arn
+}
+
+output "webapp_service_load_balancer_dns_name" {
+  value = module.webapp_service.service_load_balancer_dns_name
+}
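Review bot: `webapp_environment_vars` folds the `COMM_JSONCONFIG_secrets_*` entries of `local.secrets["webappLandingEnvVars"]` (the Alchemy, WalletConnect, GeoIP, Postmark and Neynar keys added in the secrets.json hunk) into the container's plain environment, so after apply they sit in cleartext in the task definition, readable by anyone holding `ecs:DescribeTaskDefinition` or console access, and presumably also in Terraform state as module inputs. ECS task definitions can receive such values through `secrets` entries with `valueFrom` pointing at Secrets Manager or SSM Parameter Store, leaving only the `COMM_JSONCONFIG_facts_*` entries as ordinary environment values; whether `keyserver_node_service` exposes an input for that is not visible here. `webapp_service_image` also resolves a mutable tag, so pinning the digest as well (`commapp/keyserver:1.0.103@sha256:<digest>`) would make the deployment reproducible and tamper-evident. The `locals`, `module` and `output` blocks are complete within the hunk.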