

D12928.diff

diff --git a/services/terraform/remote/aws_iam.tf b/services/terraform/remote/aws_iam.tf
--- a/services/terraform/remote/aws_iam.tf
+++ b/services/terraform/remote/aws_iam.tf
@@ -70,6 +70,18 @@
}
}
+# Role for keyserver service nodes
+# Allows for ecs exec
+resource "aws_iam_role" "keyserver_node_ecs_task_role" {
+ name = "ecs-iam_role"
+ description = "Allows to SSH into ECS containers"
+ assume_role_policy = data.aws_iam_policy_document.assume_role_ecs_ec2.json
+
+ managed_policy_arns = [
+ aws_iam_policy.allow_ecs_exec.arn,
+ ]
+}
+
# Allows ECS Exec to SSH into service task containers
resource "aws_iam_policy" "allow_ecs_exec" {
name = "allow-ecs-exec"
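Review bot: The description on `keyserver_node_ecs_task_role` says SSH, but ECS Exec opens its session over the SSM agent channel rather than SSH, and the name `ecs-iam_role` mentions neither keyserver nodes nor ECS Exec. Something like `description = "Task role for keyserver nodes; grants the SSM channel permissions ECS Exec needs"` would be more accurate. Because this is the task role, its permissions are also available to the application code running in the container, so a comment stating that it should carry nothing beyond `allow_ecs_exec` is worth adding. The body of `aws_iam_policy.allow_ecs_exec` continues outside this hunk, so its scope cannot be checked here.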
diff --git a/services/terraform/remote/secrets.json b/services/terraform/remote/secrets.json
--- a/services/terraform/remote/secrets.json
+++ b/services/terraform/remote/secrets.json
@@ -1,28 +1,82 @@
{
"accountIDs": {
- "production": "ENC[AES256_GCM,data:bFvAqsaeaK63a89t,iv:DItiKGCI6RPfkjQPSrUWhddvJQKOTnYEeyzgHfckrXw=,tag:5NTw9AuEXhU9eOKzd2wvtw==,type:str]",
- "staging": "ENC[AES256_GCM,data:qoJZWlb2BusLjLJV,iv:cRt9S8qKZ8qz3q41Xc1o+giTTHA0jWkTLQDFHUHFR2U=,tag:EbZKVX7NkxDmx1s1PIjIeg==,type:str]"
+ "production": "ENC[AES256_GCM,data:7IFfLPfwCMbVtQ0l,iv:k2YUjcdeS5zfra7MNT+lBWeyRDqRm/+jXnOEHzasGfM=,tag:6+kJ8UmBegInaL0U1qWp2Q==,type:str]",
+ "staging": "ENC[AES256_GCM,data:Zb+8XOWcyOqM2THe,iv:fDe9Z7kLzdEgmIZlZHGkESn+YMW/7ukphx28vhte1L8=,tag:TyaixW9C57Ty2htFEogg3w==,type:str]"
},
- "keyserverPublicKey": "ENC[AES256_GCM,data:6QnxnmA21WMjsqFJHgSxh4UkzoR1LMQuoK+F4uj5cxZPqsvverDjf9OfJg==,iv:gScxT+OOcnIrnc32S/Skk1/y15k2yhMVkCjuCUkQ3Y8=,tag:ZzP+7sgxZoJHD/XpMwwxWg==,type:str]",
+ "keyserverPublicKey": "ENC[AES256_GCM,data:kISIHWgvPLMlIFDEgwkMH4l35T30rP8cAxjp2X8LOVCJ0TTGXfLP8OvpsQ==,iv:dvUGQaG8d1uqYSykXSDzpI8Ob3LQsy/ZEaNItznBPkg=,tag:g88JxTnfk3ExqaS3PRIgDQ==,type:str]",
"emailConfig": {
- "postmarkToken": "ENC[AES256_GCM,data:9LHtrcnsPjSQ9taGbM984vHubERZZxvVrrEu0EmpSxA3fABH,iv:IGvphb6l6sCfeY6liOcmLaVsEtNKO97kSuB3YUMQVAg=,tag:+2F/or6vbv90kD1T1h+ZHA==,type:str]",
- "senderEmail": "ENC[AES256_GCM,data:TtXiJwxtgqSfJw8Lht1o89i0aNwjHLHO70v7SlAUJWJXg2sMoz8Weg==,iv:g9a/QNXyDorilDdh6GQjWmO4iZ8ngYqjMmws8O64T9M=,tag:5QrBdNY011OTvZPr9FVqEg==,type:str]",
+ "postmarkToken": "ENC[AES256_GCM,data:BbtKG+s1jd6UAeDxZaEr/mu4uIVGeZGXZXi1dE2FkS0BIMNc,iv:0xnv4+R7UqDz2c6y6ysOM80dqiG8sbRrfTP01K1in8w=,tag:tdGnDjRXkN2JJ6TjboJ+4w==,type:str]",
+ "senderEmail": "ENC[AES256_GCM,data:deC9KkfrFH8I6mVWVMJBZr2w6KInNKrdVrdTJRvn3XXllX8gWpGY0w==,iv:7CxEU3W7vVKOfjT/OxDdi66FG9tgqNU5IWsZ8vdaEAo=,tag:JaQ2oDI/Ups7JWZT6Cvy7A==,type:str]",
"mailingGroups": {
- "inconsistencyReports": "ENC[AES256_GCM,data:WpfRg05ey0NqXD7xsJM4em2QxwBTZf1A/dhZJmll,iv:nSH3oPSmja6lvEqGLpNrpPqVmMrD8OqAU3gvMIlm68E=,tag:vIi5G+3F3eIoZP6zma7rZw==,type:str]",
- "mediaReports": "ENC[AES256_GCM,data:ayhONEdMxKQgJKtVzkcJUMWy30y/hw==,iv:Cr/vcQ/HObcbSfoKXZ8hiGwSdTETsAoohJCargaWadM=,tag:WCpfrV0SSBM+DoYIahIkpw==,type:str]",
- "errorReports": "ENC[AES256_GCM,data:5IfELwZmEvDgIalp3M4oxh8jgiJKuA==,iv:YCuAsQMiIE+ahatbc+GcJAwfr//aoGsfb6VCUeeXZh0=,tag:06RAnL4s2sFsvBJqH5IZuQ==,type:str]"
+ "inconsistencyReports": "ENC[AES256_GCM,data:xa5CZVgtN+aHg5+RnwMY7ATH27UrRT+2JqOKPT3C,iv:WeBytCB7C8hb+IFDc7C3Nw4sRjej5zJR3MQccs1yMW0=,tag:fxdGkYUyUnUyy4R1A4Z/yw==,type:str]",
+ "mediaReports": "ENC[AES256_GCM,data:qohrB1LFt1gkXIpJQf15X6GJxBJYrQ==,iv:FdFOib8l5r3LHzq69WcrNal6Oapj8KpP3u8ntiKtjMY=,tag:RFvakkOLVPn8U2gvLS01ZA==,type:str]",
+ "errorReports": "ENC[AES256_GCM,data:y4ow1pkmfa99Q5svRgOvNACNArddYA==,iv:2b1SW/f2N77g6phgzJvTwqZABakN+Tb12y+0A3wQqSw=,tag:8bBAYCEdMbA3oydBcvS9HA==,type:str]"
}
},
"amqpPassword": {
- "production": "ENC[AES256_GCM,data:HGWWEwKhNeIAYqqyzAo=,iv:JwsXBZwyrzvO7KvfmyE2RUmo23n+zXedS0HZpHUgg1U=,tag:CCk7MgUKbwREy9cSdJNtig==,type:str]",
- "staging": "ENC[AES256_GCM,data:DULoLDulN6rSeHVf+g0=,iv:DOPgUu1P+1c6YXYbYona3Q/rCN2X9Gs8sMiOaJgLu1A=,tag:h35i33gOmBgFAtbjFiQgWw==,type:str]"
+ "production": "ENC[AES256_GCM,data:UvF1DhPQ3lLrJYj32No=,iv:QNPmqKxpGTrmZVgWmtNDtRWxSoVHIim2ckHyUrAuz0M=,tag:oNZRnFDxBVd2yGbwX7xSKw==,type:str]",
+ "staging": "ENC[AES256_GCM,data:DDZjkGqHPWlCOGrdLwo=,iv:Z7jQDL1iMXj2YdW7wKI3MiRBrUUrrBvDH8RHuAzWCh8=,tag:u0PAf4sGWDNVXcNt9dOaUA==,type:str]"
+ },
+ "webappLandingEnvVars": {
+ "COMM_JSONCONFIG_facts_keyserver_url": {
+ "baseDomain": "ENC[AES256_GCM,data:+GcgIOcSSNTX3NnmvbXFd37yMTk=,iv:lMm4j7HgSBw3wmYZJMHMfUfd5sDi0xgKH9wK38EHVCk=,tag:8zQyNn7hU9R/PhArVBXNFw==,type:str]",
+ "basePath": "ENC[AES256_GCM,data:Fg==,iv:gDFfX9WUBJcNeyVft5HLeHZt8Xi7oJSfGFQbJxvf9tM=,tag:GfiSxHv2hpCFuAV9t9jLjA==,type:str]",
+ "baseRoutePath": "ENC[AES256_GCM,data:Ig==,iv:/gf72cUemCOi4l1ba9tfrmzgKFNioM4ANt9FrIQmf2s=,tag:gozyFjcN6JShKIFqjEyhlg==,type:str]",
+ "https": "ENC[AES256_GCM,data:l/2Bag==,iv:+4iAKRVe2eU4aPGneHQbtK747N039ZN/Ih+LZqLm6y8=,tag:+J5sXye6biqxo6e7n7nKFQ==,type:bool]",
+ "proxy": "ENC[AES256_GCM,data:CJKU,iv:CYJg7H+OxAMRoWNCa4QPYYsSRrdE7SvrhyIWp8JlfKA=,tag:2fbwoy+zMPQohovX10pihg==,type:str]"
+ },
+ "COMM_JSONCONFIG_secrets_alchemy": {
+ "key": "ENC[AES256_GCM,data:gWcNWqhgHPQHDr5IH5f1Q2GTXk6CH5sB5rdFYVZevWA=,iv:jPwycRvSe/QjjG6Hv7da4xRVZoQktL7afSygGUo4uzU=,tag:9YmQRZfUMuB85oyp9fxj0w==,type:str]"
+ },
+ "COMM_JSONCONFIG_secrets_walletconnect": {
+ "key": "ENC[AES256_GCM,data:qpjWmEYBBWCywgJexhZNHJvALaXE/W4UGHz9NZ0DsVA=,iv:Z+EgXtkKu4CEu+BZcbH+CXX3tsknUbyrkQDk4Utb9O0=,tag:jC4MRw0e0+dEdTeZiShHYg==,type:str]"
+ },
+ "COMM_JSONCONFIG_secrets_geoip_license": {
+ "key": "ENC[AES256_GCM,data:izLdCBxInOon8Ig1zQ3TCg==,iv:U0OCacer7ndhXxvz7jsVLqZsHbN7YtyIL4dOF7XO9Og=,tag:Hc1cqvkFr5np6cQc0PfbLg==,type:str]"
+ },
+ "COMM_JSONCONFIG_secrets_postmark": {
+ "apiToken": "ENC[AES256_GCM,data:VYDjTfJbx8DpmYOcaYH7204AF1BwEO0GHt2YbOMkG1Gq/OH8,iv:ab0qvpWtmSSjK9MgnWJv81CJLrrqjZgyFIND9anGdJs=,tag:ojwv2ibPEHzagQdbGEpJpg==,type:str]"
+ },
+ "COMM_JSONCONFIG_secrets_neynar": {
+ "key": "ENC[AES256_GCM,data:tZJcGhqmrfmcI4HesJDRfgsIfDG5kkBM1GoDdFp4KuqwAB6Q,iv:RXhGcXMu0iV0ZH3AdYIYDTLiLg53TT6VYZOeGkM1OWg=,tag:G7wKiASk4O6BW9PwNrWl6Q==,type:str]"
+ }
+ },
+ "webappLandingStagingEnvVars": {
+ "COMM_JSONCONFIG_facts_webapp_url": {
+ "baseDomain": "ENC[AES256_GCM,data:o+EpVdZA23K1uYqzBmxygvzZeVj3,iv:WxEfd8J0i+KPqZ4I38TjS7oNKhWypicXXgtMArlDadM=,tag:p3BrsAh617hh3IdyHSbc6Q==,type:str]",
+ "basePath": "ENC[AES256_GCM,data:+w==,iv:hAPYvTBpBuL8XwvRNVXaMdVh45Kcmr2peuSR+TLYcYE=,tag:TY3rTAmARFQ6pIKy6Mi/rg==,type:str]",
+ "baseRoutePath": "ENC[AES256_GCM,data:RQ==,iv:RXGLhUo6utp81Wm9sA6EHI7wDQ963yUMhFecQvuVCCA=,tag:vdYqpRD8UA3nzTQ2FxyeZQ==,type:str]",
+ "https": "ENC[AES256_GCM,data:5lUNcA==,iv:VSAbJS3Pl36NLjJYAmUP9gYxR5Jb8jM8ka807z2dJX8=,tag:wKnYvt13JgWtu8C3adTqFA==,type:bool]",
+ "proxy": "ENC[AES256_GCM,data:A9HH,iv:BGXVa4aOsNjX0y1LLXLRDqx6k0CCW9U/poAKK8KBFs4=,tag:HMSXWIZrc9Ks8QxhLHGIVA==,type:str]"
+ },
+ "COMM_JSONCONFIG_facts_landing_url": {
+ "baseDomain": "ENC[AES256_GCM,data:NX+COqXbFbK1JuaWa7lJTXNCLTen,iv:C6+YAkU0oXxOQR8jz3NhFgGN1RWY8mLCARB7i+j15Uw=,tag:UFnDyJc4+6TDKJvMeg/4ng==,type:str]",
+ "basePath": "ENC[AES256_GCM,data:wA==,iv:AV1Ld5U7jdo7xie//iTZB+wjPibswDw3okLhDTqcuHI=,tag:XIiuMXzAGK975FAGA8ShSQ==,type:str]",
+ "baseRoutePath": "ENC[AES256_GCM,data:GA==,iv:19x9COVTcr5YXrIy03LQ8TQNl1KfWZxmK5IU5NDl/r4=,tag:0ZuqykTszTVcwLMV28FasA==,type:str]",
+ "https": "ENC[AES256_GCM,data:OrEisQ==,iv:3wy5MSzhB5Ti48J3evBsD6LwvH+u5TbHnLV1bChNJVI=,tag:1PPSHV8W4r1SvsSWAj4lNA==,type:bool]"
+ }
+ },
+ "webappLandingProdEnvVars": {
+ "COMM_JSONCONFIG_facts_webapp_url": {
+ "baseDomain": "ENC[AES256_GCM,data:PkQCRBTN+k3UmdWrJx5apl8swfo=,iv:PGEXm7BKR4mazT0O6bK0ZgYZ1N769olqxv+9MdIj06A=,tag:ISSpIZfTjBhkX7+jwxO5XQ==,type:str]",
+ "basePath": "ENC[AES256_GCM,data:Mg==,iv:k0mZrlNJvUFwJ0Nv0nnj/ngEBpcry22ygFUK0aIb7rs=,tag:P2QBvKphr3Nv1UFgX5gJyw==,type:str]",
+ "baseRoutePath": "ENC[AES256_GCM,data:Tg==,iv:m1NIh3/swrVhHDBXdKy0JApSTIx4Sv9+Yl3RZiBGcEI=,tag:UZgFVcZQwcAcpfP/KE395w==,type:str]",
+ "https": "ENC[AES256_GCM,data:enK/KA==,iv:GJNsCjVVE7ksFuOgTmed5/IOfAPY/G8Aap1rVxi3Ljc=,tag:/18SDiWCUW+4qKioUnxnPA==,type:bool]",
+ "proxy": "ENC[AES256_GCM,data:jwlb,iv:UB6TikOilAESBHMuD9+LIDmNZD4g24o2x0K1a+7xS0w=,tag:E6THOXGN4QMjlg29QW2vwQ==,type:str]"
+ },
+ "COMM_JSONCONFIG_facts_landing_url": {
+ "baseDomain": "ENC[AES256_GCM,data:dRsAlE/ZERqISxIx7P6aCg==,iv:SLM9tvU/sksjUtj8q6PipBSa8AUXFSwc6DS0P2nDxfE=,tag:xeiTBFC2uz2AXjbyXY7AuA==,type:str]",
+ "basePath": "ENC[AES256_GCM,data:sQ==,iv:Oz5g4GIyWDvVIigUtaqu3XZ9a4H8J8he0sH4ItmccIU=,tag:FdMzgGH7ZZqMWxubhMGDsA==,type:str]",
+ "baseRoutePath": "ENC[AES256_GCM,data:yA==,iv:C44lMkHqZvbzqU8whBp0Hym5AxizY0SKVfa4X7PwKj0=,tag:uZmMxA78hdQwKe2gzL5w6Q==,type:str]",
+ "https": "ENC[AES256_GCM,data:D1gRoQ==,iv:FshkmudzDrEedO51n206Z9RQHjJzXWpkfPe4Njk6pb8=,tag:KBSO1fnTX8vVKk5EV86Lnw==,type:bool]"
+ }
},
"sops": {
"kms": [
{
"arn": "arn:aws:kms:us-east-2:319076408221:key/2e54d528-50a2-489c-a4d7-d50c7c9f8303",
- "created_at": "2023-07-29T15:16:43Z",
- "enc": "AQICAHj+McP79InpW8dFM/rPPvaCljIlb0zq8qoMY/a2UlUSewFFXrO432X6dWZfZHFVsgoGAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM0LAEze794jBZIKO/AgEQgDuVcwyViTDZoLwGj5icgKlABQFeUofitRD9e19i3Q+0ZyT7sSQ/4t2GuxvVo4cVEIkHCgTNH2RXLoqzPA==",
+ "created_at": "2024-08-02T19:26:39Z",
+ "enc": "AQICAHj+McP79InpW8dFM/rPPvaCljIlb0zq8qoMY/a2UlUSewHIbR0u6/Kr+Ftbzjo/wFIxAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMTB0popV+0Y/hGcnaAgEQgDskdVFmVlQgvwzmF1rHHdoa3hVzOr4AovjpmYRiapGrSn8DUhyKKVh/LhH8M+dL3FDAp7mBoRA26facEg==",
"aws_profile": ""
}
],
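Review bot: The new `webappLandingEnvVars.COMM_JSONCONFIG_secrets_postmark.apiToken` appears to duplicate the existing `emailConfig.postmarkToken`. That is only an inference from the two ciphertexts having the same length, but if it holds, a rotation must touch two entries and can leave one stale. Keeping one entry and referencing it from both consumers would avoid that. Separately, the `*_url` facts (`baseDomain`, `basePath`, `baseRoutePath`, `https`, `proxy`) are encrypted alongside real credentials, so a reviewer cannot see which routing values this change introduces. If they are not sensitive, they could live as plain values in the Terraform locals, leaving only the `COMM_JSONCONFIG_secrets_*` entries in this file.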
@@ -30,10 +84,10 @@
"azure_kv": null,
"hc_vault": null,
"age": null,
- "lastmodified": "2023-09-12T09:29:09Z",
- "mac": "ENC[AES256_GCM,data:q0leMf7J7MBHoQQ6h82eT4xUsIHC6j1DKolRYn/USJsZ4+rt2EEICzD7J8tLUIzv2IqHnTV9hYMt+8Q0qAfOl87Z8VI0TwzXiAx3b2pdAfCheozz6vE1F/94XVz8S6v/YZpVGT9u1lwPISdXYfd/7QqK3u8hZJM/PVVn5djNcj8=,iv:pb1Ii6BfZMgz6S3R+xEehycArHeBz2wzNHJLms9Jby0=,tag:s8sCtTexTs7Qb6magRWzSw==,type:str]",
+ "lastmodified": "2024-08-02T19:26:39Z",
+ "mac": "ENC[AES256_GCM,data:S6LREk1Bahu+R92V+j6KBfmzb0GjjxXRQCHGoX8w7dDZHiDx+aTeag269vK+gfjZUwsGgMqYVuY5qBemj3j5Szcd9hHZ4t6sFN0XQ/jVhggRK3dlMwpNR7c4wmPNNlf/fj5q1NoNx3CItDkQlLL6kGkUFqOWJV7JHBZSRZxsYek=,iv:lYbRENzq+K6sjwQ/snwGe8GP2wR0ypgcTaz6XaJLtZs=,tag:hG9AOht9XEwtjTm5bfLV8Q==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
- "version": "3.7.3"
+ "version": "3.8.1"
}
}
diff --git a/services/terraform/remote/service_webapp.tf b/services/terraform/remote/service_webapp.tf
new file mode 100644
--- /dev/null
+++ b/services/terraform/remote/service_webapp.tf
@@ -0,0 +1,54 @@
+locals {
+ webapp_image_tag = "1.0.103"
+ webapp_service_image = "commapp/keyserver:${local.webapp_image_tag}"
+ webapp_container_name = "webapp"
+
+ webapp_run_server_config = jsonencode({
+ runKeyserver = false
+ runWebApp = true
+ runLanding = false
+ })
+
+ webapp_landing_environment_vars = local.secrets["webappLandingEnvVars"]
+
+ webapp_landing_environment_vars_encoded = {
+ for key, value in local.webapp_landing_environment_vars : key => jsonencode(value)
+ }
+
+ stage_specific_environment_vars = (local.is_staging ?
+ local.secrets["webappLandingStagingEnvVars"] :
+ local.secrets["webappLandingProdEnvVars"])
+
+ stage_specific_environment_vars_encoded = {
+ for key, value in local.stage_specific_environment_vars : key => jsonencode(value)
+ }
+
+ webapp_environment_vars = merge(
+ local.webapp_landing_environment_vars_encoded,
+ local.stage_specific_environment_vars_encoded,
+ {
+ "COMM_LISTEN_ADDR" = "0.0.0.0",
+ "COMM_NODE_ROLE" = "webapp",
+ "COMM_JSONCONFIG_facts_run_server_config" = local.webapp_run_server_config
+ })
+}
+
+module "webapp_service" {
+ source = "../modules/keyserver_node_service"
+
+ container_name = "webapp"
+ image = local.webapp_service_image
+ service_name = "webapp"
+ cluster_id = aws_ecs_cluster.comm_services.id
+ domain_name = local.is_staging ? "comm.software" : "web.comm.app"
+ vpc_id = aws_vpc.default.id
+ vpc_subnets = [aws_subnet.public_a.id, aws_subnet.public_b.id]
+ region = "us-east-2"
+ environment_vars = local.webapp_environment_vars
+ ecs_task_role_arn = aws_iam_role.keyserver_node_ecs_task_role.arn
+ ecs_task_execution_role_arn = aws_iam_role.ecs_task_execution.arn
+}
+
+output "webapp_service_load_balancer_dns_name" {
+ value = module.webapp_service.service_load_balancer_dns_name
+}
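Review bot: `webapp_environment_vars` merges decrypted SOPS values (`COMM_JSONCONFIG_secrets_alchemy`, `..._walletconnect`, `..._postmark`, `..._neynar`, `..._geoip_license`) into `environment_vars`. The `keyserver_node_service` module is not visible here, but if it places them in the container definition's `environment` list, the credentials are stored in plaintext in the ECS task definition and in Terraform state, readable by any principal allowed to describe the task definition. Consider passing the `COMM_JSONCONFIG_secrets_*` entries through the container definition's `secrets` field with a `valueFrom` reference to Secrets Manager or SSM Parameter Store, and keeping only the `facts` entries in `environment_vars`. Also, `local.webapp_container_name` is defined but unused, since the module call hard-codes the value; use `container_name = local.webapp_container_name`.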
