
D12928.id42920.diff

diff --git a/.dockerignore b/.dockerignore
--- a/.dockerignore
+++ b/.dockerignore
@@ -45,6 +45,7 @@
services/reports/email-config.json
services/terraform/self-host/*.env
services/terraform/self-host/*.env.*
+services/terraform/remote/*.env
native/cpp/**/build
diff --git a/.sops.yaml b/.sops.yaml
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -4,3 +4,6 @@
kms: 'arn:aws:kms:us-east-2:319076408221:key/2e54d528-50a2-489c-a4d7-d50c7c9f8303'
# We can potentially re-use this KMS key for other SOPS-encrypted files
# by either copying the 'kms' value or modifying the path regex
+ # Terraform WebApp and Landing env file
+ - path_regex: services/terraform/remote/.env\.enc$
+ kms: 'arn:aws:kms:us-east-2:319076408221:key/2e54d528-50a2-489c-a4d7-d50c7c9f8303'
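Review bot: The new creation rule's `path_regex` leaves the dot in `.env` unescaped, so `services/terraform/remote/.env\.enc$` also matches a file named, say, `services/terraform/remote/xenv.enc`; escape it and anchor the start, `path_regex: ^services/terraform/remote/\.env\.enc$`, so the rule only ever selects the one file it is meant to cover. The page rendering has dropped the YAML indentation, so whether the new `- path_regex` item is nested under `creation_rules` at the same level as the existing rule cannot be confirmed here.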
diff --git a/services/terraform/remote/.env.enc b/services/terraform/remote/.env.enc
new file mode 100644
--- /dev/null
+++ b/services/terraform/remote/.env.enc
@@ -0,0 +1,22 @@
+{
+ "data": "ENC[AES256_GCM,data:BgT5dpp4ooubzbNtqg03j+7CuJSUcTyO2b0LCr+UtszYDDVTHd9o8GbtUxSSLRMWZf8qaK1Cny/ex2ng737R6gZwwfXpvlTsuM91fDLD/0nCOCWcBYB7UXL6OrajWYOSO8s1sYYYc2WEj4qfHRhv0YQwEhePIAyoGC+TkLP7rcxDEeALXF7sNjtRHc3umMpbtJlOW6ZPEogWgMLzEE7CazjqYGsmB+pwFgYpRy1YQmcgbF0bDfnhlwP3BfYNVsNA+n+d6fsNpPnns/NiFiu6NeMVdaSAG3AGqHri3gcKUDgnf2aVq2KdCwPUAq/uhptduJwKaOdpH5raSR+242U0Sj9zTaWU2UiDpql6crZo6UhLr15u+ktbYc6KMXgJyJXNWmQCuRw0Jw1sn1nvKkpiLfPLmIZWEx76cmY1E2UKW9TNLcmaLHHTNeuf0MnaUF4EAtQyIp9Kx9Sfrw05vmlNJG2GHLkdpI9XioJSnTQYAS2n3+Hj2nZntEay3XVUbDP6OArZVdnoaCCf1ulYiRAzuK3ZUYbP9T6NVX8ziaAG+aSxCkfLQGuT6XBwo3qDLPF6kEVG8QV7Sx6K0kDJzEgLR5dCPFiBaxdpqvUYCxx7/zRXm9zPrFa/n0sOIUELZln6qplL+T/jAWZqBRzPusnoUTbSKdasExViqCkLZF97Yt4nbe/9c93YYKGpLV+yKwlgC4zrvRonvIDkDCajnT6yN3Kf8xQLEvyyQYik8+JOvRBRmx2Sd0XESK6afUESHjOl1NwDu3dFYRtn9CmiS3asRhMi4qg=,iv:cRws5u96gPiksTohYu8hrPvh1WM2iWklH2+zZr1ZoDc=,tag:FBPAhEsiC5mJ5fjmvW/04w==,type:str]",
+ "sops": {
+ "kms": [
+ {
+ "arn": "arn:aws:kms:us-east-2:319076408221:key/2e54d528-50a2-489c-a4d7-d50c7c9f8303",
+ "created_at": "2024-07-30T02:36:19Z",
+ "enc": "AQICAHj+McP79InpW8dFM/rPPvaCljIlb0zq8qoMY/a2UlUSewHIBpm7ei2INoXwEsK7J8ZaAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMYiRTiZIodjCLPggLAgEQgDvTv+Ktd1LyxzScJeRuon0J+srPn/7ubHXyr8I56nD2hO6hgrqG4+DSdPixbppNAc6VApwLCqJBBWsXxQ==",
+ "aws_profile": ""
+ }
+ ],
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2024-07-30T02:36:19Z",
+ "mac": "ENC[AES256_GCM,data:SWTFWuXqspfHpPkiOuvuaWmpQpM89oqByE96MQjL6/8ox8HmnODHI0JzoiSnhque67BZlkKVEodoRpC/Y+EcnFq7pBWF0NfDxtWKpWcOgYPEyh+xqrKeqsUodVAOvgM6IoLgkkzuztHyO5PdnelqyR4EIHdqLhtfGZzDmF0X3SE=,iv:4t90LN2/NRjdZkEXhc+LD1td7Ly6rRpqPaDp5V9czxA=,tag:iBitiOkJjKALN37+rpC8AQ==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.8.1"
+ }
+}
diff --git a/services/terraform/remote/.gitignore b/services/terraform/remote/.gitignore
--- a/services/terraform/remote/.gitignore
+++ b/services/terraform/remote/.gitignore
@@ -5,6 +5,9 @@
*.tfstate
*.tfstate.*
+# Dotenv
+.env
+
# Crash log files
crash.log
crash.*.log
diff --git a/services/terraform/remote/.terraform.lock.hcl b/services/terraform/remote/.terraform.lock.hcl
--- a/services/terraform/remote/.terraform.lock.hcl
+++ b/services/terraform/remote/.terraform.lock.hcl
@@ -17,6 +17,29 @@
]
}
+provider "registry.terraform.io/germanbrew/dotenv" {
+ version = "1.1.2"
+ constraints = "1.1.2"
+ hashes = [
+ "h1:rbzMuE2/HHDvrVRUaHabvG5c7y2TMfyoBl4ZOpp0mPw=",
+ "zh:179e7f19a66205b74b76d76dffc20287a03c68c76356bc9b894d52bf7702767d",
+ "zh:22f772f4380cb5cde5e3751dc47920c99943aa99f661b123f11bb6022471e976",
+ "zh:269a023043bd1cd4a6e231e9394d27ebf93df5e0a08751b4e18ff1a745e58cf4",
+ "zh:2b41bfbfb615a5ecbc1bfc195262e1dedf0e8d59ddae2995dbc308c2fb0fe62c",
+ "zh:3eeaa46fcf39719ff499b5b7d03dee4b7bfadd5f81549288c4d2640b4e6c3581",
+ "zh:4d428dc138bdebc69eecc53b2a87d7b7bfa485d3d6b7a651c8f1e97bc4408efc",
+ "zh:5870a658b75e8909e60beaacbbe9d42f957596a034af6e0d9e1780f96ee09e13",
+ "zh:7a7eb852fdad76077429b6bc624858df13a7e0571d7f9ee3ad6512b811ca5438",
+ "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f",
+ "zh:954b97dc6a3d84c637ceb3ab0b0f1b6eacf68200da62871b41c58c2356d2b722",
+ "zh:9ba67c1edfb9f4c83e0532c151fa3c1d13169e467b065d63465712f2050952a3",
+ "zh:a55998a075527c36fb4d8a9224c04b10383c8eabe0b8e9c3283c1e527bd9d2b8",
+ "zh:afa596b5103275ba75dd248bee68349de3ca535a3f8e28d95de8c52e42e438b3",
+ "zh:dc5312c982d3e24eab579f94f5b395b57fd65536369f6bcc8b3fd0f4bc78bdd0",
+ "zh:ea4c5db0d92a6e157ac84e7221da1dc42031d143418d3b719f8c7cbfc2a616d3",
+ ]
+}
+
provider "registry.terraform.io/hashicorp/aws" {
version = "5.7.0"
constraints = ">= 4.67.0, ~> 5.7.0"
@@ -41,6 +64,25 @@
]
}
+provider "registry.terraform.io/hashicorp/null" {
+ version = "3.2.2"
+ hashes = [
+ "h1:IMVAUHKoydFrlPrl9OzasDnw/8ntZFerCC9iXw1rXQY=",
+ "zh:3248aae6a2198f3ec8394218d05bd5e42be59f43a3a7c0b71c66ec0df08b69e7",
+ "zh:32b1aaa1c3013d33c245493f4a65465eab9436b454d250102729321a44c8ab9a",
+ "zh:38eff7e470acb48f66380a73a5c7cdd76cc9b9c9ba9a7249c7991488abe22fe3",
+ "zh:4c2f1faee67af104f5f9e711c4574ff4d298afaa8a420680b0cb55d7bbc65606",
+ "zh:544b33b757c0b954dbb87db83a5ad921edd61f02f1dc86c6186a5ea86465b546",
+ "zh:696cf785090e1e8cf1587499516b0494f47413b43cb99877ad97f5d0de3dc539",
+ "zh:6e301f34757b5d265ae44467d95306d61bef5e41930be1365f5a8dcf80f59452",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:913a929070c819e59e94bb37a2a253c228f83921136ff4a7aa1a178c7cce5422",
+ "zh:aa9015926cd152425dbf86d1abdbc74bfe0e1ba3d26b3db35051d7b9ca9f72ae",
+ "zh:bb04798b016e1e1d49bcc76d62c53b56c88c63d6f2dfe38821afef17c416a0e1",
+ "zh:c23084e1b23577de22603cff752e59128d83cfecc2e6819edadd8cf7a10af11e",
+ ]
+}
+
provider "registry.terraform.io/hashicorp/random" {
version = "3.5.1"
constraints = "3.5.1"
diff --git a/services/terraform/remote/aws_iam.tf b/services/terraform/remote/aws_iam.tf
--- a/services/terraform/remote/aws_iam.tf
+++ b/services/terraform/remote/aws_iam.tf
@@ -70,6 +70,17 @@
}
}
+# Role with allow ecs exec
+resource "aws_iam_role" "ecs_task_role" {
+ name = "ecs-iam_role"
+ description = "Allows to SSH into ECS containers"
+ assume_role_policy = data.aws_iam_policy_document.assume_role_ecs_ec2.json
+
+ managed_policy_arns = [
+ aws_iam_policy.allow_ecs_exec.arn,
+ ]
+}
+
# Allows ECS Exec to SSH into service task containers
resource "aws_iam_policy" "allow_ecs_exec" {
name = "allow-ecs-exec"
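Review bot: The description on the new `ecs_task_role` is misleading: ECS Exec opens an SSM Session Manager channel into the container rather than SSH, and the same wording is in the `allow_ecs_exec` comment just below (whose resource body continues outside the hunk); suggest `description = "Task role that lets ECS Exec (SSM session) into the service's task containers"` and a matching `# Task role granting ECS Exec` header comment. The role reuses `data.aws_iam_policy_document.assume_role_ecs_ec2`, defined outside the hunk; if that trust policy also lists `ec2.amazonaws.com`, this task role becomes assumable through EC2 instance profiles as well, whereas a task role normally needs to trust only `ecs-tasks.amazonaws.com` — worth checking before anything depends on it. The name `ecs-iam_role` mixes `-` and `_`; since the role is new, `ecs-task-role` would match the `allow-ecs-exec` naming at no migration cost.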
diff --git a/services/terraform/remote/providers.tf b/services/terraform/remote/providers.tf
--- a/services/terraform/remote/providers.tf
+++ b/services/terraform/remote/providers.tf
@@ -14,5 +14,10 @@
source = "hashicorp/random"
version = "3.5.1"
}
+
+ dotenv = {
+ source = "germanbrew/dotenv"
+ version = "1.1.2"
+ }
}
}
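Review bot: Only `dotenv` is added to `required_providers`, yet the new `service_webapp.tf` in this diff uses `null_resource`, and the lock-file entry for `hashicorp/null` added in the same diff carries no `constraints` line — consistent with the provider being resolved implicitly rather than pinned. Declare it next to `dotenv`, e.g. `null = { source = "hashicorp/null", version = "3.2.2" }`, so the selected version is explicit and `terraform init` fails loudly if it drifts. The enclosing `terraform` block starts outside the hunk.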
diff --git a/services/terraform/remote/service_webapp.tf b/services/terraform/remote/service_webapp.tf
new file mode 100644
--- /dev/null
+++ b/services/terraform/remote/service_webapp.tf
@@ -0,0 +1,58 @@
+locals {
+ webapp_image_tag = "1.0.102"
+ webapp_service_image = "commapp/keyserver:${local.webapp_image_tag}"
+ webapp_container_name = "webapp"
+
+ webapp_run_server_config = jsonencode({
+ runKeyserver = false
+ runWebApp = true
+ runLanding = false
+ })
+
+ webapp_environment_vars = merge(data.dotenv.local.entries,
+ {
+ "COMM_NODE_ROLE" = "webapp",
+ "COMM_JSONCONFIG_facts_run_server_config" = local.webapp_run_server_config
+ })
+}
+
+resource "null_resource" "create_env_file" {
+ provisioner "local-exec" {
+ interpreter = ["bash", "-c"]
+ command = <<EOT
+ sops -d ${path.module}/.env.enc > ${path.module}/.env
+ EOT
+ }
+
+ triggers = {
+ # Trigger if the .env.enc file changes
+ env_enc_checksum = filemd5("${path.module}/.env.enc")
+ # Triggers if dev doesn't have the .env file decrypted from .env.enc
+ env_not_exists = fileexists("${path.module}/.env")
+ }
+}
+
+# Use null_resource to ensure the dotenv provider uses the file
+data "dotenv" "local" {
+ depends_on = [null_resource.create_env_file]
+}
+
+module "webapp_service" {
+ source = "../modules/node_service"
+
+ container_name = "webapp"
+ image = local.webapp_service_image
+ service_name = "webapp"
+ cluster_id = aws_ecs_cluster.comm_services.id
+ domain_name = local.is_staging ? "comm.software" : "web.comm.app"
+ vpc_id = aws_vpc.default.id
+ vpc_subnets = [aws_subnet.public_a.id, aws_subnet.public_b.id]
+ region = "us-east-2"
+ environment_vars = local.webapp_environment_vars
+ ecs_task_role_arn = aws_iam_role.ecs_task_role.arn
+ ecs_task_execution_role_arn = aws_iam_role.ecs_task_execution.arn
+}
+
+output "webapp_service_load_balancer_dns_name" {
+ value = module.webapp_service.service_load_balancer_dns_name
+}
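Review bot: `local.webapp_environment_vars` merges every entry of the decrypted `.env` into `environment_vars`, so the values that `sops` protects at rest end up in plaintext in the Terraform state, in plan output, and in the ECS task definition, where anyone with `ecs:DescribeTaskDefinition` can read them. At minimum wrap the data as `sensitive(data.dotenv.local.entries)` so plan and `output` redact it (state still holds it); if the `node_service` module can be extended, the secret entries would be better delivered through the task definition's `secrets` block from Secrets Manager or SSM Parameter Store than through `environment`. Separately, the trigger named `env_not_exists` is assigned `fileexists(...)`, which is true when the file does exist, so the name inverts its value — `env_exists = fileexists("${path.module}/.env")` reads correctly and behaves the same. `data "dotenv" "local"` passes no filename, so which path the provider falls back to cannot be confirmed from the hunk; stating it explicitly would make the dependency on the `local-exec` output obvious.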
