D12928.id42922.diff
diff --git a/.dockerignore b/.dockerignore
--- a/.dockerignore
+++ b/.dockerignore
@@ -45,6 +45,7 @@
services/reports/email-config.json
services/terraform/self-host/*.env
services/terraform/self-host/*.env.*
+services/terraform/remote/*.env
native/cpp/**/build
diff --git a/.sops.yaml b/.sops.yaml
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -4,3 +4,6 @@
kms: 'arn:aws:kms:us-east-2:319076408221:key/2e54d528-50a2-489c-a4d7-d50c7c9f8303'
# We can potentially re-use this KMS key for other SOPS-encrypted files
# by either copying the 'kms' value or modifying the path regex
+ # Terraform WebApp and Landing env file
+ - path_regex: services/terraform/remote/.env\.enc$
+ kms: 'arn:aws:kms:us-east-2:319076408221:key/2e54d528-50a2-489c-a4d7-d50c7c9f8303'
diff --git a/services/terraform/remote/.env.enc b/services/terraform/remote/.env.enc
new file mode 100644
--- /dev/null
+++ b/services/terraform/remote/.env.enc
@@ -0,0 +1,22 @@
+{
+ "data": "ENC[AES256_GCM,data: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,iv:cRws5u96gPiksTohYu8hrPvh1WM2iWklH2+zZr1ZoDc=,tag:FBPAhEsiC5mJ5fjmvW/04w==,type:str]",
+ "sops": {
+ "kms": [
+ {
+ "arn": "arn:aws:kms:us-east-2:319076408221:key/2e54d528-50a2-489c-a4d7-d50c7c9f8303",
+ "created_at": "2024-07-30T02:36:19Z",
+ "enc": "AQICAHj+McP79InpW8dFM/rPPvaCljIlb0zq8qoMY/a2UlUSewHIBpm7ei2INoXwEsK7J8ZaAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMYiRTiZIodjCLPggLAgEQgDvTv+Ktd1LyxzScJeRuon0J+srPn/7ubHXyr8I56nD2hO6hgrqG4+DSdPixbppNAc6VApwLCqJBBWsXxQ==",
+ "aws_profile": ""
+ }
+ ],
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2024-07-30T02:36:19Z",
+ "mac": "ENC[AES256_GCM,data:SWTFWuXqspfHpPkiOuvuaWmpQpM89oqByE96MQjL6/8ox8HmnODHI0JzoiSnhque67BZlkKVEodoRpC/Y+EcnFq7pBWF0NfDxtWKpWcOgYPEyh+xqrKeqsUodVAOvgM6IoLgkkzuztHyO5PdnelqyR4EIHdqLhtfGZzDmF0X3SE=,iv:4t90LN2/NRjdZkEXhc+LD1td7Ly6rRpqPaDp5V9czxA=,tag:iBitiOkJjKALN37+rpC8AQ==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.8.1"
+ }
+}
diff --git a/services/terraform/remote/.gitignore b/services/terraform/remote/.gitignore
--- a/services/terraform/remote/.gitignore
+++ b/services/terraform/remote/.gitignore
@@ -5,6 +5,9 @@
*.tfstate
*.tfstate.*
+# Dotenv
+.env
+
# Crash log files
crash.log
crash.*.log
diff --git a/services/terraform/remote/.terraform.lock.hcl b/services/terraform/remote/.terraform.lock.hcl
--- a/services/terraform/remote/.terraform.lock.hcl
+++ b/services/terraform/remote/.terraform.lock.hcl
@@ -17,6 +17,29 @@
]
}
+provider "registry.terraform.io/germanbrew/dotenv" {
+ version = "1.1.2"
+ constraints = "1.1.2"
+ hashes = [
+ "h1:rbzMuE2/HHDvrVRUaHabvG5c7y2TMfyoBl4ZOpp0mPw=",
+ "zh:179e7f19a66205b74b76d76dffc20287a03c68c76356bc9b894d52bf7702767d",
+ "zh:22f772f4380cb5cde5e3751dc47920c99943aa99f661b123f11bb6022471e976",
+ "zh:269a023043bd1cd4a6e231e9394d27ebf93df5e0a08751b4e18ff1a745e58cf4",
+ "zh:2b41bfbfb615a5ecbc1bfc195262e1dedf0e8d59ddae2995dbc308c2fb0fe62c",
+ "zh:3eeaa46fcf39719ff499b5b7d03dee4b7bfadd5f81549288c4d2640b4e6c3581",
+ "zh:4d428dc138bdebc69eecc53b2a87d7b7bfa485d3d6b7a651c8f1e97bc4408efc",
+ "zh:5870a658b75e8909e60beaacbbe9d42f957596a034af6e0d9e1780f96ee09e13",
+ "zh:7a7eb852fdad76077429b6bc624858df13a7e0571d7f9ee3ad6512b811ca5438",
+ "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f",
+ "zh:954b97dc6a3d84c637ceb3ab0b0f1b6eacf68200da62871b41c58c2356d2b722",
+ "zh:9ba67c1edfb9f4c83e0532c151fa3c1d13169e467b065d63465712f2050952a3",
+ "zh:a55998a075527c36fb4d8a9224c04b10383c8eabe0b8e9c3283c1e527bd9d2b8",
+ "zh:afa596b5103275ba75dd248bee68349de3ca535a3f8e28d95de8c52e42e438b3",
+ "zh:dc5312c982d3e24eab579f94f5b395b57fd65536369f6bcc8b3fd0f4bc78bdd0",
+ "zh:ea4c5db0d92a6e157ac84e7221da1dc42031d143418d3b719f8c7cbfc2a616d3",
+ ]
+}
+
provider "registry.terraform.io/hashicorp/aws" {
version = "5.7.0"
constraints = ">= 4.67.0, ~> 5.7.0"
@@ -41,6 +64,25 @@
]
}
+provider "registry.terraform.io/hashicorp/null" {
+ version = "3.2.2"
+ hashes = [
+ "h1:IMVAUHKoydFrlPrl9OzasDnw/8ntZFerCC9iXw1rXQY=",
+ "zh:3248aae6a2198f3ec8394218d05bd5e42be59f43a3a7c0b71c66ec0df08b69e7",
+ "zh:32b1aaa1c3013d33c245493f4a65465eab9436b454d250102729321a44c8ab9a",
+ "zh:38eff7e470acb48f66380a73a5c7cdd76cc9b9c9ba9a7249c7991488abe22fe3",
+ "zh:4c2f1faee67af104f5f9e711c4574ff4d298afaa8a420680b0cb55d7bbc65606",
+ "zh:544b33b757c0b954dbb87db83a5ad921edd61f02f1dc86c6186a5ea86465b546",
+ "zh:696cf785090e1e8cf1587499516b0494f47413b43cb99877ad97f5d0de3dc539",
+ "zh:6e301f34757b5d265ae44467d95306d61bef5e41930be1365f5a8dcf80f59452",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:913a929070c819e59e94bb37a2a253c228f83921136ff4a7aa1a178c7cce5422",
+ "zh:aa9015926cd152425dbf86d1abdbc74bfe0e1ba3d26b3db35051d7b9ca9f72ae",
+ "zh:bb04798b016e1e1d49bcc76d62c53b56c88c63d6f2dfe38821afef17c416a0e1",
+ "zh:c23084e1b23577de22603cff752e59128d83cfecc2e6819edadd8cf7a10af11e",
+ ]
+}
+
provider "registry.terraform.io/hashicorp/random" {
version = "3.5.1"
constraints = "3.5.1"
diff --git a/services/terraform/remote/aws_iam.tf b/services/terraform/remote/aws_iam.tf
--- a/services/terraform/remote/aws_iam.tf
+++ b/services/terraform/remote/aws_iam.tf
@@ -70,6 +70,17 @@
}
}
+# Role with allow ecs exec
+resource "aws_iam_role" "ecs_task_role" {
+ name = "ecs-iam_role"
+ description = "Allows to SSH into ECS containers"
+ assume_role_policy = data.aws_iam_policy_document.assume_role_ecs_ec2.json
+
+ managed_policy_arns = [
+ aws_iam_policy.allow_ecs_exec.arn,
+ ]
+}
+
# Allows ECS Exec to SSH into service task containers
resource "aws_iam_policy" "allow_ecs_exec" {
name = "allow-ecs-exec"
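Review bot: The `description` on the new `ecs_task_role` says it allows SSH into ECS containers, but ECS Exec establishes sessions through SSM Session Manager rather than SSH, so the text misdescribes the access being granted; suggest `description = "Allows ECS Exec (SSM) sessions into service task containers"`. The `name = "ecs-iam_role"` mixes a hyphen and an underscore, unlike the sibling `allow-ecs-exec` policy name in the same file. As far as I recall, newer AWS provider 5.x releases mark `managed_policy_arns` as deprecated in favor of a separate `aws_iam_role_policy_attachment` resource, which would also be the more future-proof shape here. Both `data.aws_iam_policy_document.assume_role_ecs_ec2` and the body of the `allow_ecs_exec` policy are outside this hunk, so the effective permission scope of the role cannot be judged from it.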
diff --git a/services/terraform/remote/env.tf b/services/terraform/remote/env.tf
new file mode 100644
--- /dev/null
+++ b/services/terraform/remote/env.tf
@@ -0,0 +1,20 @@
+resource "null_resource" "create_env_file" {
+ provisioner "local-exec" {
+ interpreter = ["bash", "-c"]
+ command = <<EOT
+ sops -d ${path.module}/.env.enc > ${path.module}/.env
+ EOT
+ }
+
+ triggers = {
+ # Trigger if the .env.enc file changes
+ env_enc_checksum = filemd5("${path.module}/.env.enc")
+ # Triggers if dev doesn't have the .env file decrypted from .env.enc
+ env_not_exists = fileexists("${path.module}/.env")
+ }
+}
+
+# Use null_resource to ensure the dotenv provider uses the file
+data "dotenv" "local" {
+ depends_on = [null_resource.create_env_file]
+}
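Review bot: The `local-exec` command redirects the decrypted secrets into `.env` under the operator's default umask, so the plaintext file is typically created readable by other local users, and a failed `sops -d` (for example missing KMS access) still leaves an empty `.env` behind because the redirection opens the file first. Suggest starting the script with `set -euo pipefail` and `umask 077`, and quoting the paths: `sops -d "${path.module}/.env.enc" > "${path.module}/.env"`. `filemd5` is acceptable for change detection since it is not a security boundary, though `filesha256` is the more common idiom for triggers. The `data "dotenv" "local"` block names no file, so which `.env` it reads presumably depends on the provider's default (likely the working directory rather than `${path.module}`) — worth confirming against the provider docs.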
diff --git a/services/terraform/remote/providers.tf b/services/terraform/remote/providers.tf
--- a/services/terraform/remote/providers.tf
+++ b/services/terraform/remote/providers.tf
@@ -14,5 +14,10 @@
source = "hashicorp/random"
version = "3.5.1"
}
+
+ dotenv = {
+ source = "germanbrew/dotenv"
+ version = "1.1.2"
+ }
}
}
diff --git a/services/terraform/remote/service_webapp.tf b/services/terraform/remote/service_webapp.tf
new file mode 100644
--- /dev/null
+++ b/services/terraform/remote/service_webapp.tf
@@ -0,0 +1,37 @@
+locals {
+ webapp_image_tag = "1.0.102"
+ webapp_service_image = "commapp/keyserver:${local.webapp_image_tag}"
+ webapp_container_name = "webapp"
+
+ webapp_run_server_config = jsonencode({
+ runKeyserver = false
+ runWebApp = true
+ runLanding = false
+ })
+
+ webapp_environment_vars = merge(data.dotenv.local.entries,
+ {
+ "COMM_NODE_ROLE" = "webapp",
+ "COMM_JSONCONFIG_facts_run_server_config" = local.webapp_run_server_config
+ })
+}
+
+module "webapp_service" {
+ source = "../modules/node_service"
+
+ container_name = "webapp"
+ image = local.webapp_service_image
+ service_name = "webapp"
+ cluster_id = aws_ecs_cluster.comm_services.id
+ domain_name = local.is_staging ? "comm.software" : "web.comm.app"
+ vpc_id = aws_vpc.default.id
+ vpc_subnets = [aws_subnet.public_a.id, aws_subnet.public_b.id]
+ region = "us-east-2"
+ environment_vars = local.webapp_environment_vars
+ ecs_task_role_arn = aws_iam_role.ecs_task_role.arn
+ ecs_task_execution_role_arn = aws_iam_role.ecs_task_execution.arn
+}
+
+output "webapp_service_load_balancer_dns_name" {
+ value = module.webapp_service.service_load_balancer_dns_name
+}
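Review bot: `local.webapp_container_name` is declared in the `locals` block but never used; the module call passes the literal `"webapp"` for `container_name` (and again for `service_name`), so either reference it, `container_name = local.webapp_container_name`, or drop the local. Every entry of the decrypted dotenv file is merged into `environment_vars`, which means all of those values end up in plaintext in the ECS task definition and in Terraform state, readable by anything with `ecs:DescribeTaskDefinition` or state access; values that are genuine secrets would be better supplied as SSM Parameter Store or Secrets Manager references if the `node_service` module supports that, and at minimum wrapping the merged local in `sensitive()` keeps them out of plan output. The hard-coded `region = "us-east-2"` duplicates what the provider configuration presumably already fixes, so a shared local or `data.aws_region` would avoid drift between the two. The `../modules/node_service` module is outside this hunk.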
D12928: [keyserver] Run webapp through comm services cluster