feat: push to new account

byu-oit · Apr 23, 2024 · 2303910 · 2303910
1 parent b940adc
commit 2303910
Show file tree

Hide file tree

Showing 18 changed files with 190 additions and 256 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -22,14 +22,14 @@ jobs:
           matrix='{
             "env":[
               {
-                "aws_account":"632558792265",
+                "aws_account":"637423550675",
                 "aws_gha_role":"web-cdn-dev-gha",
                 "rfc_key_name":"standard_change_sandbox_client_key",
                 "rfc_secret_name":"standard_change_sandbox_client_secret",
                 "rfc_template_id":"Codepipeline-Standard-Change",
-                "assembler_ecr_repo_name" : "cdn-terraform-assembler-dev",
-                "webhooks_ecr_repo_name" : "cdn-terraform-webhooks-dev",
-                "log_sorter_ecr_repo_name" : "cdn-terraform-log-sorter-dev",
+                "assembler_ecr_repo_name" : "web-cdn-dev-terraform-assembler-dev",
+                "webhooks_ecr_repo_name" : "web-cdn-dev-terraform-webhooks-dev",
+                "log_sorter_ecr_repo_name" : "web-cdn-dev-terraform-log-sorter",
                 "tf_working_dir":"./iac/dev/app"
               }
             ]
@@ -48,9 +48,9 @@ jobs:
                 "rfc_key_name":"standard_change_production_client_key",
                 "rfc_secret_name":"standard_change_production_client_secret",
                 "rfc_template_id":"Codepipeline-Standard-Change",
-                "assembler_ecr_repo_name" : "cdn-terraform-assembler-prd",
-                "webhooks_ecr_repo_name" : "cdn-terraform-webhooks-dev",
-                "log_sorter_ecr_repo_name" : "cdn-terraform-log-sorter-prd"
+                "assembler_ecr_repo_name" : "web-cdn-dev-terraform-assembler-prd",
+                "webhooks_ecr_repo_name" : "web-cdn-dev-terraform-webhooks-dev",
+                "log_sorter_ecr_repo_name" : "web-cdn-dev-terraform-log-sorter-prd"
                 "tf_working_dir":"./iac/prd/app"
               }
             ]
@@ -89,14 +89,22 @@ jobs:
         with:
           node-version: ${{ env.node_version }}
 
+      # this is necessary because Lambda@Edge functions cannot be pulled from AWS ECR, so we cannot use a Dockerfile to deploy :(
+      # this step installs the node_modules for the lambda, the terraform apply zips it up
+      # see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-at-edge-function-restrictions.html
       - name: npm install in enhanced-headers
         working-directory:  edge-lambdas/enhanced-headers
         run: npm ci --prefer-offline
 
+      # this is necessary because Lambda@Edge functions cannot be pulled from AWS ECR, so we cannot use a Dockerfile to deploy :(
+      # this step installs the node_modules for the lambda, the terraform apply zips it up
+      # see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-at-edge-function-restrictions.html
       - name: npm install in eager-redirect
         working-directory: edge-lambdas/eager-redirect
         run: npm ci --prefer-offline
 
+      # both the webhook (assembler trigger) lambda and the assembler need this file, but in order to keep the context of our docker builds simple, we copy it into both places here
+      # a better implementation of the webhook lambda might not need the main-config.yml file if we authenticated the github repos calling the lambda in a better way, but that is beyond the scope of the current work
       - name: Copy main-config.yml to /webhooks and /assembler
         run: cp ./main-config.yml ./assembler/main-config.yml && cp ./main-config.yml ./webhooks/main-config.yml
 
@@ -132,7 +140,7 @@ jobs:
         uses: docker/build-push-action@v3
         with:
           context: log-analyzer/sorter-lambda
-          provenance: false
+          provenance: false  # see https://github.com/orgs/byu-oit/discussions/56
           push: true
           tags: ${{ env.ANALYZER_ECR_REGISTRY }}/${{ env.ANALYZER_ECR_REPO }}:${{ env.ANALYZER_IMAGE_TAG }}
           cache-from: type=gha
@@ -146,7 +154,7 @@ jobs:
         uses: docker/build-push-action@v3
         with:
           context: webhooks
-          provenance: false
+          provenance: false # see https://github.com/orgs/byu-oit/discussions/56
           push: true
           tags: ${{ env.WEBHOOKS_ECR_REGISTRY }}/${{ env.WEBHOOKS_ECR_REPO }}:${{ env.WEBHOOKS_IMAGE_TAG }}
           cache-from: type=gha

diff --git a/assembler/src/util/load-github-credentials.js b/assembler/src/util/load-github-credentials.js
@@ -57,27 +57,3 @@ async function fromLocalFile() {
 function fromEnvironment() {
   return {user: process.env.GITHUB_USER, token: process.env.GITHUB_TOKEN};
 }
-
-async function fromParameterStore(env) {
-    let prefix = `cdn-terraform/${env}`;
-    let userParam = `${prefix}/github.user`;
-    let tokenParam = `${prefix}/github.token`;
-
-    let data = await ssm.getParameters({
-        Names: [
-            userParam, tokenParam
-        ],
-        WithDecryption: true
-    }).promise();
-
-    let invalid = data.InvalidParameters;
-    if (invalid && invalid.length > 0) {
-        log.warn(`Unable to look up Github credentials from AWS SSM: Invalid Parameters ${invalid.join(', ')}`);
-        return null;
-    }
-
-    let user = data.Parameters.find(val => val.Name === userParam);
-    let token = data.Parameters.find(val => val.Name === tokenParam);
-
-    return {user: user.Value, token: token.Value};
-}
diff --git a/iac/dev/app/main.tf b/iac/dev/app/main.tf
@@ -1,8 +1,8 @@
 terraform {
   required_version = "1.4.5"
   backend "s3" {
-    bucket         = "terraform-state-storage-632558792265"
-    dynamodb_table = "terraform-state-lock-632558792265"
+    bucket         = "terraform-state-storage-637423550675"
+    dynamodb_table = "terraform-state-lock-637423550675"
     key            = "web-cdn/dev/app.tfstate"
     region         = "us-west-2"
   }
@@ -24,8 +24,8 @@ variable "image_tag" {
 
 locals {
   env           = "dev"
-  cdn_name      = "cdn-terraform"
-  config_branch = "terraform" //TODO: change me
+  name          = "web-cdn"
+  config_branch = "terraform" //TODO: change me to dev when we cutover
   stage_name    = "dev"
 }
 
@@ -45,16 +45,15 @@ provider "aws" {
 module "app" {
   source              = "../../modules/app/"
   env                 = local.env
-  cdn_name            = local.cdn_name
+  name                = local.name
   image_tag           = var.image_tag
-  s3_bucket_name      = "${local.cdn_name}-${local.env}-contents"
   index_document_name = "index.html"
   error_document_name = "error.html"
-  site_url            = "https://${local.cdn_name}.byu-oit-fullstack-trn.amazon.byu.edu"
   default_ttl         = 30
   max_ttl             = 60
   min_ttl             = 0
   force_destroy       = true
   config_branch       = local.config_branch
   stage_name          = local.stage_name
+  cdn_url             = "byu-oit-cdn-dev.amazon.byu.edu"
 }
diff --git a/iac/dev/setup/setup.tf b/iac/dev/setup/setup.tf
@@ -1,8 +1,8 @@
 terraform {
   required_version = "1.4.5"
   backend "s3" {
-    bucket         = "terraform-state-storage-632558792265"
-    dynamodb_table = "terraform-state-lock-632558792265"
+    bucket         = "terraform-state-storage-637423550675"
+    dynamodb_table = "terraform-state-lock-637423550675"
     key            = "web-cdn/dev/setup.tfstate"
     region         = "us-west-2"
   }
@@ -38,5 +38,6 @@ provider "aws" {
 module "setup" {
   source   = "../../modules/setup/"
   env      = local.env
-  cdn_name = "cdn-terraform"
+  name     = "web-cdn"
+  cdn_url  = "cdn-dev.byu.edu"
 }
diff --git a/iac/modules/app/assembler.tf b/iac/modules/app/assembler.tf
@@ -1,22 +1,22 @@
 module "assembler" {
   source = "github.com/byu-oit/terraform-aws-scheduled-fargate?ref=v4.0.0"
 
-  app_name    = "${var.cdn_name}-${var.env}-assembler"
+  app_name    = "${local.app_name}-assembler"
   task_cpu    = 4096
   task_memory = 8192
 
   primary_container_definition = {
-    name  = "${var.cdn_name}-${var.env}-assembler"
+    name  = "${local.app_name}-assembler"
     image = "${data.aws_ecr_repository.assembler_ecr_repo.repository_url}:${var.image_tag}"
     environment_variables = {
       "DESTINATION_S3_BUCKET" = aws_s3_bucket_website_configuration.cdn_content_bucket.id,
       "BUILD_ENV"             = var.env,
-      "CDN_HOST"              = "${var.cdn_name}-${var.env}.${local.root_dns_name}",
+      "CDN_HOST"              = var.cdn_url,
     }
 
     secrets = {
-      GITHUB_TOKEN = "/${var.cdn_name}/${var.env}/github.token"
-      GITHUB_USER  = "/${var.cdn_name}/${var.env}/github.user"
+      GITHUB_TOKEN = "/${var.name}/${var.env}/GITHUB_TOKEN"
+      GITHUB_USER  = "/${var.name}/${var.env}/GITHUB_USER"
     }
   }
 
@@ -79,3 +79,22 @@ resource "aws_iam_policy" "allow_builder_access_s3" {
     ]
   })
 }
+
+resource "aws_iam_policy" "allow_cloudfront_invalidation" {
+  name        = "AllowCloudFrontInvalidation"
+  description = "Allows CloudFront invalidation"
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "cloudfront:CreateInvalidation",
+          "cloudfront:GetInvalidation",
+          "cloudfront:ListInvalidations"
+        ],
+        "Resource" : "*"
+      }
+    ]
+  })
+}
diff --git a/iac/modules/app/cloudfront.tf b/iac/modules/app/cloudfront.tf
@@ -1,52 +1,37 @@
-
-variable "index_document_name" {
-  type        = string
-  default     = "index.html"
-  description = "The index document of the site."
-}
-
-variable "error_document_name" {
-  type        = string
-  default     = "index.html"
-  description = "The error document (e.g. 404 page) of the site."
-}
-
-variable "site_url" {
-  type        = string
-  description = "The URL for the site."
-}
-
-variable "default_ttl" {
-  type        = string
-  description = "Cloudfront cache default ttl"
-}
-
-variable "max_ttl" {
-  type        = string
-  description = "Cloudfront cache max ttl"
-}
-
-variable "min_ttl" {
-  type        = string
-  description = "Cloudfront cache min ttl"
-}
-
-# ==================== HTTPS cert ====================
-#resource "aws_acm_certificate" "new_cert" {
-#  domain_name               = "${var.cdn_name}.${local.root_dns_name}" # TODO change when we use the real domain instead of the account domain
+## ==================== HTTPS cert ====================
+#resource "aws_acm_certificate" "cert" {
+#  domain_name               = var.cdn_url
 #  validation_method         = "DNS"
-#  subject_alternative_names = ["*.${var.cdn_name}.${local.root_dns_name}"]
+#  subject_alternative_names = ["*.${var.cdn_url}"]
+#}
+#
+#resource "aws_acm_certificate_validation" "cert" {
+#  certificate_arn         = aws_acm_certificate.cert.arn
+#  validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
 #}
-#resource "aws_acm_certificate_validation" "new_cert" {
-#  certificate_arn         = aws_acm_certificate.new_cert.arn
-#  validation_record_fqdns = [for record in aws_route53_record.new_cert_validation : record.fqdn]
+#
+#resource "aws_route53_record" "cert_validation" {
+#  for_each = {
+#    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
+#      name   = dvo.resource_record_name
+#      record = dvo.resource_record_value
+#      type   = dvo.resource_record_type
+#    }
+#  }
+#
+#  allow_overwrite = true
+#  name            = each.value.name
+#  type            = each.value.type
+#  zone_id         = data.aws_route53_zone.cdn_zone.id
+#  records         = [each.value.record]
+#  ttl             = 60
 #}
 
 # ==================== Route53 ====================
 resource "aws_route53_record" "a_record" {
-  name            = "${var.cdn_name}-${var.env}"
+  name            = "${local.app_name}-${var.env}"
   type            = "A"
-  zone_id         = local.root_dns_id
+  zone_id         = data.aws_route53_zone.cdn_zone.id
   allow_overwrite = false
   alias {
     name                   = aws_cloudfront_distribution.website_cloudfront.domain_name
@@ -56,9 +41,9 @@ resource "aws_route53_record" "a_record" {
 }
 
 resource "aws_route53_record" "aaaa_record" {
-  name            = "${var.cdn_name}-${var.env}"
+  name            = "${local.app_name}-${var.env}"
   type            = "AAAA"
-  zone_id         = local.root_dns_id
+  zone_id         = data.aws_route53_zone.cdn_zone.id
   allow_overwrite = false
   alias {
     name                   = aws_cloudfront_distribution.website_cloudfront.domain_name
@@ -67,29 +52,6 @@ resource "aws_route53_record" "aaaa_record" {
   }
 }
 
-#resource "aws_route53_record" "new_cert_validation" {
-#  for_each = {
-#    for dvo in aws_acm_certificate.new_cert.domain_validation_options : dvo.domain_name => {
-#      name   = dvo.resource_record_name
-#      record = dvo.resource_record_value
-#      type   = dvo.resource_record_type
-#    }
-#  }
-#
-#  allow_overwrite = true
-#  name            = each.value.name
-#  type            = each.value.type
-#  zone_id         = local.root_dns_id
-#  records         = [each.value.record]
-#  ttl             = 60
-#}
-#
-# data "aws_route53_record" "existing_record" {
-#   zone_id = local.root_dns_id
-#   name    = "_3c077e2b2d1354f739d9880494eaec9b.byu-oit-fullstack-trn.amazon.byu.edu"
-#   type    = "CNAME"
-# }
-
 resource "aws_iam_policy" "allow_cdn_parameter_store_access" {
   name        = "AllowCdnParameterStoreAccess"
   description = "Allows access to CDN parameter store"
@@ -102,41 +64,22 @@ resource "aws_iam_policy" "allow_cdn_parameter_store_access" {
           "ssm:DescribeParameters",
           "ssm:GetParameters"
         ],
-        "Resource" : "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${var.cdn_name}/*"
-      }
-    ]
-  })
-}
-
-resource "aws_iam_policy" "allow_cloudfront_invalidation" {
-  name        = "AllowCloudFrontInvalidation"
-  description = "Allows CloudFront invalidation"
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Effect" : "Allow",
-        "Action" : [
-          "cloudfront:CreateInvalidation",
-          "cloudfront:GetInvalidation",
-          "cloudfront:ListInvalidations"
-        ],
-        "Resource" : "*"
+        "Resource" : "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${var.name}/${var.env}*"
       }
     ]
   })
 }
 
 resource "aws_cloudfront_distribution" "website_cloudfront" {
-  comment      = "${local.root_dns_name} - ${var.cdn_name} ${var.env}"
-  aliases      = ["${var.cdn_name}-${var.env}.${local.root_dns_name}"]
+  comment      = "${var.cdn_url} - ${var.name} ${var.env}"
+  aliases      = ["${local.app_name}.${var.cdn_url}"]
   enabled      = true
   http_version = "http2"
 
   viewer_certificate {
     acm_certificate_arn      = module.acs.certificate_virginia.arn # aws_acm_certificate.new_cert.arn
     ssl_support_method       = "sni-only"
-    minimum_protocol_version = "TLSv1" # TLSv1.2_2019
+    minimum_protocol_version = "TLSv1"
   }
 
   default_cache_behavior {

diff --git a/iac/modules/app/content-bucket.tf b/iac/modules/app/content-bucket.tf
@@ -1,10 +1,5 @@
-
-variable "s3_bucket_name" {
-  description = "Name of S3 bucket for website"
-}
-
 resource "aws_s3_bucket" "cdn_content_bucket" {
-  bucket = "${var.cdn_name}-${var.env}-contents-${data.aws_region.current.name}-${data.aws_caller_identity.current.account_id}"
+  bucket = "${local.app_name}-contents"
 }
 
 resource "aws_s3_bucket_website_configuration" "cdn_content_bucket" {