Merge branch 'master' of https://github.com/input-output-hk/plutus in…

…to jmchapman/red-ck-eq

.buildkite/pipeline.yml

@@ -1,9 +1,17 @@
 steps:
-  - label: 'morph deploy 🚀'
+  - label: 'deploy (staging) 🚀'
     command:
       - "./.buildkite/deploy.sh alpha"
     branches: "master"
     concurrency: 1
     concurrency_group: "plutus-alpha-deploy"
     agents:
       system: x86_64-linux
+  - label: 'deploy (production) 🚀'
+    command:
+      - "./.buildkite/deploy.sh production"
+    branches: "production"
+    concurrency: 1
+    concurrency_group: "plutus-production-deploy"
+    agents:
+      system: x86_64-linux

CONTRIBUTING.adoc

@@ -28,6 +28,7 @@ NOTE: You may want to consider using https://github.com/target/lorri[lorri] as a
 === How to use helper scripts to fix some common issues
 
 The shell comes with some tools for fixing various simple problems that the CI will complain about. Specifically:
+
 - `fix-stylish-haskell` will re-format all the Haskell sources correctly.
 - `fix-purty` will re-format all the Purescript sources correctly.
 - `fix-png-optimization` will optimize all PNGs in the repository.
@@ -277,6 +278,7 @@ So please do use this ability where it helps, for example:
 * Add low-effort or WIP commits to fix review comments, and then squash them away before merging the PR.
 * If you have already had a PR review, don't rebase away the old commits until the PR is ready to merge, so that the reviewer only has to look at the "new" commits.
 * Rewrite the commits to make the story clearer where possible.
+* Always prefer `git push --force-with-lease` to just `git push --force` to ensure that no work gets accidentally deleted.
 
 Don't be obsessive about history though: a little bit of effort making the history clear is nice, but you can rapidly hit diminishing returns.
 Use your judgement, but probably don't merge a PR that has commits called "WIP" or "fix"!
@@ -306,6 +308,7 @@ to spend time explaining or clarifying something in advance than for them to puz
 === Continuous integration
 
 We have two sources of CI checks at the moment:
+
 - Hydra
 - ReadTheDocs
 

default.nix

@@ -78,6 +78,8 @@ rec {
     }) client;
   };
 
+  marlowe-web = pkgs.callPackage ./marlowe-website { inherit (plutus.lib) npmlock2nix gitignore-nix; };
+
   plutus-pab = pkgs.recurseIntoAttrs (pkgs.callPackage ./plutus-pab-client {
     inherit (plutus.lib) buildPursPackage buildNodeModules gitignore-nix filterNpm;
     inherit haskell webCommon webCommonPlutus;
@@ -98,7 +100,7 @@ rec {
   deployment = pkgs.recurseIntoAttrs (pkgs.callPackage ./deployment/morph {
     plutus = {
       inherit plutus-pab marlowe-app marlowe-companion-app marlowe-follow-app
-        marlowe-dashboard marlowe-playground plutus-playground web-ghc docs;
+        marlowe-dashboard marlowe-playground plutus-playground web-ghc docs marlowe-web;
     };
   });
 

deployment/README.md

@@ -58,3 +58,11 @@ To log in use `aws-mfa-login` which is provided by the top-level shell.nix:
 ```
 $ eval $(aws-mfa-login <username> <mfa-code>)
 ```
+
+The first time you login to AWS using the client it is necessary to create a local profile for `dev-mantis`, this can be done by writing:
+
+```
+$ aws configure --profile "dev-mantis"
+```
+
+See https://stackoverflow.com/questions/34134879/aws-the-config-profile-myname-could-not-be-found.

deployment/envs.nix

@@ -1,7 +1,7 @@
 {
   alpha = { region = "eu-west-2"; };
+  production = { region = "eu-west-1"; };
   pablo = { region = "eu-west-3"; };
-  playground = { region = "us-west-1"; };
   testing = { region = "eu-west-3"; };
   hernan = { region = "us-west-2"; };
   tobias = { region = "eu-west-1"; };

deployment/morph/machines/playground.nix

@@ -8,7 +8,7 @@
   ];
 
   networking = {
-    firewall.allowedTCPPorts = [ 22 80 8080 9080 ];
+    firewall.allowedTCPPorts = [ 22 80 8080 8181 9080 ];
   };
 
   services.marlowe-playground = {
@@ -59,6 +59,17 @@
         marlowe-playground.servers."127.0.0.1:4001" = { };
       };
       virtualHosts = {
+        "marlowe-web" = {
+          listen = [{ addr = "0.0.0.0"; port = 8181; }];
+          locations = {
+            "/" = {
+              root = "${pkgs.marlowe-web}";
+              extraConfig = ''
+                ${staticFileCacheControl}
+              '';
+            };
+          };
+        };
         "plutus-playground" = {
           listen = [{ addr = "0.0.0.0"; port = 8080; }];
           locations = {

deployment/morph/mk-machine.nix

@@ -30,6 +30,7 @@
               marlowe-follow-app = plutus.marlowe-follow-app;
               marlowe-dashboard = plutus.marlowe-dashboard;
               marlowe-playground = plutus.marlowe-playground;
+              marlowe-web = plutus.marlowe-web;
               plutus-playground = plutus.plutus-playground;
               web-ghc = plutus.web-ghc;
               plutus-docs = plutus.docs;

deployment/terraform/certificates.tf

@@ -82,3 +82,63 @@ resource "aws_acm_certificate_validation" "marlowe_dash_private" {
   certificate_arn         = aws_acm_certificate.marlowe_dash_private.arn
   validation_record_fqdns = [for record in aws_route53_record.marlowe_dash_private : record.fqdn]
 }
+
+# Marlowe Web SSL Certificate
+resource "aws_acm_certificate" "marlowe_web_private" {
+  domain_name       = "*.${var.marlowe_web_tld}"
+  validation_method = "DNS"
+}
+
+resource "aws_route53_record" "marlowe_web_private" {
+  for_each = {
+    for dvo in aws_acm_certificate.marlowe_web_private.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = var.marlowe_web_public_zone
+}
+
+resource "aws_acm_certificate_validation" "marlowe_web_private" {
+  certificate_arn         = aws_acm_certificate.marlowe_web_private.arn
+  validation_record_fqdns = [for record in aws_route53_record.marlowe_web_private : record.fqdn]
+}
+
+#
+# marlowe-finance.io certificates
+#
+
+resource "aws_acm_certificate" "marlowe_finance_io" {
+  domain_name               = "marlowe-finance.io"
+  validation_method         = "DNS"
+  subject_alternative_names = ["*.marlowe-finance.io"]
+}
+
+resource "aws_route53_record" "marlowe_finance_io" {
+  for_each = {
+    for dvo in aws_acm_certificate.marlowe_finance_io.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = var.marlowe_finance_io_public_zone
+}
+
+resource "aws_acm_certificate_validation" "marlowe_finance_io" {
+  certificate_arn         = aws_acm_certificate.marlowe_finance_io.arn
+  validation_record_fqdns = [for record in aws_route53_record.marlowe_finance_io : record.fqdn]
+}

deployment/terraform/loadbalancing.tf

@@ -50,6 +50,13 @@ resource "aws_security_group" "public_alb" {
     cidr_blocks = var.private_subnet_cidrs
   }
 
+  egress {
+    from_port   = local.marlowe_web_port
+    to_port     = local.marlowe_web_port
+    protocol    = "TCP"
+    cidr_blocks = var.private_subnet_cidrs
+  }
+
   tags = {
     Name        = "${local.project}_${var.env}_public_alb"
     Project     = local.project
@@ -97,6 +104,16 @@ resource "aws_alb_listener" "playground" {
   }
 }
 
+resource "aws_lb_listener_certificate" "marlowe_finance_io" {
+  listener_arn    = aws_alb_listener.playground.arn
+  certificate_arn = aws_acm_certificate.marlowe_finance_io.arn
+}
+
+resource "aws_lb_listener_certificate" "marlowe_web" {
+  listener_arn    = aws_alb_listener.playground.arn
+  certificate_arn = aws_acm_certificate.marlowe_web_private.arn
+}
+
 resource "aws_lb_listener_certificate" "marlowe" {
   listener_arn    = aws_alb_listener.playground.arn
   certificate_arn = aws_acm_certificate.marlowe_private.arn
@@ -107,6 +124,44 @@ resource "aws_lb_listener_certificate" "marlowe_dash" {
   certificate_arn = aws_acm_certificate.marlowe_dash_private.arn
 }
 
+resource "aws_alb_listener_rule" "marlowe-web" {
+  listener_arn = aws_alb_listener.playground.arn
+  action {
+    type             = "forward"
+    target_group_arn = aws_alb_target_group.marlowe_web.id
+  }
+
+  condition {
+    host_header {
+      values = [local.marlowe_web_domain_name]
+    }
+  }
+}
+
+resource "aws_alb_target_group" "marlowe_web" {
+  port     = "80"
+  protocol = "HTTP"
+  vpc_id   = aws_vpc.plutus.id
+}
+
+resource "aws_alb_target_group_attachment" "marlowe_web" {
+  target_group_arn = aws_alb_target_group.marlowe_web.arn
+  target_id        = aws_instance.playgrounds_a.id
+  port             = local.marlowe_web_port
+}
+
+resource "aws_route53_record" "marlowe_web_alb" {
+  zone_id = var.marlowe_web_public_zone
+  name    = local.marlowe_web_domain_name
+  type    = "A"
+
+  alias {
+    name                   = aws_alb.plutus.dns_name
+    zone_id                = aws_alb.plutus.zone_id
+    evaluate_target_health = true
+  }
+}
+
 ## ALB rule for web-ghc
 resource "aws_alb_target_group" "webghc" {
   # ALB is taking care of SSL termination so we listen to port 80 here
@@ -298,3 +353,55 @@ resource "aws_route53_record" "plutus_playground_alb" {
     evaluate_target_health = true
   }
 }
+
+
+#
+# Production: marlowe-finance.io forwarding
+#
+
+resource "aws_alb_listener_rule" "marlowe-finance-marlowe-web" {
+  listener_arn = aws_alb_listener.playground.arn
+  action {
+    type             = "forward"
+    target_group_arn = aws_alb_target_group.marlowe_web.id
+  }
+
+  condition {
+    host_header {
+      values = ["marlowe-finance.io"]
+    }
+  }
+}
+
+resource "aws_alb_listener_rule" "marlowe-finance-marlowe-dash" {
+  depends_on   = [aws_alb_target_group.marlowe_dash]
+  listener_arn = aws_alb_listener.playground.arn
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_alb_target_group.marlowe_dash.id
+  }
+
+  condition {
+    host_header {
+      values = ["run.marlowe-finance.io"]
+    }
+  }
+}
+
+resource "aws_alb_listener_rule" "marlowe-finance-marlowe-playground" {
+  depends_on   = [aws_alb_target_group.marlowe_playground]
+  listener_arn = aws_alb_listener.playground.arn
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_alb_target_group.marlowe_playground.id
+  }
+
+  condition {
+    host_header {
+      values = ["play.marlowe-finance.io"]
+    }
+  }
+}
+

deployment/terraform/locals.tf

@@ -8,7 +8,9 @@ locals {
   marlowe_domain_name      = "${var.marlowe_full_domain != "" ? var.marlowe_full_domain : "${var.env}.${var.marlowe_tld}"}"
   plutus_domain_name       = "${var.plutus_full_domain != "" ? var.plutus_full_domain : "${var.env}.${var.plutus_tld}"}"
   marlowe_dash_domain_name = "${var.env}.${var.marlowe_dash_tld}"
+  marlowe_web_domain_name  = "${var.env}.${var.marlowe_web_tld}"
 
+  marlowe_web_port        = 8181
   plutus_playground_port  = 8080
   marlowe_playground_port = 9080
   pab_port                = 9080
@@ -27,7 +29,7 @@ locals {
   bastion_ssh_keys_ks = {
     alpha      = ["pablo", "tobias", "ci-deployer"]
     pablo      = ["pablo"]
-    prod       = ["tobias"]
+    production = ["tobias", "ci-deployer"]
     playground = ["tobias"]
     testing    = ["pablo", "tobias", "bozhidar", "dimitar"]
     hernan     = ["hernan"]
@@ -39,8 +41,7 @@ locals {
   root_ssh_keys_ks = {
     alpha      = ["pablo", "tobias", "ci-deployer"]
     pablo      = ["pablo"]
-    prod       = []
-    playground = []
+    production = ["tobias", "ci-deployer"]
     testing    = ["pablo", "tobias", "bozhidar", "dimitar"]
     hernan     = ["hernan"]
     tobias     = ["tobias", "ci-deployer"]