Deploy production application in eu-west-1 (#286)

* Deploy production application in eu-west-1

* Update S3 buckets in docker-compose.ci.yml
* Update S3 buckets in Jenkinsfile
* Update AWS Region in README.md and deployment/README.md
* Update S3 buckets in Vagrantfile
* Update Ansible group_vars S3 bucket
* Use 1.0.0 of terraform-aws-acm-certificate to provision a separate certificate for CloudFront in us-east-1
* Use db.t3.micro as default RDS instance
* Use eu-west-1 ECS-optimized AMI for Batch
* Update S3 bucket in research/dedupe/bootstrap
* Update AWS region reference in ecsmanage.py

* Temporary change to Jenkinsfile

Needed to test CI pipeline.

* Temporary change to Jenkinsfile

Needed to test CI pipeline.

* Show me the env

* Temporary change to Jenkinsfile

Needed to test CI pipeline.

* Add CloudFront certificate comment

* Revert change to Jenkinsfile

Jenkinsfile

@@ -8,9 +8,9 @@ node {
 		}
 
 		env.AWS_PROFILE = 'open-apparel-registry'
-		env.AWS_DEFAULT_REGION = 'us-east-1'
+		env.AWS_DEFAULT_REGION = 'eu-west-1'
 
-		env.OAR_SETTINGS_BUCKET = 'openapparelregistry-testing-config-us-east-1'
+		env.OAR_SETTINGS_BUCKET = 'openapparelregistry-testing-config-eu-west-1'
 
 	    // Execute `setup` wrapped within a plugin that translates
 	    // ANSI color codes to something that renders inside the Jenkins
@@ -27,7 +27,7 @@ node {
 			}
 		}
 
-		env.OAR_SETTINGS_BUCKET = 'openapparelregistry-staging-config-us-east-1'
+		env.OAR_SETTINGS_BUCKET = 'openapparelregistry-staging-config-eu-west-1'
 
 		if (env.BRANCH_NAME == 'develop' || env.BRANCH_NAME.startsWith('release/') || env.BRANCH_NAME.startsWith('test/')) {
 			// Publish container images built and tested during `cibuild`

README.md

@@ -25,7 +25,7 @@ First, configure a local AWS profile with access to an S3 bucket with files cont
 $ aws configure --profile open-apparel-registry
 AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
 AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-Default region name [None]: us-east-1
+Default region name [None]: eu-west-1
 Default output format [None]:
 ```
 
@@ -67,7 +67,7 @@ To start this version of OAR, first, bootstrap the database:
 $ vagrant ssh
 
 # Import database dumps from Sourcemap and run ElasticSearch indexing
-vagrant@vagrant:/vagrant$ export OAR_SETTINGS_BUCKET=openapparelregistry-development-config-us-east-1
+vagrant@vagrant:/vagrant$ export OAR_SETTINGS_BUCKET=openapparelregistry-development-config-eu-west-1
 vagrant@vagrant:/vagrant$ ./scripts/bootstrap --restify
 ```
 

Vagrantfile

@@ -44,7 +44,7 @@ Vagrant.configure("2") do |config|
     fi
 
     export AWS_PROFILE=open-apparel-registry
-    export OAR_SETTINGS_BUCKET=openapparelregistry-development-config-us-east-1
+    export OAR_SETTINGS_BUCKET=openapparelregistry-development-config-eu-west-1
 
     cd /vagrant
     su vagrant ./scripts/bootstrap

deployment/README.md

@@ -12,7 +12,7 @@ Using the AWS CLI, create an AWS profile named `open-apparel-registry`:
 $ aws configure --profile open-apparel-registry
 AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
 AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-Default region name [None]: us-east-1
+Default region name [None]: eu-west-1
 Default output format [None]:
 ```
 
@@ -29,7 +29,7 @@ To do this, we can use the `cibuild` and `cipublish` scripts:
 
 ```bash
 $ vagrant ssh
-vagrant@vagrant:/vagrant$ export OAR_AWS_ECR_ENDPOINT=123456789012.dkr.ecr.us-east-1.amazonaws.com
+vagrant@vagrant:/vagrant$ export OAR_AWS_ECR_ENDPOINT=123456789012.dkr.ecr.eu-west-1.amazonaws.com
 vagrant@vagrant:/vagrant$ ./scripts/cibuild
 ...
 Successfully built 20dcf93f6907
@@ -73,7 +73,7 @@ rds_database_username = "openapparelregistry"
 rds_database_password = "password"
 ```
 
-This file lives at `s3://openapparelregistry-staging-config-us-east-1/terraform/terraform.tfvars`.
+This file lives at `s3://openapparelregistry-staging-config-eu-west-1/terraform/terraform.tfvars`.
 
 To deploy this project's core infrastructure, use the `infra` wrapper script to lookup the remote state of the infrastructure and assemble a plan for work to be done:
 

deployment/ansible/group_vars/all

@@ -2,7 +2,7 @@
 aws_cli_version: "1.16.*"
 aws_profile: "open-apparel-registry"
 
-oar_settings_bucket: "openapparelregistry-development-config-us-east-1"
+oar_settings_bucket: "openapparelregistry-development-config-eu-west-1"
 
 docker_version: "18.*"
 docker_compose_version: "1.21.*"

deployment/terraform/cdn.tf

@@ -73,7 +73,7 @@ resource "aws_cloudfront_distribution" "cdn" {
   }
 
   viewer_certificate {
-    acm_certificate_arn      = "${module.cert.arn}"
+    acm_certificate_arn      = "${module.cert_cdn.arn}"
     minimum_protocol_version = "TLSv1.2_2018"
     ssl_support_method       = "sni-only"
   }

deployment/terraform/certificate.tf

@@ -1,8 +1,27 @@
 #
 # ACM resources
 #
-module "cert" {
-  source = "github.com/azavea/terraform-aws-acm-certificate?ref=0.1.0"
+module "cert_cdn" {
+  source = "github.com/azavea/terraform-aws-acm-certificate?ref=1.0.0"
+
+  providers = {
+    aws.acm_account     = "aws.certificates"
+    aws.route53_account = "aws"
+  }
+
+  domain_name               = "${var.r53_public_hosted_zone}"
+  subject_alternative_names = ["*.${var.r53_public_hosted_zone}"]
+  hosted_zone_id            = "${aws_route53_zone.external.zone_id}"
+  validation_record_ttl     = "60"
+}
+
+module "cert_lb" {
+  source = "github.com/azavea/terraform-aws-acm-certificate?ref=1.0.0"
+
+  providers = {
+    aws.acm_account     = "aws"
+    aws.route53_account = "aws"
+  }
 
   domain_name               = "${var.r53_public_hosted_zone}"
   subject_alternative_names = ["*.${var.r53_public_hosted_zone}"]

deployment/terraform/config.tf

@@ -3,13 +3,28 @@ provider "aws" {
   version = "~> 1.56.0"
 }
 
+/**
+* To use an ACM Certificate with Amazon CloudFront, you must 
+* request or import the certificate in the US East (N. Virginia) region. 
+* ACM Certificates in this region that are associated with a CloudFront 
+* distribution are distributed to all the geographic locations configured 
+* for that distribution.
+*
+* https://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html
+*/
+provider "aws" {
+  alias   = "certificates"
+  region  = "us-east-1"
+  version = "~> 1.56.0"
+}
+
 provider "template" {
   version = "~> 1.0.0"
 }
 
 terraform {
   backend "s3" {
-    region  = "us-east-1"
+    region  = "eu-west-1"
     encrypt = "true"
   }
 }

deployment/terraform/container_service.tf

@@ -80,7 +80,7 @@ resource "aws_lb_listener" "app" {
   load_balancer_arn = "${aws_lb.app.id}"
   port              = "443"
   protocol          = "HTTPS"
-  certificate_arn   = "${module.cert.arn}"
+  certificate_arn   = "${module.cert_lb.arn}"
 
   default_action {
     target_group_arn = "${aws_lb_target_group.app.id}"

deployment/terraform/iam.tf

@@ -51,12 +51,13 @@ data "aws_iam_policy_document" "batch_describe_and_submit" {
     effect = "Allow"
 
     resources = ["*"]
+
     actions = [
       "batch:DescribeJobQueues",
       "batch:DescribeJobs",
       "batch:DescribeJobDefinitions",
       "batch:DescribeComputeEnvironments",
-      "batch:SubmitJob"
+      "batch:SubmitJob",
     ]
   }
 }
@@ -67,7 +68,6 @@ resource "aws_iam_role_policy" "batch_describe_and_submit" {
   policy = "${data.aws_iam_policy_document.batch_describe_and_submit.json}"
 }
 
-
 #
 # EC2 IAM resources
 #

deployment/terraform/variables.tf

@@ -7,11 +7,11 @@ variable "environment" {
 }
 
 variable "aws_region" {
-  default = "us-east-1"
+  default = "eu-west-1"
 }
 
 variable "aws_availability_zones" {
-  default = ["us-east-1a", "us-east-1b"]
+  default = ["eu-west-1a", "eu-west-1b"]
 }
 
 variable "aws_key_name" {}
@@ -89,7 +89,7 @@ variable "rds_parameter_group_family" {
 }
 
 variable "rds_instance_type" {
-  default = "db.t2.micro"
+  default = "db.t3.micro"
 }
 
 variable "rds_storage_type" {
@@ -213,9 +213,9 @@ variable "batch_default_ce_spot_fleet_bid_percentage" {
 }
 
 variable "batch_ami_id" {
-  # Latest ECS-optimized Amazon Linux AMI in us-east-1
+  # Latest ECS-optimized Amazon Linux AMI in eu-west-1
   # See: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html
-  default = "ami-0bf2fb355727b7faf"
+  default = "ami-00921cd1ce43d567a"
 }
 
 variable "batch_default_ce_min_vcpus" {

docker-compose.ci.yml

@@ -12,7 +12,7 @@ services:
       - AWS_PROFILE=${AWS_PROFILE:-open-apparel-registry}
       - GIT_COMMIT=${GIT_COMMIT:-latest}
       - OAR_DEBUG=1
-      - OAR_SETTINGS_BUCKET=openapparelregistry-staging-config-us-east-1
+      - OAR_SETTINGS_BUCKET=openapparelregistry-staging-config-eu-west-1
       - OAR_ROLLBAR_ACCESS_TOKEN
       - OAR_DEPLOYMENT_ENVIRONMENT=${OAR_DEPLOYMENT_ENVIRONMENT:-staging}
     working_dir: /usr/local/src

research/dedupe/bootstrap

@@ -2,8 +2,8 @@
 
 mkdir -p data
 aws s3 sync \
-    s3://openapparelregistry-development-data-us-east-1/clean-supplier-lists-2019-01-08 \
+    s3://openapparelregistry-development-data-eu-west-1/clean-supplier-lists-2019-01-08 \
     data/supplier-lists
 aws s3 cp \
-    s3://openapparelregistry-development-data-us-east-1/rubota_facilities_2018-02-26.csv \
+    s3://openapparelregistry-development-data-eu-west-1/rubota_facilities_2018-02-26.csv \
     data/rubota_facilities.csv

src/django/api/management/commands/ecsmanage.py

@@ -42,7 +42,7 @@ def handle(self, *args, **options):
                                 cmd)
 
         url = (
-            f'https://console.aws.amazon.com/ecs/home?region=us-east-1#'
+            f'https://console.aws.amazon.com/ecs/home?region=eu-west-1#'
             f'/clusters/ecs{self.env}Cluster/tasks/{task_id}/details'
         )