Time to parameterize

.github/workflows/deploy.yml

@@ -26,13 +26,13 @@ jobs:
         with:
           mask-password: "false"
 
-      - name: Build, tag, and push docker image to Amazon ECR
+      - name: Build, tag, and push cube api docker image to Amazon ECR
         env:
           REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-          REPOSITORY: sync-svc-cube
+          REPOSITORY: prod-sync-cube-ecr
           IMAGE_TAG: "${{ github.sha }}"
         run: |
-          docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG .
+          docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG -f docker/cube/Dockerfile .
           docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG
 
       - name: Update cube-api Task Definition with latest image
@@ -41,28 +41,28 @@ jobs:
         with:
           task-definition-family: cube_api
           container-name: cube-api
-          image: ${{ steps.login-ecr.outputs.registry }}/sync-svc-cube:${{ github.sha }}
+          image: ${{ steps.login-ecr.outputs.registry }}/prod-sync-cube-ecr:${{ github.sha }}
 
       - name: Update cube-refresh-worker Task Definition with latest image
         id: cube-refresh-worker-task-def
         uses: aws-actions/amazon-ecs-render-task-definition@v1.6.2
         with:
           task-definition-family: cube_refresh_worker
           container-name: cube-refresh-worker
-          image: ${{ steps.login-ecr.outputs.registry }}/sync-svc-cube:${{ github.sha }}
+          image: ${{ steps.login-ecr.outputs.registry }}/prod-sync-cube-ecr:${{ github.sha }}
 
       - name: Deploy cube-api task definition
         uses: aws-actions/amazon-ecs-deploy-task-definition@v2.3.0
         with:
           task-definition: ${{ steps.cube-api-task-def.outputs.task-definition }}
           service: cube_api
-          cluster: production
+          cluster: prod-sync_cluster
           wait-for-service-stability: true
 
       - name: Deploy cube-refresh-worker task definition
         uses: aws-actions/amazon-ecs-deploy-task-definition@v2.3.0
         with:
           task-definition: ${{ steps.cube-refresh-worker-task-def.outputs.task-definition }}
           service: cube_refresh_worker
-          cluster: production
+          cluster: prod-sync_cluster
           wait-for-service-stability: true

deploy_cubestore.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+AWS_REGION="us-east-1"
+ECR_REPOSITORY="prod-sync-cubestore-ecr"
+
+AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
+REGISTRY="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
+IMAGE_TAG=$(git rev-parse --short HEAD 2>/dev/null || date +%s)
+
+aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $REGISTRY
+
+docker build --platform linux/amd64 -t $REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -f docker/cubestore/Dockerfile .
+docker push $REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+
+echo "New cubestore image pushed to ECR: $REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG. Please update terraform cubestore services task definitions accordingly."

docker/cube/Dockerfile

@@ -0,0 +1,11 @@
+FROM cubejs/cube:v1.1.9
+
+RUN apt-get update \
+        && apt-get install -y --no-install-recommends curl \
+        && apt-get clean \
+        && rm -rf /var/lib/apt/lists/*
+
+COPY cube.js cube.js
+COPY fetch.js fetch.js
+RUN mkdir model
+COPY model/ model/

docker/cubestore/Dockerfile

@@ -0,0 +1,3 @@
+FROM cubejs/cubestore:latest
+
+RUN apt-get update && apt-get install -y curl

terraform/main.tf

@@ -7,3 +7,120 @@ provider "aws" {
     }
   }
 }
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = ">=5.7.1"
+
+  name = "production-vpc"
+  cidr = "10.0.0.0/16"
+
+  azs                  = ["us-east-1a", "us-east-1b", "us-east-1d", "us-east-1c"]
+  private_subnets      = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24"]
+  public_subnets       = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24", "10.0.104.0/24"]
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+  enable_nat_gateway   = true
+  create_igw           = true
+}
+
+module "production_cube_cluster" {
+  source = "./modules/cube-cluster"
+
+  cluster_prefix       = "prod-sync"
+  vpc                  = module.vpc
+  cube_api_domain_name = "cube-api.synccomputing.com"
+  cube_shared_env = [
+    {
+      name  = "CUBEJS_DB_SSL"
+      value = "true"
+    },
+    {
+      name  = "CUBEJS_DB_TYPE"
+      value = "postgres"
+    },
+    {
+      name  = "CUBEJS_DB_HOST"
+      value = "ec2-3-221-59-105.compute-1.amazonaws.com"
+    },
+    {
+      name  = "CUBEJS_DB_PORT"
+      value = "5432"
+    },
+    {
+      name  = "CUBEJS_DB_USER"
+      value = "cube"
+    },
+    {
+      name  = "CUBEJS_DB_NAME"
+      value = "d20nhfliefb6aa"
+    },
+    {
+      name  = "CUBEJS_SCHEMA_PATH"
+      value = "model"
+    },
+    {
+      name  = "CUBEJS_DEV_MODE"
+      value = "false"
+    },
+    {
+      name  = "NODE_ENV",
+      value = "production"
+    },
+    {
+      name  = "CUBEJS_JWK_URL"
+      value = "https://sync-prod.us.auth0.com/.well-known/jwks.json"
+    },
+    {
+      name  = "CUBEJS_JWT_AUDIENCE"
+      value = "https://api.synccomputing.com"
+    },
+    {
+      name  = "CUBEJS_JWT_ISSUER"
+      value = "https://login.app.synccomputing.com/"
+    },
+    {
+      name  = "CUBEJS_JWT_ALGS"
+      value = "RS256"
+    },
+    {
+      name  = "CUBEJS_JWT_CLAIMS_NAMESPACE"
+      value = "https://synccomputing.com/"
+    }
+  ]
+  cube_shared_secrets = [
+    { name = "CUBEJS_DB_PASS", valueFrom = aws_secretsmanager_secret.postgres_cube_user_pw.arn },
+    { name = "CUBEJS_JWT_KEY", valueFrom = aws_secretsmanager_secret.auth0_jwt_key.arn },
+  ]
+}
+
+resource "aws_secretsmanager_secret" "postgres_cube_user_pw" {
+  name = "production/postgres-cube-user-pw"
+}
+
+resource "aws_secretsmanager_secret" "auth0_jwt_key" {
+  name = "production/auth0-jwt-key"
+}
+
+resource "aws_iam_openid_connect_provider" "github_openid" {
+  url = "https://token.actions.githubusercontent.com"
+
+  client_id_list = [
+    "sts.amazonaws.com",
+  ]
+
+  thumbprint_list = ["cf23df2207d99a74fbe169e3eba035e633b65d94"]
+}
+
+module "iam_github_oidc_role" {
+  source      = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
+  name        = "github_actions_role"
+  path        = "/system/"
+  description = "GitHub IAM role for GitHub actions"
+
+  subjects = ["synccomputingcode/sync-svc-cube-v2:*"]
+
+  policies = {
+    GitHubActionsPolicy = module.production_cube_cluster.cube_repo_ecr_policy.arn
+  }
+}

terraform/cloudfront.tf → terraform/modules/cube-cluster/cloudfront.tf

@@ -14,8 +14,8 @@ data "aws_cloudfront_origin_request_policy" "all_viewers" {
   name = "Managed-AllViewer"
 }
 
-resource "aws_cloudfront_distribution" "sync_svc_cube_cdn" {
-  aliases         = [local.domain_name, "www.${local.domain_name}"]
+resource "aws_cloudfront_distribution" "cube_cdn" {
+  aliases         = [var.cube_api_domain_name]
   comment         = "Cloudfront distribution for cube.dev api"
   price_class     = "PriceClass_100"
   is_ipv6_enabled = true
@@ -25,12 +25,6 @@ resource "aws_cloudfront_distribution" "sync_svc_cube_cdn" {
     domain_name = local.api_domain_name
     origin_id   = local.api_domain_name
 
-    # vpc_origin_config {
-    #   vpc_origin_id            = aws_cloudfront_vpc_origin.alb.id
-    #   origin_keepalive_timeout = 5
-    #   origin_read_timeout      = 30
-    # }
-
     custom_origin_config {
       http_port                = 80
       https_port               = 443
@@ -64,4 +58,4 @@ resource "aws_cloudfront_distribution" "sync_svc_cube_cdn" {
       locations        = []
     }
   }
-}
+}

terraform/cloudwatch.tf → terraform/modules/cube-cluster/cloudwatch.tf

@@ -1,4 +1,4 @@
 resource "aws_cloudwatch_log_group" "main" {
-  name              = "/ecs/sync-svc-cube/production"
+  name              = "/ecs/${var.cluster_prefix}-cube-logs"
   retention_in_days = 14
 }

terraform/modules/cube-cluster/ecr.tf

@@ -0,0 +1,65 @@
+resource "aws_ecr_repository" "cube_repo" {
+  name                 = "${var.cluster_prefix}-cube-ecr"
+  image_tag_mutability = "IMMUTABLE"
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+}
+
+resource "aws_ecr_lifecycle_policy" "cube_lf_policy" {
+  repository = aws_ecr_repository.cube_repo.name
+
+  policy = <<EOF
+{
+    "rules": [
+        {
+            "rulePriority": 1,
+            "description": "Keep last 30 images",
+            "selection": {
+                "tagStatus": "tagged",
+                "tagPrefixList": ["v"],
+                "countType": "imageCountMoreThan",
+                "countNumber": 30
+            },
+            "action": {
+                "type": "expire"
+            }
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_ecr_repository" "cubestore_repo" {
+  name                 = "${var.cluster_prefix}-cubestore-ecr"
+  image_tag_mutability = "IMMUTABLE"
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+}
+
+resource "aws_ecr_lifecycle_policy" "cubestore_lf_policy" {
+  repository = aws_ecr_repository.cubestore_repo.name
+
+  policy = <<EOF
+{
+    "rules": [
+        {
+            "rulePriority": 1,
+            "description": "Keep last 30 images",
+            "selection": {
+                "tagStatus": "tagged",
+                "tagPrefixList": ["v"],
+                "countType": "imageCountMoreThan",
+                "countNumber": 30
+            },
+            "action": {
+                "type": "expire"
+            }
+        }
+    ]
+}
+EOF
+}