Initial infrastructure setup

xsalazar · Sep 30, 2023 · fc32282 · fc32282
1 parent 9e688ae
commit fc32282
Show file tree

Hide file tree

Showing 16 changed files with 365 additions and 0 deletions.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -0,0 +1,18 @@
+{
+  "image": "node:18",
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "esbenp.prettier-vscode",
+        "hashicorp.terraform",
+        "streetsidesoftware.code-spell-checker",
+        "GitHub.vscode-github-actions"
+      ]
+    }
+  },
+  "features": {
+    "ghcr.io/devcontainers/features/terraform": {
+      "version": "1.1.2"
+    }
+  }
+}
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
@@ -0,0 +1 @@
+github: xsalazar
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,21 @@
+version: 2
+updates:
+  # Main application
+  - package-ecosystem: "npm"
+    directory: "/app"
+    labels:
+      - "dependabot :robot:"
+    reviewers:
+      - "xsalazar"
+    schedule:
+      interval: "daily"
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    labels:
+      - "dependabot :robot:"
+    reviewers:
+      - "xsalazar"
+    schedule:
+      interval: "daily"
diff --git a/.github/workflows/auto_merge_dependabot.yml b/.github/workflows/auto_merge_dependabot.yml
@@ -0,0 +1,37 @@
+name: Auto Merge Dependabot PRs
+
+on:
+  pull_request_target:
+  workflow_dispatch:
+
+permissions:
+  pull-requests: write
+  contents: write
+
+jobs:
+  auto-merge:
+    runs-on: ubuntu-latest
+
+    # Checking the actor will prevent your Action run failing on non-Dependabot PRs
+    if: ${{ github.actor == 'dependabot[bot]' }}
+
+    steps:
+      - name: Fetch Dependabot PR metadata 🎣
+        id: dependabot-metadata
+        uses: dependabot/fetch-metadata@v1.6.0
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Approve Dependabot PR ✅
+        if: ${{steps.dependabot-metadata.outputs.update-type == 'version-update:semver-minor' || steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch'}}
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+      - name: Auto-merge Dependabot PR 🪄
+        if: ${{steps.dependabot-metadata.outputs.update-type == 'version-update:semver-minor' || steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch'}}
+        run: gh pr merge --merge "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/deploy_application.yml b/.github/workflows/deploy_application.yml
@@ -0,0 +1,59 @@
+name: Deploy Application
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "app/**"
+  workflow_dispatch:
+
+jobs:
+  Bootstrap:
+    name: Deploy Application
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Repository 📦
+        uses: actions/checkout@v3
+
+      - name: Configure AWS Credentials 🔑
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-west-2
+
+      - name: Setup Terraform 🏗
+        uses: hashicorp/setup-terraform@v2.0.3
+        with:
+          terraform_version: 1.1.2
+          terraform_wrapper: false # Necessary to access output
+
+      - name: Terraform Init ✨
+        id: init
+        run: terraform init -upgrade -var 'library_api_key=${{ secrets.LIBRARY_API_KEY }}'
+        working-directory: ./terraform
+
+      - name: Save Lambda function name to Environment Variables 💾
+        run: echo "LAMBDA_FUNCTION_NAME=$(terraform output -raw lambda_function)" >> $GITHUB_ENV
+        working-directory: ./terraform
+
+      - name: Setup Node 🏗
+        uses: actions/setup-node@v3
+        with:
+          node-version: "18"
+
+      - name: Install packages 📀
+        run: npm ci
+        working-directory: ./app
+
+      - name: Create Deployment Package 🎁
+        run: zip -r lambda.zip .
+        working-directory: ./app
+
+      - name: Deploy Lambda Function 🚀
+        env:
+          LAMBDA_FUNCTION_NAME: ${{ env.LAMBDA_FUNCTION_NAME }}
+        run: aws lambda update-function-code --function-name $LAMBDA_FUNCTION_NAME --zip-file fileb://lambda.zip
+        working-directory: ./app
diff --git a/.github/workflows/deploy_infrastructure.yml b/.github/workflows/deploy_infrastructure.yml
@@ -0,0 +1,41 @@
+name: Deploy Infrastructure
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "terraform/**"
+  workflow_dispatch:
+
+jobs:
+  Bootstrap:
+    name: Deploy Infrastructure
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Repository 📦
+        uses: actions/checkout@v3
+
+      - name: Configure AWS Credentials 🔑
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-west-2
+
+      - name: Setup Terraform 🏗
+        uses: hashicorp/setup-terraform@v2.0.3
+        with:
+          terraform_version: 1.1.2
+          terraform_wrapper: false # Necessary to access output
+
+      - name: Terraform Init ✨
+        id: init
+        run: terraform init -upgrade -var 'library_api_key=${{ secrets.LIBRARY_API_KEY }}'
+        working-directory: ./terraform
+
+      - name: Terraform Apply 🚀
+        id: apply
+        run: terraform apply -auto-approve -var 'library_api_key=${{ secrets.LIBRARY_API_KEY }}'
+        working-directory: ./terraform
diff --git a/.gitignore b/.gitignore
diff --git a/.vscode/extensions.json b/.vscode/extensions.json
@@ -0,0 +1,3 @@
+{
+  "recommendations": ["hediet.vscode-drawio"]
+}
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -0,0 +1,7 @@
+{
+  "editor.formatOnSave": true,
+  "[terraform]": {
+    "editor.formatOnSave": true,
+    "editor.defaultFormatter": "hashicorp.terraform"
+  }
+}
diff --git a/terraform/dummy-lambda-package/app.js b/terraform/dummy-lambda-package/app.js
@@ -0,0 +1,3 @@
+exports.handler = async (event, context) => {
+  return "👋 Hello World";
+};
diff --git a/terraform/dummy-lambda-package/lambda.zip b/terraform/dummy-lambda-package/lambda.zip
diff --git a/terraform/gateway.tf b/terraform/gateway.tf
@@ -0,0 +1,55 @@
+resource "aws_apigatewayv2_api" "instance" {
+  name                         = "emoji-kitchen-api-gateway"
+  protocol_type                = "HTTP"
+  disable_execute_api_endpoint = true
+
+  cors_configuration {
+    allow_origins = ["https://emojikitchen.dev"]
+    allow_methods = ["GET"]
+    allow_headers = ["*"]
+  }
+}
+
+resource "aws_apigatewayv2_api_mapping" "instance" {
+  api_id      = aws_apigatewayv2_api.instance.id
+  domain_name = aws_apigatewayv2_domain_name.instance.id
+  stage       = "$default"
+}
+
+resource "aws_apigatewayv2_domain_name" "instance" {
+  domain_name = "backend.emojikitchen.dev"
+
+  domain_name_configuration {
+    certificate_arn = data.aws_acm_certificate.instance.arn
+    endpoint_type   = "REGIONAL"
+    security_policy = "TLS_1_2"
+  }
+}
+
+data "aws_acm_certificate" "instance" {
+  domain = "*.emojikitchen.dev"
+}
+
+resource "aws_apigatewayv2_integration" "instance" {
+  api_id                 = aws_apigatewayv2_api.instance.id
+  integration_type       = "AWS_PROXY"
+  integration_uri        = aws_lambda_function.instance.invoke_arn
+  payload_format_version = "2.0"
+}
+
+resource "aws_apigatewayv2_route" "get_instance" {
+  api_id    = aws_apigatewayv2_api.instance.id
+  route_key = "GET /"
+  target    = "integrations/${aws_apigatewayv2_integration.instance.id}"
+}
+
+resource "aws_apigatewayv2_stage" "instance" {
+  api_id      = aws_apigatewayv2_api.instance.id
+  name        = "$default"
+  auto_deploy = true
+
+  default_route_settings {
+    throttling_burst_limit = 50
+    throttling_rate_limit  = 50
+  }
+}
diff --git a/terraform/iam.tf b/terraform/iam.tf
@@ -0,0 +1,67 @@
+data "aws_iam_policy_document" "assume_role_policy_document" {
+  version = "2012-10-17"
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      identifiers = ["lambda.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+}
+
+data "aws_iam_policy_document" "lambda_access_policy_document" {
+  version = "2012-10-17"
+
+  // From AWSLambdaVPCAccessExecutionRole
+  statement {
+    effect = "Allow"
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+      "ec2:CreateNetworkInterface",
+      "ec2:DescribeNetworkInterfaces",
+      "ec2:DeleteNetworkInterface",
+      "ec2:AssignPrivateIpAddresses",
+      "ec2:UnassignPrivateIpAddresses"
+    ]
+    resources = ["*"]
+  }
+
+  // For S3 access
+  statement {
+    effect    = "Allow"
+    actions   = ["s3:*"]
+    resources = ["${aws_s3_bucket.instance.arn}", "${aws_s3_bucket.instance.arn}/*"]
+  }
+}
+
+resource "aws_iam_role" "instance" {
+  name               = "lambda-iam-role-emoji-kitchen"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy_document.json
+}
+
+resource "aws_iam_policy" "instance" {
+  name   = "lambda-emoji-kitchen-iam-policy"
+  policy = data.aws_iam_policy_document.lambda_access_policy_document.json
+}
+
+resource "aws_iam_role_policy_attachment" "instance" {
+  role       = aws_iam_role.instance.id
+  policy_arn = aws_iam_policy.instance.arn
+}
+
+resource "aws_lambda_permission" "lambda_root_permission" {
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.instance.function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${aws_apigatewayv2_api.instance.execution_arn}/*/*/"
+}
+
+resource "aws_lambda_permission" "lambda_proxy_permission" {
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.instance.function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${aws_apigatewayv2_api.instance.execution_arn}/*/*/*"
+}
diff --git a/terraform/lambda.tf b/terraform/lambda.tf
@@ -0,0 +1,23 @@
+resource "aws_lambda_function" "instance" {
+  function_name = "emoji-kitchen"
+  filename      = "${path.module}/dummy-lambda-package/lambda.zip" // Simple hello world application
+  role          = aws_iam_role.instance.arn
+  handler       = "app.handler"
+  runtime       = "nodejs18.x"
+  timeout       = 60  // seconds
+  memory_size   = 512 // MB
+
+  // Since CI/CD will deploy this application externally, these do not need to be tracked after creation
+  lifecycle {
+    ignore_changes = [
+      last_modified,
+      source_code_hash,
+      source_code_size
+    ]
+  }
+}
+
+resource "aws_cloudwatch_log_group" "instance" {
+  name              = "/aws/lambda/${aws_lambda_function.instance.function_name}"
+  retention_in_days = 30 // days
+}
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -0,0 +1,27 @@
+terraform {
+  required_version = "~> 1.1.2"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.65.0"
+    }
+  }
+  backend "s3" {
+    bucket = "xsalazar-terraform-state"
+    key    = "emoji-kitchen/terraform.tfstate"
+    region = "us-west-2"
+  }
+}
+
+provider "aws" {
+  region = "us-west-2"
+  default_tags {
+    tags = {
+      CreatedBy = "terraform"
+    }
+  }
+}
+
+output "lambda_function" {
+  value = aws_lambda_function.instance.function_name
+}
diff --git a/terraform/s3.tf b/terraform/s3.tf
@@ -0,0 +1,3 @@
+resource "aws_s3_bucket" "instance" {
+  bucket = "xsalazar-emoji-kitchen-data"
+}