fix(infra): fix infra

luke-h1 · Jan 2, 2025 · f3e1716 · f3e1716
1 parent ecce942
commit f3e1716
Show file tree

Hide file tree

Showing 7 changed files with 205 additions and 5 deletions.
diff --git a/docker/api/Dockerfile b/docker/api/Dockerfile
@@ -2,7 +2,8 @@ FROM --platform=linux/amd64 node:20.11.0-alpine AS base
 
 ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"
-
+ENV COREPACK_ENABLE_NETWORK=0
+RUN npm config set strict-ssl false
 RUN npm i -g pnpm@9.7.0
 
 WORKDIR /app
@@ -42,6 +43,9 @@ COPY --from=builder /app/tsconfig.json .
 COPY --from=builder /app/apps/api ./apps/api/
 COPY --from=builder /app/packages/validation ./packages/validation/
 
+ENV COREPACK_ENABLE_NETWORK=0
+RUN npm config set strict-ssl false
+
 RUN npm i -g pnpm@9.7.0
 
 WORKDIR /app/apps/api

diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
diff --git a/terraform/app-runner.tf b/terraform/app-runner.tf
@@ -19,7 +19,7 @@ resource "aws_default_subnet" "application_subnet_c" {
   availability_zone = "eu-west-2c"
 }
 
-resource "aws_security_group" "sg" {
+resource "aws_security_group" "app_runner_sg" {
   name   = "${var.project_name}-${var.env}-app-runner-security-group"
   vpc_id = aws_default_vpc.default_vpc.id
   ingress {
@@ -195,9 +195,9 @@ resource "aws_apprunner_service" "app_runner_service" {
       image_configuration {
         port = 8000
 
+
         runtime_environment_secrets = {
           REDIS_URL                   = aws_ssm_parameter.redis_url.arn
-          DATABASE_URL                = aws_ssm_parameter.database_url.arn
           SESSION_SECRET              = aws_ssm_parameter.session_secret.arn
           S3_ASSETS_BUCKET            = aws_ssm_parameter.s3_assets_bucket.arn
           S3_ASSETS_BUCKET_REGION     = aws_ssm_parameter.s3_assets_region.arn
@@ -207,6 +207,7 @@ resource "aws_apprunner_service" "app_runner_service" {
         }
 
         runtime_environment_variables = {
+          DATABASE_URL = var.database_url
           API_BASE_URL = "${var.api_base_url}"
           DEPLOYED_BY  = "${var.deployed_by}"
           DEPLOYED_AT  = "${var.deployed_at}"
@@ -256,6 +257,6 @@ resource "aws_apprunner_vpc_connector" "app_runner_vpc_connector" {
     aws_default_subnet.application_subnet_b.id,
     aws_default_subnet.application_subnet_c.id
   ]
-  security_groups = [aws_security_group.sg.id]
+  security_groups = [aws_security_group.app_runner_sg.id]
 
 }
diff --git a/terraform/db-vpc.tf b/terraform/db-vpc.tf
@@ -0,0 +1,104 @@
+locals {
+  vpc_az_a                              = "eu-west-2a"
+  vpc_az_b                              = "eu-west-2b"
+  vpc_cidr                              = "10.0.0.0/16"
+  vpc_public_az_a_subnet_cidr           = "10.0.0.0/24"
+  vpc_public_az_a_subnet_app_ip_address = "10.0.0.4"
+  vpc_db_az_a_subnet_cidr               = "10.0.11.0/24"
+  vpc_db_az_b_subnet_cidr               = "10.0.12.0/24"
+}
+
+# see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway
+resource "aws_internet_gateway" "main" {
+  vpc_id = aws_vpc.db_vpc.id
+  tags = {
+    Name = var.project_name
+  }
+}
+
+# see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc
+resource "aws_vpc" "db_vpc" {
+  cidr_block = local.vpc_cidr
+  tags = {
+    Name = var.project_name
+  }
+}
+
+# see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet
+resource "aws_subnet" "public_az_a" {
+  vpc_id            = aws_vpc.db_vpc.id
+  availability_zone = local.vpc_az_a
+  cidr_block        = local.vpc_public_az_a_subnet_cidr
+  tags = {
+    Name = "${var.project_name}-public-az-a"
+  }
+}
+
+# see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table
+resource "aws_route_table" "public" {
+  vpc_id = aws_vpc.db_vpc.id
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.main.id
+  }
+  tags = {
+    Name = "${var.project_name}-public"
+  }
+}
+
+# see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association
+resource "aws_route_table_association" "public_az_a" {
+  subnet_id      = aws_subnet.public_az_a.id
+  route_table_id = aws_route_table.public.id
+}
+
+# see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet
+resource "aws_subnet" "db_az_a" {
+  vpc_id            = aws_vpc.db_vpc.id
+  availability_zone = local.vpc_az_a
+  cidr_block        = local.vpc_db_az_a_subnet_cidr
+  tags = {
+    Name = "${var.project_name}-db-az-a"
+  }
+}
+
+# see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet
+resource "aws_subnet" "db_az_b" {
+  vpc_id            = aws_vpc.db_vpc.id
+  availability_zone = local.vpc_az_b
+  cidr_block        = local.vpc_db_az_b_subnet_cidr
+  tags = {
+    Name = "${var.project_name}-db-az-b"
+  }
+}
+
+# see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group
+resource "aws_db_subnet_group" "db" {
+  name       = "${var.project_name}-db"
+  subnet_ids = [aws_subnet.db_az_a.id, aws_subnet.db_az_b.id]
+  tags = {
+    Name = var.project_name
+  }
+}
+
+# see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
+resource "aws_security_group" "db" {
+  vpc_id      = aws_vpc.db_vpc.id
+  name        = "db"
+  description = "PostgreSQL Database"
+  tags = {
+    Name = "${var.project_name}-db"
+  }
+}
+
+# see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule
+resource "aws_vpc_security_group_ingress_rule" "db_postgresql" {
+  security_group_id = aws_security_group.db.id
+  ip_protocol       = "tcp"
+  cidr_ipv4         = local.vpc_public_az_a_subnet_cidr
+  from_port         = 5432
+  to_port           = 5432
+  tags = {
+    Name = "${var.project_name}-db-postgresql"
+  }
+}
diff --git a/terraform/db.tf b/terraform/db.tf
@@ -0,0 +1,62 @@
+locals {
+  # see https://github.com/porsager/postgres/blob/v3.4.4/src/index.js#L535-L557
+  db_db_admin_connection_string = format(
+    "postgres://%s:%s@%s?sslmode=verify-full",
+    urlencode(aws_rds_cluster.db.master_username),
+    urlencode(aws_rds_cluster.db.master_password),
+    aws_rds_cluster.db.endpoint
+  )
+}
+
+
+data "aws_availability_zones" "available" {}
+
+# see https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password
+resource "random_password" "db_db_admin_password" {
+  length           = 16 # min 8.
+  min_lower        = 1
+  min_upper        = 1
+  min_numeric      = 1
+  min_special      = 1
+  override_special = "!#$%&*()-_=+[]{}<>:?" # NB cannot contain /'"@
+}
+
+resource "aws_rds_cluster" "db" {
+  cluster_identifier     = "${var.project_name}-${var.env}-db"
+  engine                 = "aurora-postgresql"
+  engine_mode            = "provisioned"
+  engine_version         = "16.2"
+  master_username        = "postgres"
+  master_password        = random_password.db_db_admin_password.result
+  db_subnet_group_name   = aws_db_subnet_group.db.name
+  vpc_security_group_ids = [aws_security_group.db.id]
+  availability_zones     = [local.vpc_az_a]
+  skip_final_snapshot    = true
+  apply_immediately      = true
+
+  serverlessv2_scaling_configuration {
+    min_capacity = 0.5
+    max_capacity = 1.0
+  }
+  tags = {
+    Name = var.project_name
+  }
+  lifecycle {
+    ignore_changes = [
+      availability_zones,
+    ]
+  }
+}
+
+resource "aws_rds_cluster_instance" "db" {
+  count              = 1
+  cluster_identifier = aws_rds_cluster.db.id
+  identifier         = "${var.project_name}-${var.env}-${count.index}"
+  instance_class     = "db.serverless"
+  engine             = aws_rds_cluster.db.engine
+  engine_version     = aws_rds_cluster.db.engine_version
+  apply_immediately  = aws_rds_cluster.db.apply_immediately
+  tags = {
+    Name = "${var.project_name}-${var.env}-${count.index}"
+  }
+}
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
@@ -3,3 +3,13 @@ output "ecr_repo_name" {
   value       = aws_ecr_repository.ecr_repo.name
 }
 
+output "db_connection_string" {
+  description = "DB connection string for API"
+  value = format(
+    "postgres://%s:%s@%s?sslmode=verify-full",
+    urlencode(aws_rds_cluster.db.master_username),
+    urlencode(aws_rds_cluster.db.master_password),
+    aws_rds_cluster.db.endpoint
+  )
+  sensitive = true
+}
diff --git a/terraform/ssm.tf b/terraform/ssm.tf
@@ -5,7 +5,7 @@ resource "aws_ssm_parameter" "redis_url" {
 }
 
 resource "aws_ssm_parameter" "database_url" {
-  name  = "/${var.project_name}-${var.env}/app/database_url"
+  name  = "/${var.project_name}-${var.env}/app/db_url"
   type  = "SecureString"
   value = var.database_url
 }