Deploy vengeful vineyard to AWS Lambda/API Gateway (#662)

See dotkom/vengeful-vineyard#267 Depends on #661
dotkom · Oct 30, 2023 · f1f4c58 · f1f4c58 · vercel · Oct 30, 2023
1 parent 8ea6eab
commit f1f4c58
Show file tree

Hide file tree

Showing 11 changed files with 213 additions and 24 deletions.
diff --git a/infra/.terraform.lock.hcl b/infra/.terraform.lock.hcl
diff --git a/infra/auth.tf b/infra/auth.tf
@@ -17,7 +17,7 @@ module "post_signup_trigger_lambda" {
   ecr_repository_name   = "dispatcher-auth-${terraform.workspace}"
   function_name         = "dispatcher-auth-${terraform.workspace}"
   execution_role_name   = "DispatcherAuthExecuteRole${title(terraform.workspace)}"
-  environment_variables = local.aws_safe_doppler_secrets
+  environment_variables = local.monoweb_aws_safe_doppler_secrets
 
   tags = {
     Project     = "monoweb"

diff --git a/infra/doppler.tf b/infra/doppler.tf
@@ -1,10 +1,32 @@
 data "doppler_secrets" "monoweb" {
   config  = terraform.workspace
   project = "monoweb"
+
+  provider = doppler.monoweb
 }
 
 locals {
-  aws_safe_doppler_secrets = {
-    for key, value in data.doppler_secrets.monoweb.map : key => value if !contains(["AWS_REGION", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"], key)
+  forbidden_aws_lambda_keys = [
+    "AWS_REGION",
+    "AWS_DEFAULT_REGION",
+    "AWS_ACCESS_KEY",
+    "AWS_ACCESS_KEY_ID",
+    "AWS_SECRET_ACCESS_KEY",
+    "AWS_SESSION_TOKEN"
+  ]
+
+  monoweb_aws_safe_doppler_secrets = {
+    for key, value in data.doppler_secrets.monoweb.map : key => value if !contains(local.forbidden_aws_lambda_keys, key)
+  }
+
+  vengeful_aws_safe_doppler_secrets = {
+    for key, value in data.doppler_secrets.vengeful.map : key => value if !contains(local.forbidden_aws_lambda_keys, key)
   }
 }
+
+data "doppler_secrets" "vengeful" {
+  project = "vengeful-vineyard"
+  config  = terraform.workspace
+
+  provider = doppler.vengeful
+}
diff --git a/infra/modules/aws-docker-lambda/lambda.tf b/infra/modules/aws-docker-lambda/lambda.tf
@@ -4,6 +4,7 @@ resource "aws_lambda_function" "this" {
   timeout       = var.function_timeout
   image_uri     = "${aws_ecr_repository.this.repository_url}:latest"
   package_type  = "Image"
+  memory_size   = var.memory
 
   environment {
     variables = var.environment_variables

diff --git a/infra/modules/aws-docker-lambda/variables.tf b/infra/modules/aws-docker-lambda/variables.tf
@@ -9,6 +9,12 @@ variable "function_timeout" {
   default     = 60
 }
 
+variable "memory" {
+  description = "How much memory to allocate to lambda in MB"
+  type        = number
+  default     = 128
+}
+
 variable "environment_variables" {
   description = "Environment variables to attach to the lambda"
   type        = map(string)

diff --git a/infra/modules/aws-s3-public-bucket/cloudfront.tf b/infra/modules/aws-s3-public-bucket/cloudfront.tf
@@ -1,21 +1,20 @@
-resource "aws_cloudfront_origin_access_identity" "this" {
-  comment = "${var.domain_name}/aws-cloudfront-origin-access-identity"
-}
-
 resource "aws_cloudfront_distribution" "this" {
   origin {
-    domain_name = aws_s3_bucket.this.bucket_domain_name
+    domain_name = aws_s3_bucket_website_configuration.this.website_endpoint
     origin_id   = "s3"
 
-    s3_origin_config {
-      origin_access_identity = aws_cloudfront_origin_access_identity.this.cloudfront_access_identity_path
+    custom_origin_config {
+      http_port              = 80
+      https_port             = 443
+      origin_protocol_policy = "http-only"
+      origin_ssl_protocols   = ["TLSv1.2"]
     }
   }
 
   enabled         = true
   is_ipv6_enabled = true
 
-  default_root_object = "_index.html"
+  default_root_object = "index.html"
   aliases             = [var.domain_name]
   price_class         = "PriceClass_100"
 

diff --git a/infra/modules/aws-s3-public-bucket/iam.tf b/infra/modules/aws-s3-public-bucket/iam.tf
@@ -1,13 +1,11 @@
 data "aws_iam_policy_document" "cdn" {
   version = "2008-10-17"
   statement {
-    sid    = "AllowCloudFrontReadOnly"
+    sid    = "AllowPublicRead"
     effect = "Allow"
     principals {
-      type = "AWS"
-      identifiers = [
-        aws_cloudfront_origin_access_identity.this.iam_arn
-      ]
+      type        = "*"
+      identifiers = ["*"]
     }
     actions = ["s3:GetObject"]
     resources = [

diff --git a/infra/modules/aws-s3-public-bucket/outputs.tf b/infra/modules/aws-s3-public-bucket/outputs.tf
@@ -0,0 +1,3 @@
+output "domain_name" {
+  value = aws_cloudfront_distribution.this.domain_name
+}
diff --git a/infra/modules/aws-s3-public-bucket/s3.tf b/infra/modules/aws-s3-public-bucket/s3.tf
@@ -34,9 +34,8 @@ resource "aws_s3_bucket_website_configuration" "this" {
 resource "aws_s3_bucket_public_access_block" "this" {
   bucket = aws_s3_bucket.this.id
 
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
+  block_public_acls       = false
+  block_public_policy     = false
   restrict_public_buckets = false
 }
 

diff --git a/infra/providers.tf b/infra/providers.tf
@@ -37,13 +37,24 @@ provider "vercel" {
   team = "dotkom"
 }
 
-variable "doppler_token" {
-  description = "TF Variable for the doppler token"
+variable "doppler_token_monoweb" {
+  description = "TF Variable for the monoweb doppler token"
   type        = string
 }
 
 provider "doppler" {
-  doppler_token = var.doppler_token
+  doppler_token = var.doppler_token_monoweb
+  alias         = "monoweb"
+}
+
+variable "doppler_token_vengeful" {
+  description = "TF Variable for the vengeful doppler token"
+  type        = string
+}
+
+provider "doppler" {
+  doppler_token = var.doppler_token_vengeful
+  alias         = "vengeful"
 }
 
 provider "neon" {}
diff --git a/infra/vengeful-vineyard.tf b/infra/vengeful-vineyard.tf
@@ -1,9 +1,136 @@
 locals {
-  vengeful_project_name = "vengeful-vineyard-${terraform.workspace}"
+  vengeful_project_name    = "vengeful-vineyard-${terraform.workspace}"
+  vengeful_domain_name     = "${terraform.workspace}.redwine.online.ntnu.no"
+  vengeful_cdn_domain_name = "${terraform.workspace}.redwine-static.online.ntnu.no"
 }
 
 module "vengeful_database" {
-  source       = "./modules/neon-project"
+  source = "./modules/neon-project"
+
   project_name = local.vengeful_project_name
   role_name    = "vengeful"
 }
+
+module "vengeful_lambda" {
+  source = "./modules/aws-docker-lambda"
+
+  ecr_repository_name   = "vengeful-vineyard-${terraform.workspace}"
+  function_name         = "vengeful-vineyard-${terraform.workspace}"
+  execution_role_name   = "VengefulVineyardExecutionRole${title(terraform.workspace)}"
+  iam_inline_policies   = []
+  environment_variables = local.vengeful_aws_safe_doppler_secrets
+  memory                = 1024
+
+  tags = {
+    Project     = "vengeful-vineyard"
+    Environment = terraform.workspace
+  }
+}
+
+module "vengeful_gateway_domain_certificate" {
+  source = "./modules/aws-acm-certificate"
+
+  domain  = local.vengeful_domain_name
+  zone_id = local.zone_id
+
+  tags = {
+    Project     = "vengeful-vineyard"
+    Environment = terraform.workspace
+  }
+
+  providers = {
+    aws.regional = aws.eu-north-1
+  }
+}
+
+module "vengeful_gateway_proxy" {
+  source = "./modules/aws-api-gateway"
+
+  domain          = local.vengeful_domain_name
+  zone_id         = local.zone_id
+  certificate_arn = module.vengeful_gateway_domain_certificate.certificate_arn
+
+  tags = {
+    Project     = "vengeful-vineyard"
+    Environment = terraform.workspace
+  }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Connect backend lambda to API Gateway
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_apigatewayv2_integration" "vengeful_backend_lambda" {
+  api_id                 = module.vengeful_gateway_proxy.api_gateway_id
+  integration_type       = "AWS_PROXY"
+  integration_method     = "POST"
+  integration_uri        = module.vengeful_lambda.lambda_invoke_arn
+  payload_format_version = "1.0"
+}
+
+resource "aws_apigatewayv2_route" "vengeful_backend_lambda" {
+  api_id    = module.vengeful_gateway_proxy.api_gateway_id
+  route_key = "ANY /api/{proxy+}"
+  target    = "integrations/${aws_apigatewayv2_integration.vengeful_backend_lambda.id}"
+}
+
+resource "aws_lambda_permission" "vengeful_backend_gateway_lambda" {
+  statement_id  = "APIGatewayExecuteLambda"
+  action        = "lambda:InvokeFunction"
+  principal     = "apigateway.amazonaws.com"
+  function_name = module.vengeful_lambda.lambda_name
+  source_arn    = "${module.vengeful_gateway_proxy.api_gateway_execution_arn}/*/*"
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Define static bucket for frontend Vite app
+# ---------------------------------------------------------------------------------------------------------------------
+
+module "vengeful_cdn_domain_certificate" {
+  source = "./modules/aws-acm-certificate"
+
+  domain  = local.vengeful_cdn_domain_name
+  zone_id = local.zone_id
+
+  tags = {
+    Project     = "vengeful-vineyard"
+    Environment = terraform.workspace
+  }
+
+  providers = {
+    aws.regional = aws.us-east-1
+  }
+}
+
+module "vengeful_cdn_bucket" {
+  source = "./modules/aws-s3-public-bucket"
+
+  certificate_arn = module.vengeful_cdn_domain_certificate.certificate_arn
+  domain_name     = local.vengeful_cdn_domain_name
+  zone_id         = local.zone_id
+
+  tags = {
+    Project     = "vengeful-vineyard"
+    Environment = terraform.workspace
+  }
+
+  depends_on = [module.vengeful_cdn_domain_certificate]
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Connect static bucket CDN to API Gateway
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_apigatewayv2_integration" "vengeful_cdn" {
+  api_id               = module.vengeful_gateway_proxy.api_gateway_id
+  integration_type     = "HTTP_PROXY"
+  integration_method   = "GET"
+  integration_uri      = "https://${module.vengeful_cdn_bucket.domain_name}"
+  passthrough_behavior = "WHEN_NO_MATCH"
+}
+
+resource "aws_apigatewayv2_route" "vengeful_cdn" {
+  api_id    = module.vengeful_gateway_proxy.api_gateway_id
+  route_key = "$default"
+  target    = "integrations/${aws_apigatewayv2_integration.vengeful_cdn.id}"
+}