Add IaC and CI/CD workflows (issue #7)

.dockerignore

@@ -0,0 +1,18 @@
+**/node_modules
+**/dist
+.redwood
+
+.env
+
+README.md
+LICENSE
+
+.git
+.gitignore
+
+.vscode
+.editorconfig
+
+Dockerfile
+docker-compose*
+.dockerignore

.env.defaults

@@ -0,0 +1,28 @@
+# These environment variables will be used by default if you do not create any
+# yourself in .env. This file should be safe to check into your version control
+# system. Any custom values should go in .env and .env should *not* be checked
+# into version control.
+
+# schema.prisma defaults
+DATABASE_URL=file:./dev.db
+DATABASE_URL_IAM_AUTH=false
+DATABASE_SECRET_SOURCE=''
+DATABASE_SECRET_PARAMETER_PATH=''
+
+# location of the test database for api service scenarios (defaults to ./.redwood/test.db if not set)
+# TEST_DATABASE_URL=file:./.redwood/test.db
+
+# disables Prisma CLI update notifier
+PRISMA_HIDE_UPDATE_MESSAGE=true
+
+# Option to override the current environment's default api-side log level
+# See: https://redwoodjs.com/docs/logger for level options, defaults to "trace" otherwise.
+# Most applications want "debug" or "info" during dev, "trace" when you have issues and "warn" in production.
+# Ordered by how verbose they are: trace | debug | info | warn | error | silent
+LOG_LEVEL=debug
+
+# AWS environment defaults
+AWS_REGION=us-west-2
+AWS_DEFAULT_REGION=us-west-2
+AWS_ACCESS_KEY_ID=test
+AWS_SECRET_ACCESS_KEY=test

.gitattributes

@@ -0,0 +1,21 @@
+# Consider all files text by default; enforce unix line endings
+*                   text eol=lf
+
+# Treat these files as binary so git doesn't show massive diffs
+/.yarn/releases/**  binary
+/.yarn/plugins/**   binary
+
+# Windows-specific files that need windows-style endings to work
+*.bat               text eol=crlf
+
+# Files that are actually binary
+*.data              binary
+*.eot               binary
+*.gif               binary
+*.ico               binary
+*.jar               binary
+*.jpg               binary
+*.png               binary
+*.ttf               binary
+*.woff              binary
+*.woff2             binary

.github/CODEOWNERS

@@ -0,0 +1,14 @@
+# Require admin approval for GitHub settings and workflow modifications
+/.github/  @usdigitalresponse/grants-admins
+
+# Require admin approval for Terraform IAC modifications
+/terraform/ @usdigitalresponse/grants-admins
+
+# Require admin approval when Postgres root CA bundle is modified
+/api/db/rds-combined-ca-bundle.pem @usdigitalresponse/grants-admins
+
+# Require admin approval for special doc modifications
+README.md  @usdigitalresponse/grants-admins
+LICENSE  @usdigitalresponse/grants-admins
+CODE_OF_CONDUCT.md  @usdigitalresponse/grants-admins
+CONTRIBUTING.md @usdigitalresponse/grants-admins

.github/dependency-review-config.yml

@@ -0,0 +1,14 @@
+# Configuration for https://github.com/actions/dependency-review-action
+# Used in .github/workflows/code-scanning.yml
+
+fail_on_scopes:
+  - runtime
+
+# All allowances should provide details, including rationale.
+allow_ghsas:
+  # Only used during build / development:
+  - GHSA-pfrx-2q88-qq97  # Got allows a redirect to a UNIX socket (moderate severity)
+  - GHSA-9c47-m6qq-7p4h  # Prototype Pollution in JSON5 via Parse Method (high severity)
+  - GHSA-ww39-953v-wcq6  # glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex (high severity)
+  # Last remaining usage of vulnerable semver (7.0.0) is used for dev update notifications:
+  - GHSA-c2qf-rxjj-qqgw  # semver vulnerable to Regular Expression Denial of Service (moderate severity)

.github/next_release_version.bash

@@ -0,0 +1,53 @@
+#! /bin/bash
+
+# Defaults
+next_version_release_year=$(TZ='UTC' date '+%Y')
+next_version_release_number=1
+
+if [[ $1 == 'test' ]]; then
+    echo 'Running tests...' >&2
+    dotest() {
+        result=$(bash $0 "release/${1}" 2> /dev/null | tail -n 1)
+        expect="${2}"
+        if [[ $result != $expect ]]; then
+            printf "Test failed:\n  Expected: $expect\n  Received: $result\n" >&2
+            exit 1
+        fi
+    }
+    dotest 'release/1234.987' "$next_version_release_year.1"
+    dotest 'release/0.0' "$next_version_release_year.1"
+    dotest 'release/0' "$next_version_release_year.1"
+    dotest 'sometag' "$next_version_release_year.1"
+    dotest "release/$next_version_release_year.1" "$next_version_release_year.2"
+    dotest "release/$next_version_release_year.19" "$next_version_release_year.20"
+    dotest "release/$next_version_release_year.399" "$next_version_release_year.400"
+    echo 'Tests complete' >&2
+    exit 0
+fi
+
+if [[ -z $1 ]]; then
+    # Ensure tag history is available
+    git fetch --prune --unshallow
+    tag=$(git describe --tags --match='release/[0-9][0-9][0-9][0-9].[0-9]*' refs/heads/main)
+else
+    tag=$1
+fi
+
+regex='release\/([0-9]{4})\.([0-9]+)'
+if [[ $tag =~ $regex ]]; then
+    echo "Found tag for previous release: $tag" >&2
+    prev_version_release_number="${BASH_REMATCH[2]}"
+    echo "Previous version number: $prev_version_release_number" >&2
+    if [[ $next_version_release_year == "${BASH_REMATCH[1]}" ]]; then
+        ((next_version_release_number=prev_version_release_number+1))
+    else
+        echo "Ignoring previous version number because it pertains to a different year" >&2
+    fi
+else
+    echo "Could not locate a previous release version" >&2
+fi
+
+next_version="$next_version_release_year.$next_version_release_number"
+echo "Next version: $next_version" >&2
+# Output result to stdout
+printf "$next_version"

.github/release-drafter.yml

@@ -0,0 +1,120 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/release-drafter/release-drafter/master/schema.json
+name-template: 'v$RESOLVED_VERSION'
+tag-template: 'release/$RESOLVED_VERSION'
+tag-prefix: 'release/'
+version-template: '2023.$MINOR'
+version-resolver:
+  default: minor
+prerelease: true
+categories:
+  - title: 🚀 New features and enhancements
+    collapse-after: 10
+    labels:
+      - enhancement
+  - title: 🐛 Bug fixes
+    collapse-after: 10
+    labels:
+      - bug
+  - title: 📖 Documentation improvements
+    collapse-after: 10
+    labels:
+      - documentation
+  - title: 🔧 Dependency updates
+    collapse-after: 3
+    labels:
+      - dependencies
+  - title: Other changes
+    labels:
+      - '*'
+category-template: '### $TITLE'
+exclude-labels:
+  - skip-changelog
+exclude-contributors:
+  - dependabot
+  - 'dependabot[bot]'
+  - step-security-bot
+autolabeler:
+  - label: javascript
+    files:
+      - '**/*.js'
+      - '**/*.ts'
+      - '**/package.json'
+      - 'api/**'
+      - 'web/**'
+      - '**/yarn.lock'
+      - '**/.npmrc'
+      - '**/.nvmrc'
+      - '**/.nycrc'
+      - '**/eslintrc.js'
+      - '**/.browserslistrc'
+  - label: database
+    files:
+      - 'api/db/**'
+  - label: terraform
+    files:
+      - 'terraform/**'
+  - label: infra
+    files:
+      - 'terraform/**'
+      - 'Dockerfile'
+      - '**/docker-compose.yml'
+      - '**/docker-compose.yaml'
+      - '**/docker-compose.*.yml'
+      - '**/docker-compose.*.yaml'
+      - 'localstack/**'
+  - label: dependencies
+    files:
+      - '**/yarn.lock'
+      - '**/.terraform.lock.hcl'
+    branch:
+      - '/^dependabot\/.+$/i'
+  - label: documentation
+    files:
+      - README
+      - '**/doc/**'
+      - '**/docs/**'
+      - '**/*.md'
+      - .adr-dir
+    branch:
+      - '/^docs?\/.+$/'
+  - label: bug
+    branch:
+      - '/^fix\/.+$/i'
+      - '/^bug\/.+$/i'
+    title:
+      - '/\bfix(es)?\b/i'
+      - '/\bbug\b/i'
+      - '/\brevert(s)?\b/i'
+  - label: enhancement
+    branch:
+      - '/^feat(ures?)?\/.+$/i'
+      - '/^enhance(s|ments?)?\/.+$/i'
+    title:
+      - '/\b(?<!^chores?\b.*)feat(ures?)?\b/i'
+      - '/\b(?<!^chores?\b.*)enhance(s|ment)?\b/i'
+  - label: github
+    files:
+      - '.github/**'
+      - '**/.gitignore'
+      - '**/.gitattributes'
+      - '**/CODEOWNERS'
+change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
+change-title-escapes: '\<*_&'
+no-contributors-template: >-
+  '*All changes in this release were crafted by robots (and reviewed by humans).*'
+template: |
+  ## 📚 Summary
+
+  The releaser should provide a high-level summary here (or remove this section).
+
+  ## 🛠️ Changes
+
+  $CHANGES
+
+  ## 🤝 Contributors
+
+  We would like to thank the following people who made this release possible:
+
+  $CONTRIBUTORS
+
+  ## Deployment History

.github/workflows/aws-auth.yml

@@ -0,0 +1,69 @@
+name: Configure AWS Credentials
+
+on:
+  workflow_call:
+    inputs:
+      aws-region:
+        type: string
+        required: true
+    secrets:
+      role-to-assume:
+        required: true
+      gpg-passphrase:
+        required: true
+    outputs:
+      aws-access-key-id:
+        value: ${{ jobs.oidc-auth.outputs.aws-access-key-id }}
+      aws-secret-access-key:
+        value: ${{ jobs.oidc-auth.outputs.aws-secret-access-key }}
+      aws-session-token:
+        value: ${{ jobs.oidc-auth.outputs.aws-session-token }}
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  oidc-auth:
+    name: OIDC Auth
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    outputs:
+      aws-access-key-id: ${{ steps.encrypt-aws-access-key-id.outputs.out }}
+      aws-secret-access-key: ${{ steps.encrypt-aws-secret-access-key.outputs.out }}
+      aws-session-token: ${{ steps.encrypt-aws-session-token.outputs.out }}
+    steps:
+      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            sts.us-west-2.amazonaws.com:443
+      - id: auth
+        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+        with:
+          aws-region: us-west-2
+          role-to-assume: "${{ secrets.role-to-assume }}"
+      - name: Encrypt aws-access-key-id
+        id: encrypt-aws-access-key-id
+        run: |
+          encrypted=$(gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 -o - <(echo "$AWS_ACCESS_KEY_ID") | base64 -w0)
+          echo "out=$encrypted" >> $GITHUB_OUTPUT
+        env:
+          GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }}
+      - name: Encrypt aws-secret-access-key
+        id: encrypt-aws-secret-access-key
+        run: |
+          encrypted=$(gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 -o - <(echo "$AWS_SECRET_ACCESS_KEY") | base64 -w0)
+          echo "out=$encrypted" >> $GITHUB_OUTPUT
+        env:
+          GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }}
+      - name: Encrypt aws-session-token
+        id: encrypt-aws-session-token
+        run: |
+          encrypted=$(gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 -o - <(echo "$AWS_SESSION_TOKEN") | base64 -w0)
+          echo "out=$encrypted" >> $GITHUB_OUTPUT
+        env:
+          GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }}