Merge pull request #20 from enricogoerlitz/dev

Dev

.github/workflows/cd-terraform.yml

@@ -0,0 +1,110 @@
+name: Terraform Deployment
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+permissions:
+      id-token: write # This is required for aws oidc connection
+      contents: read # This is required for actions/checkout
+      pull-requests: write # This is required for gh bot to comment PR
+
+env:
+  TF_LOG: INFO
+  AWS_REGION: ${{ secrets.AWS_REGION }}
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+
+    defaults:
+      run:
+        shell: bash
+        working-directory: ./terraform
+
+    steps:
+      - name: Git checkout
+        uses: actions/checkout@v3
+
+      - name: Configure AWS credentials from AWS account
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE }}
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-session-name: GitHub-OIDC-TERRAFORM
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.5.7
+
+      - name: Terraform fmt
+        id: fmt
+        run: terraform fmt -check
+        continue-on-error: true
+
+      - name: Terraform Init
+        id: init
+        env:
+          AWS_BUCKET_NAME: ${{ secrets.AWS_BUCKET_NAME }}
+          AWS_BUCKET_KEY_NAME: ${{ secrets.AWS_BUCKET_KEY_NAME }}
+        run: terraform init -backend-config="bucket=${AWS_BUCKET_NAME}" -backend-config="key=${AWS_BUCKET_KEY_NAME}" -backend-config="region=${AWS_REGION}"
+
+      - name: Terraform Validate
+        id: validate
+        run: terraform validate -no-color
+
+      - name: Terraform Plan
+        id: plan
+        run: terraform plan -no-color
+        if: github.event_name == 'pull_request'
+        continue-on-error: true
+
+      - uses: actions/github-script@v6
+        if: github.event_name == 'pull_request'
+        env:
+          PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
+            #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
+            #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
+            <details><summary>Validation Output</summary>
+
+            \`\`\`\n
+            ${{ steps.validate.outputs.stdout }}
+            \`\`\`
+
+            </details>
+
+            #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
+
+            <details><summary>Show Plan</summary>
+
+            \`\`\`\n
+            ${process.env.PLAN}
+            \`\`\`
+
+            </details>
+
+            *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
+
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
+
+      - name: Terraform Plan Status
+        if: steps.plan.outcome == 'failure'
+        run: exit 1
+
+      - name: Terraform Apply
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        run: terraform apply -auto-approve -input=false

.gitignore

@@ -1,2 +1,4 @@
 venv
-*.terraform*
+*.terraform*
+terraform.tfs*
+.pem

README.md

@@ -20,4 +20,42 @@ $ docker push enricogoerlitz/bp2-backend-amd64v2:latest
 
 https://www.youtube.com/watch?v=GowFk_5Rx_I&ab_channel=CloudScalr
 
-deploy terraform on S3 and manage this in S3
+deploy terraform on S3 and manage this in S3
+
+## Doku OpenIDConnect
+
+aws > IAM > Identity Provider > new Identity Provider
+    - url=https://token.actions.githubusercontent.com
+    - audience=sts.amazonaws.com
+
+enricogoerlitz/aws-bp-2-hosting-backend-on-ec2-asg-alb
+
+aws > s3 > create bucket
+    - name
+    - enable enrcyption
+
+aws > IAM > roles > create role > custom trusted policy
+policy:
+{
+    "Version": "2008-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Federated": "arn:aws:iam::YOUR_ACCOUNT_NUMBER:oidc-provider/token.actions.githubusercontent.com"
+            },
+            "Action": "sts:AssumeRoleWithWebIdentity",
+            "Condition": {
+                "StringLike": {
+                    "token.actions.githubusercontent.com:sub": "repo:YOUR_GITHUB_USERNAME/YOUR_REPO_NAME:*"
+                }
+            }
+        }
+    ]
+}
+
+GitHub Secrets:
+- AWS_BUCKET_NAME=bp2-terraform-deployment-state
+- AWS_BUCKET_KEY_NAME=infra.tfstate
+- AWS_REGION=eu-central-1
+- AWS_ROLE=arn:aws:iam::533267024986:role/github-oicd-bp2-terraform-deployment-role

app/tests/test_app.py

@@ -15,29 +15,29 @@ def test_healthcheck(self):
         hostname = os.uname()[1]
 
         # WHEN
-        response = self.app.get('/')
+        response = self.app.get("/")
         data = response.get_json()
 
         # THEN
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(data['healthcheck'], 'ok')
-        self.assertEqual(data['hostname'], hostname)
+        self.assertEqual(data["healthcheck"], "ok")
+        self.assertEqual(data["hostname"], hostname)
 
     def test_host_ip(self):
         # GIVEN
         ip = os.uname()[1]
 
         # WHEN
-        response = self.app.get('/host')
+        response = self.app.get("/host")
         data = response.get_json()
 
         # THEN
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(data['hostname'], ip)
+        self.assertEqual(data["hostname"], ip)
 
     # def test_fail(self):
     #     self.assertEqual(True, False)
 
 
-if __name__ == '__main__':
+if __name__ == "__main__":
     unittest.main()

terraform/config/iam-role-trusted-entity.json

@@ -0,0 +1,17 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Federated": "arn:aws:iam::533267024986:oidc-provider/token.actions.githubusercontent.com"
+            },
+            "Action": "sts:AssumeRoleWithWebIdentity",
+            "Condition": {
+                "StringLike": {
+                    "token.actions.githubusercontent.com:sub": "repo:enricogoerlitz/aws-bp-2-hosting-backend-on-ec2-asg-alb:ref:refs/heads/main"
+                }
+            }
+        }
+    ]
+}

terraform/config/iam-s3-access-policy.json

@@ -0,0 +1,17 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:PutObject",
+                "s3:GetObject",
+                "s3:ListBucket"
+            ],
+            "Resource": [
+                "arn:aws:s3:::bp2-terraform-deployment-state/*",
+                "arn:aws:s3:::bp2-terraform-deployment-state"
+            ]
+        }
+    ]
+}

terraform/config/iam-tf-infrastructure-deployment-policy.json

@@ -0,0 +1,40 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:Describe*",
+                "ec2:RunInstances",
+                "ec2:CreateSecurityGroup",
+                "ec2:AuthorizeSecurityGroupIngress",
+                "ec2:CreateKeyPair",
+                "ec2:CreateLaunchTemplate",
+                "ec2:ModifyLaunchTemplate",
+                "ec2:TerminateInstances",
+                "autoscaling:CreateAutoScalingGroup",
+                "autoscaling:UpdateAutoScalingGroup",
+                "autoscaling:Describe*",
+                "elasticloadbalancing:CreateLoadBalancer",
+                "elasticloadbalancing:CreateTargetGroup",
+                "elasticloadbalancing:CreateListener",
+                "elasticloadbalancing:ModifyListener",
+                "elasticloadbalancing:DeleteListener",
+                "elasticloadbalancing:Describe*",
+                "route53:ChangeResourceRecordSets",
+                "route53:GetHostedZone",
+                "acm:DescribeCertificate",
+                "acm:GetCertificate",
+                "logs:CreateLogGroup",
+                "logs:CreateLogStream",
+                "logs:PutLogEvents"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "acm:ListCertificates",
+            "Resource": "*"
+        }
+    ]
+}

terraform/config/main.desc.txt

@@ -0,0 +1,56 @@
+CREATE SECURITY GROUP
+  - name=bp2-hosting-backend-sg
+  - allow only http traffic (0.0.0.0) (inbound)
+
+CREATE LAUNCH TEMPLATE (EC2 Launch-Template)
+  - name=ect-bp2-hosting-backend
+  - AMI=ami-00cf59bc9978eb266
+  - t2.micro
+  - no keypair
+  - sg = {bp2-hosting-backend-sg}
+  - default storage
+  - User data = {script below}
+
+CREATE TARGET GROUP FOR LB
+  - name=tg-bp2-hosting-backend
+  - no enrties
+
+CREATE APPLICATION LOAD BALANCER
+  - name=alb-bp2-hosting-backend
+  - internet facing, IPv4
+  - AZ=eu-central-1a + 1b + 1c
+
+CREATE AUTOSCALING GROUP
+  - name=asg-bp2-hosting-backend
+  - vpc=vpc-09e61af5bb6aafa26
+  - AZ=eu-central-1a + 1b + 1c
+  - min=3, should=4, max=5
+
+ADD RECORD IN ROUTE 53
+  - map loadbalancer dns ip to "bp2.enricogoerlitz.com", so we can serve the app at https://bp2.enricogoerlitz.com
+
+
+User Data Script:
+#!/bin/bash
+
+sudo yum update -y
+
+sudo yum install docker -y
+sudo service docker start
+sudo usermod -a -G docker ec2-user
+
+sudo curl -L "https://github.com/docker/compose/releases/download/v2.27.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+
+sudo chmod +x /usr/local/bin/docker-compose
+
+# Create a symbolic link to /usr/bin
+sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
+
+sudo dnf install libxcrypt-compat -y
+
+cd /home/ec2-user/
+mkdir project
+cd ./project
+curl -L "https://raw.githubusercontent.com/enricogoerlitz/aws-bp-2-hosting-backend-on-ec2-asg-alb/main/docker/prod/docker-compose.yml" -o docker-compose.yml
+
+sudo docker-compose up -d