app-rails: Update template-infra:app to version 0.15.1.post9.dev0+6…

…f071d0
navapbc · Jan 21, 2025 · df9ba72 · df9ba72
1 parent 5dff863
commit df9ba72
Show file tree

Hide file tree

Showing 14 changed files with 106 additions and 164 deletions.
diff --git a/.template-infra/app-app-rails.yml b/.template-infra/app-app-rails.yml
@@ -1,4 +1,5 @@
-_commit: v0.15.0-3-gcb15833
+# Changes here will be overwritten by Copier
+_commit: v0.15.1-9-g6f071d0
 _src_path: https://github.com/navapbc/template-infra
 app_has_dev_env_setup: false
 app_local_port: 3100

diff --git a/infra/app-rails/app-config/env-config/database.tf b/infra/app-rails/app-config/env-config/database.tf
@@ -1,12 +1,7 @@
 locals {
   database_config = var.has_database ? {
-    region                      = var.default_region
-    cluster_name                = "${var.app_name}-${var.environment}"
-    app_username                = "app"
-    migrator_username           = "migrator"
-    schema_name                 = "app"
-    app_access_policy_name      = "${var.app_name}-${var.environment}-app-access"
-    migrator_access_policy_name = "${var.app_name}-${var.environment}-migrator-access"
+    region       = var.default_region
+    cluster_name = "${var.app_name}-${var.environment}"
 
     # Enable extensions that require the rds_superuser role to be created here
     # See docs/infra/set-up-database.md for more information

diff --git a/infra/app-rails/app-config/env-config/domain.tf b/infra/app-rails/app-config/env-config/domain.tf
@@ -0,0 +1,7 @@
+locals {
+  domain_config = {
+    hosted_zone  = local.network_config.domain_config.hosted_zone
+    domain_name  = var.domain_name
+    enable_https = var.enable_https
+  }
+}
diff --git a/infra/app-rails/app-config/env-config/outputs.tf b/infra/app-rails/app-config/env-config/outputs.tf
@@ -16,11 +16,13 @@ output "network_name" {
   value = var.network_name
 }
 
+output "domain_config" {
+  value = local.domain_config
+}
+
 output "service_config" {
   value = {
     service_name             = "${var.app_name}-${var.environment}"
-    domain_name              = var.domain_name
-    enable_https             = var.enable_https
     region                   = var.default_region
     cpu                      = var.service_cpu
     memory                   = var.service_memory

diff --git a/infra/app-rails/database/main.tf b/infra/app-rails/database/main.tf
@@ -1,18 +1,3 @@
-data "aws_vpc" "network" {
-  tags = {
-    project      = module.project_config.project_name
-    network_name = local.environment_config.network_name
-  }
-}
-
-data "aws_subnets" "database" {
-  tags = {
-    project      = module.project_config.project_name
-    network_name = local.environment_config.network_name
-    subnet_type  = "database"
-  }
-}
-
 locals {
   # The prefix key/value pair is used for Terraform Workspaces, which is useful for projects with multiple infrastructure developers.
   # By default, Terraform creates a workspace named “default.” If a non-default workspace is not created this prefix will equal “default”,
@@ -29,7 +14,6 @@ locals {
 
   environment_config = module.app_config.environment_configs[var.environment_name]
   database_config    = local.environment_config.database_config
-  network_config     = module.project_config.network_configs[local.environment_config.network_name]
 }
 
 terraform {
@@ -62,34 +46,13 @@ module "app_config" {
   source = "../app-config"
 }
 
-data "aws_security_groups" "aws_services" {
-  filter {
-    name   = "group-name"
-    values = ["${module.project_config.aws_services_security_group_name_prefix}*"]
-  }
-
-  filter {
-    name   = "vpc-id"
-    values = [data.aws_vpc.network.id]
-  }
-}
-
 module "database" {
-  source = "../../modules/database"
-
-  name                        = "${local.prefix}${local.database_config.cluster_name}"
-  app_access_policy_name      = "${local.prefix}${local.database_config.app_access_policy_name}"
-  migrator_access_policy_name = "${local.prefix}${local.database_config.migrator_access_policy_name}"
-
-  # The following are not AWS infra resources and therefore do not need to be
-  # isolated via the terraform workspace prefix
-  app_username      = local.database_config.app_username
-  migrator_username = local.database_config.migrator_username
-  schema_name       = local.database_config.schema_name
+  source = "../../modules/database/resources"
+  name   = "${local.prefix}${local.database_config.cluster_name}"
 
-  vpc_id                         = data.aws_vpc.network.id
-  database_subnet_group_name     = local.network_config.database_subnet_group_name
-  private_subnet_ids             = data.aws_subnets.database.ids
-  aws_services_security_group_id = data.aws_security_groups.aws_services.ids[0]
+  vpc_id                         = module.network.vpc_id
+  database_subnet_group_name     = module.network.database_subnet_group_name
+  private_subnet_ids             = module.network.database_subnet_ids
+  aws_services_security_group_id = module.network.aws_services_security_group_id
   is_temporary                   = local.is_temporary
 }
diff --git a/infra/app-rails/database/network.tf b/infra/app-rails/database/network.tf
@@ -0,0 +1,5 @@
+module "network" {
+  source       = "../../modules/network/data"
+  project_name = module.project_config.project_name
+  name         = local.environment_config.network_name
+}
diff --git a/infra/app-rails/service/database.tf b/infra/app-rails/service/database.tf
@@ -0,0 +1,9 @@
+locals {
+  database_config = local.environment_config.database_config
+}
+
+module "database" {
+  count  = module.app_config.has_database ? 1 : 0
+  source = "../../modules/database/data"
+  name   = local.database_config.cluster_name
+}
diff --git a/infra/app-rails/service/domain.tf b/infra/app-rails/service/domain.tf
@@ -0,0 +1,11 @@
+locals {
+  domain_config = local.environment_config.domain_config
+}
+
+module "domain" {
+  source = "../../modules/domain/data"
+
+  hosted_zone  = local.domain_config.hosted_zone
+  domain_name  = local.domain_config.domain_name
+  enable_https = local.domain_config.enable_https
+}
diff --git a/infra/app-rails/service/identity_provider.tf b/infra/app-rails/service/identity_provider.tf
@@ -1,4 +1,6 @@
 locals {
+  identity_provider_config = local.environment_config.identity_provider_config
+
   # If this is a temporary environment, re-use an existing Cognito user pool. Otherwise, create a new one.
   identity_provider_user_pool_id = module.app_config.enable_identity_provider ? (
     local.is_temporary ? module.existing_identity_provider[0].user_pool_id : module.identity_provider[0].user_pool_id
@@ -22,7 +24,6 @@ module "identity_provider" {
   temporary_password_validity_days = local.identity_provider_config.password_policy.temporary_password_validity_days
   verification_email_message       = local.identity_provider_config.verification_email.verification_email_message
   verification_email_subject       = local.identity_provider_config.verification_email.verification_email_subject
-  domain_name                      = local.domain_name
   domain_identity_arn              = local.notifications_config == null ? null : local.domain_identity_arn
   sender_email                     = local.notifications_config == null ? null : local.notifications_config.sender_email
   sender_display_name              = local.notifications_config == null ? null : local.notifications_config.sender_display_name

diff --git a/infra/app-rails/service/main.tf b/infra/app-rails/service/main.tf
@@ -1,26 +1,3 @@
-data "aws_vpc" "network" {
-  tags = {
-    project      = module.project_config.project_name
-    network_name = local.environment_config.network_name
-  }
-}
-
-data "aws_subnets" "public" {
-  tags = {
-    project      = module.project_config.project_name
-    network_name = local.environment_config.network_name
-    subnet_type  = "public"
-  }
-}
-
-data "aws_subnets" "private" {
-  tags = {
-    project      = module.project_config.project_name
-    network_name = local.environment_config.network_name
-    subnet_type  = "private"
-  }
-}
-
 locals {
   # The prefix is used to create uniquely named resources per terraform workspace, which
   # are needed in CI/CD for preview environments and tests.
@@ -40,19 +17,11 @@ locals {
   # Examples: pull request preview environments are temporary.
   is_temporary = terraform.workspace != "default"
 
-  build_repository_config                        = module.app_config.build_repository_config
-  environment_config                             = module.app_config.environment_configs[var.environment_name]
-  service_config                                 = local.environment_config.service_config
-  database_config                                = local.environment_config.database_config
-  incident_management_service_integration_config = local.environment_config.incident_management_service_integration
-  identity_provider_config                       = local.environment_config.identity_provider_config
-  notifications_config                           = local.environment_config.notifications_config
-
-  network_config = module.project_config.network_configs[local.environment_config.network_name]
+  build_repository_config = module.app_config.build_repository_config
+  environment_config      = module.app_config.environment_configs[var.environment_name]
+  service_config          = local.environment_config.service_config
 
-  service_name   = "${local.prefix}${local.service_config.service_name}"
-  domain_name    = local.service_config.domain_name
-  hosted_zone_id = local.domain_name != null ? data.aws_route53_zone.zone[0].zone_id : null
+  service_name = "${local.prefix}${local.service_config.service_name}"
 }
 
 terraform {
@@ -85,50 +54,6 @@ module "app_config" {
   source = "../app-config"
 }
 
-data "aws_rds_cluster" "db_cluster" {
-  count              = module.app_config.has_database ? 1 : 0
-  cluster_identifier = local.database_config.cluster_name
-}
-
-data "aws_iam_policy" "app_db_access_policy" {
-  count = module.app_config.has_database ? 1 : 0
-  name  = local.database_config.app_access_policy_name
-}
-
-data "aws_iam_policy" "migrator_db_access_policy" {
-  count = module.app_config.has_database ? 1 : 0
-  name  = local.database_config.migrator_access_policy_name
-}
-
-# Retrieve url for external incident management tool (e.g. Pagerduty, Splunk-On-Call)
-
-data "aws_ssm_parameter" "incident_management_service_integration_url" {
-  count = module.app_config.has_incident_management_service ? 1 : 0
-  name  = local.incident_management_service_integration_config.integration_url_param_name
-}
-
-data "aws_security_groups" "aws_services" {
-  filter {
-    name   = "group-name"
-    values = ["${module.project_config.aws_services_security_group_name_prefix}*"]
-  }
-
-  filter {
-    name   = "vpc-id"
-    values = [data.aws_vpc.network.id]
-  }
-}
-
-data "aws_acm_certificate" "certificate" {
-  count  = local.service_config.enable_https ? 1 : 0
-  domain = local.domain_name
-}
-
-data "aws_route53_zone" "zone" {
-  count = local.domain_name != null ? 1 : 0
-  name  = local.network_config.domain_config.hosted_zone
-}
-
 module "service" {
   source       = "../../modules/service"
   service_name = local.service_name
@@ -138,34 +63,33 @@ module "service" {
 
   image_tag = local.image_tag
 
-  vpc_id             = data.aws_vpc.network.id
-  public_subnet_ids  = data.aws_subnets.public.ids
-  private_subnet_ids = data.aws_subnets.private.ids
+  vpc_id                         = module.network.vpc_id
+  public_subnet_ids              = module.network.public_subnet_ids
+  private_subnet_ids             = module.network.private_subnet_ids
+  aws_services_security_group_id = module.network.aws_services_security_group_id
 
-  domain_name     = local.domain_name
-  hosted_zone_id  = local.hosted_zone_id
-  certificate_arn = local.service_config.enable_https ? data.aws_acm_certificate.certificate[0].arn : null
+  domain_name     = module.domain.domain_name
+  hosted_zone_id  = module.domain.hosted_zone_id
+  certificate_arn = module.domain.certificate_arn
 
   cpu                      = local.service_config.cpu
   memory                   = local.service_config.memory
   desired_instance_count   = local.service_config.desired_instance_count
   enable_command_execution = local.service_config.enable_command_execution
 
-  aws_services_security_group_id = data.aws_security_groups.aws_services.ids[0]
-
   file_upload_jobs = local.service_config.file_upload_jobs
   scheduled_jobs   = local.environment_config.scheduled_jobs
 
   db_vars = module.app_config.has_database ? {
-    security_group_ids         = data.aws_rds_cluster.db_cluster[0].vpc_security_group_ids
-    app_access_policy_arn      = data.aws_iam_policy.app_db_access_policy[0].arn
-    migrator_access_policy_arn = data.aws_iam_policy.migrator_db_access_policy[0].arn
+    security_group_ids         = module.database[0].security_group_ids
+    app_access_policy_arn      = module.database[0].app_access_policy_arn
+    migrator_access_policy_arn = module.database[0].migrator_access_policy_arn
     connection_info = {
-      host        = data.aws_rds_cluster.db_cluster[0].endpoint
-      port        = data.aws_rds_cluster.db_cluster[0].port
-      user        = local.database_config.app_username
-      db_name     = data.aws_rds_cluster.db_cluster[0].database_name
-      schema_name = local.database_config.schema_name
+      host        = module.database[0].host
+      port        = module.database[0].port
+      user        = module.database[0].app_username
+      db_name     = module.database[0].db_name
+      schema_name = module.database[0].schema_name
     }
   } : null
 
@@ -195,7 +119,10 @@ module "service" {
     },
     module.app_config.enable_identity_provider ? {
       identity_provider_access = module.identity_provider_client[0].access_policy_arn,
-    } : {}
+    } : {},
+    module.app_config.enable_notifications ? {
+      notifications_access = module.notifications[0].access_policy_arn,
+    } : {},
   )
 
   is_temporary = local.is_temporary
@@ -204,14 +131,3 @@ module "service" {
   container_read_only = false
   healthcheck_type    = "curl"
 }
-
-module "monitoring" {
-  source = "../../modules/monitoring"
-  #Email subscription list:
-  #email_alerts_subscription_list = ["[email protected]", "[email protected]"]
-
-  # Module takes service and ALB names to link all alerts with corresponding targets
-  service_name                                = local.service_name
-  load_balancer_arn_suffix                    = module.service.load_balancer_arn_suffix
-  incident_management_service_integration_url = module.app_config.has_incident_management_service && !local.is_temporary ? data.aws_ssm_parameter.incident_management_service_integration_url[0].value : null
-}
diff --git a/infra/app-rails/service/monitoring.tf b/infra/app-rails/service/monitoring.tf
@@ -0,0 +1,21 @@
+locals {
+  incident_management_service_integration_config = local.environment_config.incident_management_service_integration
+}
+
+# Retrieve url for external incident management tool (e.g. Pagerduty, Splunk-On-Call)
+
+data "aws_ssm_parameter" "incident_management_service_integration_url" {
+  count = module.app_config.has_incident_management_service ? 1 : 0
+  name  = local.incident_management_service_integration_config.integration_url_param_name
+}
+
+module "monitoring" {
+  source = "../../modules/monitoring"
+  #Email subscription list:
+  #email_alerts_subscription_list = ["[email protected]", "[email protected]"]
+
+  # Module takes service and ALB names to link all alerts with corresponding targets
+  service_name                                = local.service_name
+  load_balancer_arn_suffix                    = module.service.load_balancer_arn_suffix
+  incident_management_service_integration_url = module.app_config.has_incident_management_service && !local.is_temporary ? data.aws_ssm_parameter.incident_management_service_integration_url[0].value : null
+}
diff --git a/infra/app-rails/service/network.tf b/infra/app-rails/service/network.tf
@@ -0,0 +1,5 @@
+module "network" {
+  source       = "../../modules/network/data"
+  project_name = module.project_config.project_name
+  name         = local.environment_config.network_name
+}
diff --git a/infra/app-rails/service/notifications.tf b/infra/app-rails/service/notifications.tf
@@ -1,4 +1,6 @@
 locals {
+  notifications_config = local.environment_config.notifications_config
+
   # If this is a temporary environment, re-use an existing email identity. Otherwise, create a new one.
   domain_identity_arn = local.notifications_config != null ? (
     !local.is_temporary ?
@@ -18,8 +20,8 @@ module "notifications_email_domain" {
   count  = local.notifications_config != null && !local.is_temporary ? 1 : 0
   source = "../../modules/notifications-email-domain/resources"
 
-  domain_name    = local.domain_name
-  hosted_zone_id = local.hosted_zone_id
+  domain_name    = module.domain.domain_name
+  hosted_zone_id = module.domain.hosted_zone_id
 }
 
 # If the app has `enable_notifications` set to true AND this *is* a temporary
@@ -28,7 +30,7 @@ module "existing_notifications_email_domain" {
   count  = local.notifications_config != null && local.is_temporary ? 1 : 0
   source = "../../modules/notifications-email-domain/data"
 
-  domain_name = local.domain_name
+  domain_name = module.domain.domain_name
 }
 
 # If the app has `enable_notifications` set to true, create a new email notification