HHS · coilysiren · Oct 16, 2024 · Oct 15, 2024 · Oct 15, 2024 · Oct 15, 2024
@@ -0,0 +1,3 @@
+node_modules
+**/.terraform/**
+.git
@@ -0,0 +1,3 @@
+node_modules
+**/.terraform/**
+.git
@@ -0,0 +1,19 @@
+FROM hashicorp/terraform:1.9.7 AS base
+
+RUN mkdir -p /app
+WORKDIR /app
+ENTRYPOINT [ "sh", "-c" ]
+
+COPY --from=top-level-directory bin /app/bin
+COPY --from=top-level-directory infra /app/infra
+COPY --from=top-level-directory Makefile /app/Makefile
+
+FROM base AS dev
+
+RUN apk update \
+  && apk upgrade \
+  && apk add --no-cache \
+  coreutils \
+  bash
+
+FROM base AS release
@@ -0,0 +1,47 @@
+#############
+# Constants #
+#############
+
+# Required for CI to work properly
+SHELL = /bin/bash -o pipefail
+
+# Docker user configuration
+# This logic is to avoid issues with permissions and mounting local volumes,
+# which should be owned by the same UID for Linux distros. Mac OS can use root,
+# but it is best practice to run things as with least permission where possible
+
+# Can be set by adding user=<username> and/ or uid=<id> after the make command
+# If variables are not set explicitly: try looking up values from current
+# environment, otherwise fixed defaults.
+# uid= defaults to 0 if user= set (which makes sense if user=root, otherwise you
+# probably want to set uid as well).
+ifeq ($(user),)
+RUN_USER ?= $(or $(strip $(USER)),nodummy)
+RUN_UID ?= $(or $(strip $(shell id -u)),4000)
+else
+RUN_USER = $(user)
+RUN_UID = $(or $(strip $(uid)),0)
+endif
+
+export RUN_USER
+export RUN_UID
+
+##################
+# Build Commands #
+##################
+
+build:
+	docker buildx build \
+		--build-context top-level-directory=../ \
+		--tag $(notdir $(shell pwd)):latest \
+		.
+
+release-build:
+	docker buildx build \
+		--build-context top-level-directory=../ \
+		--target release \
+		--platform=linux/amd64 \
+		--build-arg RUN_USER=$(RUN_USER) \
+		--build-arg RUN_UID=$(RUN_UID) \
+		$(OPTS) \
+		.
@@ -0,0 +1,6 @@
+services:
+  ecs-terraform:
+    build:
+      context: .
+      target: dev
+    container_name: ecs-terraform
@@ -0,0 +1,20 @@
+data "external" "account_ids_by_name" {
+  program = ["${path.module}/../../../bin/account-ids-by-name.sh"]
+}
+
+locals {
+  image_repository_name         = "${local.project_name}-${local.app_name}"
+  image_repository_region       = module.project_config.default_region
+  image_repository_account_name = module.project_config.network_configs[local.shared_network_name].account_name
+  image_repository_account_id   = data.external.account_ids_by_name.result[local.image_repository_account_name]
+
+  build_repository_config = {
+    name           = local.image_repository_name
+    region         = local.image_repository_region
+    network_name   = local.shared_network_name
+    account_name   = local.image_repository_account_name
+    account_id     = local.image_repository_account_id
+    repository_arn = "arn:aws:ecr:${local.image_repository_region}:${local.image_repository_account_id}:repository/${local.image_repository_name}"
+    repository_url = "${local.image_repository_account_id}.dkr.ecr.${local.image_repository_region}.amazonaws.com/${local.image_repository_name}"
+  }
+}
@@ -0,0 +1,7 @@
+module "dev_config" {
+  source                                       = "./env-config"
+  app_name                                     = local.app_name
+  default_region                               = module.project_config.default_region
+  environment                                  = "dev"
+  service_override_extra_environment_variables = {}
+}
@@ -0,0 +1,17 @@
+locals {
+  # Map from environment variable name to environment variable value
+  # This is a map rather than a list so that variables can be easily
+  # overridden per environment using terraform's `merge` function
+  default_extra_environment_variables = {}
+
+  # Configuration for secrets
+  # List of configurations for defining environment variables that pull from SSM parameter
+  # store. Configurations are of the format
+  # {
+  #   ENV_VAR_NAME = {
+  #     manage_method     = "generated" # or "manual" for a secret that was created and stored in SSM manually
+  #     secret_store_name = "/ssm/param/name"
+  #   }
+  # }
+  secrets = {}
+}
@@ -0,0 +1,11 @@
+output "service_config" {
+  value = {
+    region = var.default_region
+    extra_environment_variables = merge(
+      local.default_extra_environment_variables,
+      var.service_override_extra_environment_variables
+    )
+
+    secrets = local.secrets
+  }
+}
@@ -0,0 +1,22 @@
+variable "app_name" {
+  type = string
+}
+
+variable "environment" {
+  description = "name of the application environment (e.g. dev, staging, prod)"
+  type        = string
+}
+
+variable "default_region" {
+  description = "default region for the project"
+  type        = string
+}
+
+variable "service_override_extra_environment_variables" {
+  type        = map(string)
+  description = <<EOT
+    Map that overrides the default extra environment variables defined in environment-variables.tf.
+    Map from environment variable name to environment variable value
+    EOT
+  default     = {}
+}
@@ -0,0 +1,60 @@
+locals {
+  app_name                        = "ecs-terraform"
+  environments                    = ["dev", "staging", "prod"]
+  project_name                    = module.project_config.project_name
+  has_database                    = true
+  has_incident_management_service = false
+
+  environment_configs = {
+    dev     = module.dev_config
+    staging = module.staging_config
+    prod    = module.prod_config
+  }
+
+  # Map from environment name to the account name for the AWS account that
+  # contains the resources for that environment. Resources that are shared
+  # across environments use the key "shared".
+  # The list of configured AWS accounts can be found in /infra/account
+  # by looking for the backend config files of the form:
+  #   <ACCOUNT_NAME>.<ACCOUNT_ID>.s3.tfbackend
+  #
+  # Projects/applications that use the same AWS account for all environments
+  # will refer to the same account for all environments. For example, if the
+  # project has a single account named "myaccount", then infra/accounts will
+  # have one tfbackend file myaccount.XXXXX.s3.tfbackend, and the
+  # account_names_by_environment map will look like:
+  #
+  #   account_names_by_environment = {
+  #     shared  = "myaccount"
+  #     dev     = "myaccount"
+  #     staging = "myaccount"
+  #     prod    = "myaccount"
+  #   }
+  #
+  # Projects/applications that have separate AWS accounts for each environment
+  # might have a map that looks more like this:
+  #
+  #   account_names_by_environment = {
+  #     shared  = "dev"
+  #     dev     = "dev"
+  #     staging = "staging"
+  #     prod    = "prod"
+  #   }
+  account_names_by_environment = {
+    shared  = "simpler-grants-gov"
+    dev     = "simpler-grants-gov"
+    staging = "simpler-grants-gov"
+    prod    = "simpler-grants-gov"
+  }
+
+  # The name of the network that contains the resources shared across all
+  # application environments, such as the build repository.
+  # The list of networks can be found in /infra/networks
+  # by looking for the backend config files of the form:
+  #   <NETWORK_NAME>.s3.tfbackend
+  shared_network_name = "dev"
+}
+
+module "project_config" {
+  source = "../../project-config"
+}
@@ -0,0 +1,31 @@
+output "app_name" {
+  value = local.app_name
+}
+
+output "account_names_by_environment" {
+  value = local.account_names_by_environment
+}
+
+output "environments" {
+  value = local.environments
+}
+
+output "has_database" {
+  value = local.has_database
+}
+
+output "has_incident_management_service" {
+  value = local.has_incident_management_service
+}
+
+output "image_repository_name" {
+  value = local.image_repository_name
+}
+
+output "build_repository_config" {
+  value = local.build_repository_config
+}
+
+output "environment_configs" {
+  value = local.environment_configs
+}
@@ -0,0 +1,7 @@
+module "prod_config" {
+  source                                       = "./env-config"
+  app_name                                     = local.app_name
+  default_region                               = module.project_config.default_region
+  environment                                  = "prod"
+  service_override_extra_environment_variables = {}
+}
@@ -0,0 +1,7 @@
+module "staging_config" {
+  source                                       = "./env-config"
+  app_name                                     = local.app_name
+  default_region                               = module.project_config.default_region
+  environment                                  = "staging"
+  service_override_extra_environment_variables = {}
+}