Merge branch 'main' into login-screen

infrastructure/.sops.yaml

@@ -0,0 +1,3 @@
+creation_rules:
+  - kms: arn:aws:kms:us-east-1:763640948377:alias/ddays-app
+    aws_profile: ddays-app

infrastructure/scripts/ansible-playbook.sh

@@ -0,0 +1,36 @@
+#!/bin/sh
+
+ANSIBLE_ENV=$1;
+ANSIBLE_COMPONENT=$2;
+
+if [ -z "$ANSIBLE_ENV" ] || [ -z "$ANSIBLE_COMPONENT" ]; then
+  echo "Usage: $0 <environment> <component> <arguments>"
+  exit 1
+fi
+
+shift 2
+cd -P -- "$(dirname -- "$0")" || exit 1
+
+if [ ! -f "../ansible/inventories/$ANSIBLE_ENV.aws_ec2.yml" ]; then
+  echo "Environment '$ANSIBLE_ENV' does not exist"
+  exit 1
+fi
+
+if [ ! -d "../ansible/playbooks/$ANSIBLE_COMPONENT" ]; then
+  echo "Component '$ANSIBLE_COMPONENT' does not exist"
+  exit 1
+fi
+
+./ssh-agent.sh "$ANSIBLE_ENV" load
+
+cd ../ansible || exit 1
+
+ansible-playbook "playbooks/$ANSIBLE_COMPONENT/playbook.yml" \
+  -i "inventories/$ANSIBLE_ENV.aws_ec2.yml" "$@"
+status=$?
+
+cd - >/dev/null || exit 1
+
+./ssh-agent.sh "$ANSIBLE_ENV" unload
+
+exit $status

infrastructure/scripts/ssh-agent.sh

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+ENV=$1
+ACTION=$2
+
+if [ -z "$ENV" ] || [ -z "$ACTION" ]; then
+  echo "Usage: $0 <env> <load|unload>"
+  exit 1
+fi
+
+cd -P -- "$(dirname -- "$0")" || exit 1
+
+case "$ACTION" in
+load)
+  sops -d "../ssh-keys/$ENV.enc" | ssh-add - 2>&1 | grep -v "^Identity added"
+  ;;
+unload)
+  ssh-add -d "../ssh-keys/$ENV.pub" 2>&1 | grep -v "^Identity removed"
+  ;;
+*)
+  echo "Usage: $0 <env> <load|unload>"
+  exit 1
+  ;;
+esac

infrastructure/scripts/ssh-keygen.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+ENV=$1
+
+if [ -z "$ENV" ]; then
+  echo "Usage: $0 <env>"
+  exit 1
+fi
+
+cd -P -- "$(dirname -- "$0")" || exit 1
+
+PROJECT=$(basename "$(git rev-parse --show-toplevel)")
+
+mkdir -p ../ssh-keys
+ssh-keygen -t ed25519 -C "$PROJECT-$ENV" -N "" -f "../ssh-keys/$ENV"
+mv "../ssh-keys/$ENV" "../ssh-keys/$ENV.enc"
+sops -e -i "../ssh-keys/$ENV.enc"

infrastructure/scripts/terraform.sh

@@ -0,0 +1,31 @@
+#!/bin/sh
+
+TF_ENV=$1;
+TF_COMPONENT=$2;
+
+if [ -z "$TF_ENV" ] || [ -z "$TF_COMPONENT" ]; then
+  echo "Usage: $0 <environment> <component> <command>"
+  exit 1
+fi
+
+shift 2
+cd -P -- "$(dirname -- "$0")" || exit 1
+
+if [ ! -d "../terraform/live/$TF_ENV" ]; then
+  echo "Environment '$TF_ENV' does not exist"
+  exit 1
+fi
+
+if [ ! -d "../terraform/live/$TF_ENV/$TF_COMPONENT" ]; then
+  echo "Component '$TF_COMPONENT' does not exist"
+  exit 1
+fi
+
+if [ "$1" = "init" ]; then
+  AWS_PROFILE=$(basename "$(git rev-parse --show-toplevel)") \
+  terraform -chdir="../terraform/live/$TF_ENV/$TF_COMPONENT" init -reconfigure \
+    -backend-config="key=$TF_ENV/$TF_COMPONENT$TF_STATE_SUFFIX.tfstate"
+else
+  AWS_PROFILE=$(basename "$(git rev-parse --show-toplevel)") \
+  terraform -chdir="../terraform/live/$TF_ENV/$TF_COMPONENT" "$@"
+fi

infrastructure/terraform/.gitignore

@@ -0,0 +1,31 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+.DS_Store

infrastructure/terraform/live/shared/data/.terraform-version

@@ -0,0 +1 @@
+1.5.3

infrastructure/terraform/live/shared/data/main.tf

@@ -0,0 +1,70 @@
+terraform {
+  required_version = ">= 1.0.0, < 2.0.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "~> 4.0"
+    }
+
+    sops = {
+      source  = "carlpett/sops"
+      version = "~> 0.5"
+    }
+  }
+
+  backend "s3" {
+    bucket         = "ddays-app-tfstate"
+    dynamodb_table = "ddays-app-tfstate-lock"
+    region         = "us-east-1"
+    profile        = "ddays-app"
+    encrypt        = true
+  }
+}
+
+provider "aws" {
+  region  = "eu-central-1"
+  profile = "ddays-app"
+}
+
+provider "aws" {
+  alias   = "us-east-1"
+  region  = "us-east-1"
+  profile = "ddays-app"
+}
+
+provider "cloudflare" {
+  api_token = data.sops_file.secrets.data["cloudflare_api_token"]
+}
+
+data "cloudflare_zone" "dump_hr" {
+  name = "dump.hr"
+}
+
+data "sops_file" "secrets" {
+  source_file = "secrets.enc.json"
+}
+
+module "uploads" {
+  source = "../../../modules/static-website"
+
+  bucket_name        = "ddays-app-uploads"
+  bucket_versioning  = true
+  website_domain     = "ddays-app-uploads.dump.hr"
+  cloudflare_zone_id = data.cloudflare_zone.dump_hr.id
+
+  tags = {
+    Project     = "ddays-app"
+    Role        = "uploads"
+    Environment = "shared"
+  }
+
+  providers = {
+    aws.us-east-1 = aws.us-east-1
+  }
+}

infrastructure/terraform/live/shared/data/secrets.enc.json

@@ -0,0 +1,22 @@
+{
+  "cloudflare_api_token": "ENC[AES256_GCM,data:J0XTy9u44ATF679dk4wtJcT2DYaGJh5276TCdTdJSVBZ4K0eTRKjfQ==,iv:LT6BxJJtvLA6V+HE6hOr9ht4T+R+Z2rPkHxqCI2ml8Q=,tag:rHAyw6/D4bnPmv+XUtuMtQ==,type:str]",
+  "sops": {
+    "kms": [
+      {
+        "arn": "arn:aws:kms:us-east-1:763640948377:alias/ddays-app",
+        "created_at": "2024-01-03T19:59:20Z",
+        "enc": "AQICAHgdcjswtFLRk2r0EsHvbS93T1AaxRGQ/GRNaO0DtK3p7QFoHrUajBHm2HJu58SJAKI1AAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMqAibeTCnVcmKO/KdAgEQgDsjQL/GkUfX3GU5dQQtZb0MMbY2q0fR2wG+Ga0f56lReN/TaMExAapqaW1U/TIRfLLyAppWBNlLK3wzwA==",
+        "aws_profile": "ddays-app"
+      }
+    ],
+    "gcp_kms": null,
+    "azure_kv": null,
+    "hc_vault": null,
+    "age": null,
+    "lastmodified": "2024-01-03T19:59:21Z",
+    "mac": "ENC[AES256_GCM,data:VRIjWvChlyTV3WRgbncZJtinZJD3tl/IxoigD8OcYqvBKDejd7Wwwvhj5DbZDyAJojTbZZPUIgx43xlLprZIteLsh8w2F10Kwa5XaMNa5tcxSf2qvlbxIRiVv27Ci5TITfOADFsXuGqZjZMb3uB60j6Z04Ct4zMgI8fiC+Kx4nY=,iv:CfA4unBFLnPufJ4Dyz56TRw48fzVqS6g3O4UGBN/4ko=,tag:XaUNTJY+zDtD3O4mu6vjkQ==,type:str]",
+    "pgp": null,
+    "unencrypted_suffix": "_unencrypted",
+    "version": "3.7.3"
+  }
+}

infrastructure/terraform/live/shared/tfstate/.terraform-version

@@ -0,0 +1 @@
+1.5.3

infrastructure/terraform/live/shared/tfstate/main.tf

@@ -0,0 +1,22 @@
+terraform {
+  required_version = ">= 1.0.0, < 2.0.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "aws" {
+  region  = "us-east-1"
+  profile = "ddays-app"
+}
+
+module "tfstate_backend" {
+  source = "github.com/bdeak4/terraform-state-s3-backend"
+
+  bucket_name = "ddays-app-tfstate"
+  table_name  = "ddays-app-tfstate-lock"
+}