Added database deployments for the document transfer service.

codeforamerica · Aug 7, 2024 · b92a92a · b92a92a
1 parent ddd36d2
commit b92a92a
Show file tree

Hide file tree

Showing 6 changed files with 133 additions and 48 deletions.
diff --git a/tofu/config/production/.terraform.lock.hcl b/tofu/config/production/.terraform.lock.hcl
diff --git a/tofu/config/production/main.tf b/tofu/config/production/main.tf
@@ -61,6 +61,44 @@ module "vpc" {
   }
 }
 
+module "secrets" {
+  # tflint-ignore: terraform_module_pinned_source
+  source = "github.com/codeforamerica/tofu-modules/aws/secrets"
+
+  project                = "illinois-getchildcare"
+  environment            = "production"
+  service                = "document-transfer"
+
+  secrets = {
+    "consumer/aws" = {
+      description = "AWS Consumer API credentials for the Document Transfer Service."
+      recovery_window = 7
+    }
+  }
+}
+
+module "database" {
+  # tflint-ignore: terraform_module_pinned_source
+  source = "github.com/codeforamerica/tofu-modules/aws/serverless_database"
+
+  logging_key_arn = module.logging.kms_key_arn
+  secrets_key_arn = module.secrets.kms_key_arn
+  vpc_id = module.vpc.vpc_id
+  subnets = module.vpc.private_subnets
+  ingress_cidrs = module.vpc.private_subnets_cidr_blocks
+
+  min_capacity = 2
+  max_capacity = 2
+  skip_final_snapshot = false
+  apply_immediately = true
+  key_recovery_period = 30
+  snapshot_identifier = "arn:aws:rds:us-east-1:211125423013:cluster-snapshot:prod-cluster-pre-cmk"
+
+  project                = "illinois-getchildcare"
+  environment            = "production"
+  service                = "document-transfer"
+}
+
 # Deploy the Document Transfer service to a Fargate cluster.
 module "document_transfer" {
   # tflint-ignore: terraform_module_pinned_source
@@ -77,16 +115,21 @@ module "document_transfer" {
   public_subnets  = module.vpc.public_subnets
   logging_key_id  = module.logging.kms_key_arn
   container_port  = 3000
+  image_tags_mutable = true
+  enable_execute_command = true
 
   # Only allow access from the web application and its workers.
   public = false
 
   environment_variables = {
     RACK_ENV                    = "production"
     OTEL_EXPORTER_OTLP_ENDPOINT = "http://localhost:4318"
+    DATABASE_HOST = module.database.cluster_endpoint
   }
 
   environment_secrets = {
+    DATABASE_PASSWORD = "${module.database.secret_arn}:password"
+    DATABASE_USER = "${module.database.secret_arn}:username"
     ONEDRIVE_CLIENT_ID     = "onedrive:client_id"
     ONEDRIVE_CLIENT_SECRET = "onedrive:client_secret"
     ONEDRIVE_TENANT_ID     = "onedrive:tenant_id"
@@ -100,16 +143,3 @@ module "document_transfer" {
     }
   }
 }
-
-output "peer_ids" {
-  value = module.vpc.peer_ids
-}
-
-# Display commands to push the Docker image to ECR.
-output "document_transfer_docker_push" {
-  value = module.document_transfer.docker_push
-}
-
-# output "peer_routes" {
-#   value = module.vpc.peer_routes
-# }
diff --git a/tofu/config/production/output.tf b/tofu/config/production/output.tf
@@ -0,0 +1,12 @@
+output "peer_ids" {
+  value = module.vpc.peer_ids
+}
+
+# Display commands to push the Docker image to ECR.
+output "document_transfer_docker_push" {
+  value = module.document_transfer.docker_push
+}
+
+output "database_endpoint" {
+  value = module.database.cluster_endpoint
+}
diff --git a/tofu/config/staging/.terraform.lock.hcl b/tofu/config/staging/.terraform.lock.hcl
diff --git a/tofu/config/staging/main.tf b/tofu/config/staging/main.tf
@@ -62,6 +62,43 @@ module "vpc" {
   }
 }
 
+module "secrets" {
+  # tflint-ignore: terraform_module_pinned_source
+  source = "github.com/codeforamerica/tofu-modules/aws/secrets"
+
+  project                = "illinois-getchildcare"
+  environment            = "staging"
+  service                = "document-transfer"
+
+  secrets = {
+    "consumer/aws" = {
+      description = "AWS Consumer API credentials for the Document Transfer Service."
+      recovery_window = 7
+    }
+  }
+}
+
+module "database" {
+  # tflint-ignore: terraform_module_pinned_source
+  source = "github.com/codeforamerica/tofu-modules/aws/serverless_database"
+
+  logging_key_arn = module.logging.kms_key_arn
+  secrets_key_arn = module.secrets.kms_key_arn
+  vpc_id = module.vpc.vpc_id
+  subnets = module.vpc.private_subnets
+  ingress_cidrs = module.vpc.private_subnets_cidr_blocks
+
+  min_capacity = 2
+  max_capacity = 2
+  skip_final_snapshot = true
+  apply_immediately = true
+  key_recovery_period = 7
+
+  project                = "illinois-getchildcare"
+  environment            = "staging"
+  service                = "document-transfer"
+}
+
 # Deploy the Document Transfer service to a Fargate cluster.
 module "document_transfer" {
   # tflint-ignore: terraform_module_pinned_source
@@ -88,9 +125,12 @@ module "document_transfer" {
   environment_variables = {
     RACK_ENV                    = "staging"
     OTEL_EXPORTER_OTLP_ENDPOINT = "http://localhost:4318"
+    DATABASE_HOST = module.database.cluster_endpoint
   }
 
   environment_secrets = {
+    DATABASE_PASSWORD = "${module.database.secret_arn}:password"
+    DATABASE_USER = "${module.database.secret_arn}:username"
     ONEDRIVE_CLIENT_ID     = "onedrive:client_id"
     ONEDRIVE_CLIENT_SECRET = "onedrive:client_secret"
     ONEDRIVE_TENANT_ID     = "onedrive:tenant_id"
@@ -104,12 +144,3 @@ module "document_transfer" {
     }
   }
 }
-
-output "peer_ids" {
-  value = module.vpc.peer_ids
-}
-
-# Display commands to push the Docker image to ECR.
-output "document_transfer_docker_push" {
-  value = module.document_transfer.docker_push
-}
diff --git a/tofu/config/staging/output.tf b/tofu/config/staging/output.tf
@@ -0,0 +1,12 @@
+output "peer_ids" {
+  value = module.vpc.peer_ids
+}
+
+# Display commands to push the Docker image to ECR.
+output "document_transfer_docker_push" {
+  value = module.document_transfer.docker_push
+}
+
+output "database_endpoint" {
+  value = module.database.cluster_endpoint
+}