acm-uiuc · devksingh4 · Jul 22, 2025 · Jul 22, 2025 · Jul 22, 2025 · Jul 22, 2025
diff --git a/.github/workflows/manual-prod.yml b/.github/workflows/manual-prod.yml
@@ -0,0 +1,130 @@
+name: Deploy all resources to PROD (Manual)
+run-name: Manual PROD deploy - @${{ github.actor }}
+
+on:
+  workflow_dispatch:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    name: Run Unit Tests
+    steps:
+      - uses: actions/checkout@v4
+        env:
+          HUSKY: "0"
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22.x
+          cache: "yarn"
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.12.2
+
+      - name: Restore Yarn Cache
+        uses: actions/cache@v4
+        with:
+          path: node_modules
+          key: yarn-modules-${{ runner.arch }}-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-dev
+          restore-keys: |
+            yarn-modules-${{ runner.arch }}-${{ runner.os }}-
+
+      - name: Run unit testing
+        run: make test_unit
+
+  build:
@@ -8,2 +8,4 @@
  test:
+    permissions:
+      contents: read
    runs-on: ubuntu-latest
@@ -39,2 +41,4 @@
  build:
+    permissions:
+      contents: read
    runs-on: ubuntu-24.04-arm
@@ -8,2 +8,4 @@
  test:
+    permissions:
+      contents: read
    runs-on: ubuntu-latest
@@ -39,2 +41,4 @@
  build:
+    permissions:
+      contents: read
    runs-on: ubuntu-24.04-arm
+    runs-on: ubuntu-24.04-arm
+    timeout-minutes: 15
+    name: Build Application
+    steps:
+      - uses: actions/checkout@v4
+        env:
+          HUSKY: "0"
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22.x
+          cache: "yarn"
+
+      - name: Restore Yarn Cache
+        uses: actions/cache@v4
+        with:
+          path: node_modules
+          key: yarn-modules-${{ runner.arch }}-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-prod
+          restore-keys: |
+            yarn-modules-${{ runner.arch }}-${{ runner.os }}-
+
+      - name: Run build
+        run: make build
+        env:
+          HUSKY: "0"
+          VITE_RUN_ENVIRONMENT: prod
+          RunEnvironment: prod
+          VITE_BUILD_HASH: ${{ github.sha }}
+
+      - name: Upload Build files
+        uses: actions/upload-artifact@v4
+        with:
+          include-hidden-files: true
+          name: build-prod
+          path: |
+            .aws-sam/
+            dist/
+            dist_ui/
+
+  deploy-prod:
@@ -42,2 +42,5 @@
    name: Build Application
+    permissions:
+      contents: read
+      actions: write
    steps:
@@ -42,2 +42,5 @@
    name: Build Application
+    permissions:
+      contents: read
+      actions: write
    steps:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    name: Deploy to Prod and Run Health Check
+    concurrency:
+      group: ${{ github.event.repository.name }}-prod
+      cancel-in-progress: false
+    permissions:
+      id-token: write
+      contents: read
+    needs:
+      - test
+      - build
+    environment: "AWS PROD"
+    steps:
+      - name: Set up Node for testing
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22.x
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.12.2
+
+      - uses: actions/checkout@v4
+        env:
+          HUSKY: "0"
+      - uses: aws-actions/setup-sam@v2
+        with:
+          use-installer: true
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.11
+      - name: Download Build files
+        uses: actions/download-artifact@v4
+        with:
+          name: build-prod
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::298118738376:role/GitHubActionsRole
+          role-session-name: Manual_Core_Prod_Deployment_${{ github.run_id }}
+          aws-region: us-east-1
+      - name: Publish to AWS
+        run: make deploy_prod
+        env:
+          HUSKY: "0"
+          VITE_RUN_ENVIRONMENT: prod
+      - name: Call the health check script
+        run: make prod_health_check
diff --git a/.husky/pre-commit b/.husky/pre-commit
@@ -6,6 +6,7 @@ if [ -n "$STAGED_FILES" ]; then
   # Run lint on all files (modifies files in the working directory)
   yarn lint --fix
   yarn prettier:write
+  terraform -chdir=terraform/ fmt --recursive
 
   echo "Re-adding originally staged files to the staging area..."
   # Re-add only the originally staged files

diff --git a/Makefile b/Makefile
@@ -90,17 +90,20 @@ postdeploy:
 
 deploy_prod: check_account_prod
 	@echo "Deploying CloudFormation stack..."
-	terraform -chdir=terraform/envs/prod init
-	terraform -chdir=terraform/envs/prod apply -auto-approve
 	sam deploy $(common_params) --parameter-overrides $(run_env)=prod $(set_application_prefix)=$(application_key) $(set_application_name)="$(application_name)" S3BucketPrefix="$(s3_bucket_prefix)"
+	@echo "Deploying Terraform..."
+	$(eval MAIN_DISTRIBUTION_ID := $(shell aws cloudformation describe-stacks --stack-name $(application_key) --query "Stacks[0].Outputs[?OutputKey=='CloudfrontDistributionId'].OutputValue" --output text))
+	terraform -chdir=terraform/envs/prod init
+	terraform -chdir=terraform/envs/prod apply -auto-approve -var main_cloudfront_distribution_id="$(MAIN_DISTRIBUTION_ID)"
 	make postdeploy
 
 deploy_dev: check_account_dev
 	@echo "Deploying CloudFormation stack..."
 	sam deploy $(common_params) --parameter-overrides $(run_env)=dev $(set_application_prefix)=$(application_key) $(set_application_name)="$(application_name)" S3BucketPrefix="$(s3_bucket_prefix)"
 	@echo "Deploying Terraform..."
+	$(eval MAIN_DISTRIBUTION_ID := $(shell aws cloudformation describe-stacks --stack-name $(application_key) --query "Stacks[0].Outputs[?OutputKey=='CloudfrontDistributionId'].OutputValue" --output text))
 	terraform -chdir=terraform/envs/qa init
-	terraform -chdir=terraform/envs/qa apply -auto-approve
+	terraform -chdir=terraform/envs/qa apply -auto-approve -var main_cloudfront_distribution_id="$(MAIN_DISTRIBUTION_ID)"
 	make postdeploy
 
 invalidate_cloudfront:

diff --git a/cloudformation/alerting.yml b/cloudformation/alerting.yml
diff --git a/cloudformation/logs.yml b/cloudformation/logs.yml
@@ -1,22 +1,8 @@
 AWSTemplateFormatVersion: '2010-09-09'
 Description: Stack Log Groups
 Transform: AWS::Serverless-2016-10-31
-Parameters:
-  LambdaFunctionName:
-    Type: String
-    AllowedPattern: ^[a-zA-Z0-9]+[a-zA-Z0-9-]+[a-zA-Z0-9]+$
-  LogRetentionDays:
-    Type: Number
+
 Resources:
-  AppApiLambdaLogGroup:
-    Type: AWS::Logs::LogGroup
-    DeletionPolicy: Retain
-    UpdateReplacePolicy: Retain
-    Properties:
-      LogGroupName:
-        Fn::Sub: /aws/lambda/${LambdaFunctionName}
-      RetentionInDays:
-        Ref: LogRetentionDays
   AppAuditLog:
     Type: "AWS::DynamoDB::Table"
     DeletionPolicy: "Retain"

diff --git a/cloudformation/main.yml b/cloudformation/main.yml
@@ -6,14 +6,6 @@ Parameters:
   RunEnvironment:
     Type: String
     AllowedValues: ["dev", "prod"]
-  AlertSNSArn:
-    Description: SNS Queue to send general alarm alerts to (prod only)
-    Type: String
-    Default: arn:aws:sns:us-east-1:298118738376:infra-monitor-alerts
-  PriorityAlertSNSArn:
-    Description: SNS Queue to send priority alarm alerts to (prod only)
-    Type: String
-    Default: arn:aws:sns:us-east-1:298118738376:infra-core-api-priority-alerts
   ApplicationPrefix:
     Type: String
     Description: Application prefix, no ending dash
@@ -46,10 +38,8 @@ Conditions:
 Mappings:
   General:
     dev:
-      LogRetentionDays: 7
       SesDomain: "aws.qa.acmuiuc.org"
     prod:
-      LogRetentionDays: 90
       SesDomain: "acm.illinois.edu"
   ApiGwConfig:
     dev:
@@ -103,10 +93,6 @@ Resources:
     Type: AWS::Serverless::Application
     Properties:
       Location: ./logs.yml
-      Parameters:
-        LambdaFunctionName: !Sub ${ApplicationPrefix}-lambda
-        LogRetentionDays:
-          !FindInMap [General, !Ref RunEnvironment, LogRetentionDays]
 
   AppSQSQueues:
     Type: AWS::Serverless::Application
@@ -116,18 +102,6 @@ Resources:
         QueueName: !Sub ${ApplicationPrefix}-sqs
         MessageTimeout: !Ref SqsMessageTimeout
 
-  AppAlarms:
-    Condition: IsProd
-    Type: AWS::Serverless::Application
-    Properties:
-      Location: ./alerting.yml
-      Parameters:
-        AlertSNSArn: !Ref AlertSNSArn
-        PriorityAlertSNSArn: !Ref PriorityAlertSNSArn
-        ApplicationPrefix: !Ref ApplicationPrefix
-        ApplicationFriendlyName: !Ref ApplicationFriendlyName
-        MainCloudfrontDistributionId: !GetAtt AppFrontendCloudfrontDistribution.Id
-
   LinkryRecordSetv4:
     Condition: IsDev
     Type: AWS::Route53::RecordSet

diff --git a/terraform/envs/prod/main.tf b/terraform/envs/prod/main.tf
@@ -18,11 +18,15 @@ provider "aws" {
   }
 }
 
-import {
-  to = aws_cloudwatch_log_group.main_app_logs
-  id = "/aws/lambda/${var.ProjectId}-lambda"
-}
 resource "aws_cloudwatch_log_group" "main_app_logs" {
   name              = "/aws/lambda/${var.ProjectId}-lambda"
   retention_in_days = var.LogRetentionDays
 }
+
+module "app_alarms" {
+  source                          = "../../modules/alarms"
+  main_cloudfront_distribution_id = var.main_cloudfront_distribution_id
+  resource_prefix                 = var.ProjectId
+  priority_sns_arn                = var.GeneralSNSAlertArn
+  standard_sns_arn                = var.PrioritySNSAlertArn
+}
diff --git a/terraform/envs/prod/variables.tf b/terraform/envs/prod/variables.tf
@@ -8,3 +8,17 @@ variable "ProjectId" {
   default = "infra-core-api"
 }
 
+variable "main_cloudfront_distribution_id" {
+  type        = string
+  description = "(temporary) ID for the cloudfront distribution that serves the main application"
+}
+
+variable "GeneralSNSAlertArn" {
+  type    = string
+  default = "arn:aws:sns:us-east-1:298118738376:infra-monitor-alerts"
+}
+
+variable "PrioritySNSAlertArn" {
+  type    = string
+  default = "arn:aws:sns:us-east-1:298118738376:infra-core-api-priority-alerts"
+}