feat: add AWS terraform deployment config files

* feat: add middle eastern/ north african as a new ethnicity to data

* feat:add terraform config files

* fix: fix port assignments in ecs module

* Update img name in container definition

* feat: get mongo password from docuemntdb module and pass it to ecs contianer definition, module cleanup

* fix: fix mismatch between ECS and ALB health check endpoints

* feat: update health check path

* fead: pass allow_all_hosts env var to container definition

* update mongo_params value passed to container definition

* update: update passwords format passed to container definition

* feat: pass mongo_uri env variable to container definition from module documentdb

* remove unused mongo env variables

* feat: add dummy timestamp env variable to container definition

* feat: add comments

* delete tf plan

* Revert "feat: add middle eastern/ north african as a new ethnicity to data"

This reverts commit 9f3deb6.

Author: asadeg02

terraform/.gitignore

@@ -0,0 +1,2 @@
+.terraform/
+.terraform.lock.hcl

terraform/documentdb/main.tf

@@ -0,0 +1,93 @@
+# DocumentDB Password
+resource "random_password" "bwwc_documentdb_password" {
+  length      = 20
+  special     = false
+  min_special = 0
+}
+
+
+# Store the generated password in AWS Secrets Manager
+resource "aws_secretsmanager_secret" "bwwc_documentdb_password_secret" {
+  name = "bwwc-documentdb-password"
+}
+
+# Save the secret value as a new version in Secrets Manager
+resource "aws_secretsmanager_secret_version" "documentdb_password_secret_value" {
+  secret_id = aws_secretsmanager_secret.bwwc_documentdb_password_secret.id
+  secret_string = jsonencode({
+    password = random_password.bwwc_documentdb_password.result
+  })
+}
+
+# DocumentDB Subnet Group
+resource "aws_docdb_subnet_group" "bwwc_documentdb_subnet_group" {
+  name        = "bwwc-documentdb-subnet-group"
+  description = "Subnet group for bwwc API DocumentDB Cluster"
+  subnet_ids  = var.private_subnet_ids
+}
+
+# DocumentDB Security Group
+resource "aws_security_group" "bwwc_documentdb_sg" {
+  name        = "bwwc-documentdb-sg"
+  description = "Security Group for bwwc API DocumentDB Cluster"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    from_port   = 27017
+    to_port     = 27017
+    protocol    = "tcp"
+    cidr_blocks = ["10.0.0.0/16"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+# DocumentDB Cluster
+resource "aws_docdb_cluster" "bwwc_documentdb" {
+  enabled_cloudwatch_logs_exports = ["audit"]
+  deletion_protection             = true
+  cluster_identifier              = "bwwc-documentdb"
+  engine                          = "docdb"
+  apply_immediately               = true
+  skip_final_snapshot             = true
+  engine_version                  = "5.0.0"
+  master_username                 = "bwwc"
+
+  # Use password stored in Secrets Manager
+  master_password                 = jsondecode(aws_secretsmanager_secret_version.documentdb_password_secret_value.secret_string).password
+  
+  db_subnet_group_name            = aws_docdb_subnet_group.bwwc_documentdb_subnet_group.name
+  vpc_security_group_ids          = [aws_security_group.bwwc_documentdb_sg.id]
+  allow_major_version_upgrade     = true
+  storage_encrypted               = true
+  db_cluster_parameter_group_name = aws_docdb_cluster_parameter_group.bwwc_group.name
+}
+
+# Cluster instances
+resource "aws_docdb_cluster_instance" "bwwc_documentdb" {
+  count = 2
+  # Setting promotion tier to 0 makes the instance eligible to become a writer.
+  promotion_tier     = 0
+  cluster_identifier = aws_docdb_cluster.bwwc_documentdb.cluster_identifier
+  identifier_prefix  = "${aws_docdb_cluster.bwwc_documentdb.cluster_identifier}-"
+  instance_class     = "db.t3.medium"
+  engine             = aws_docdb_cluster.bwwc_documentdb.engine
+  depends_on         = [aws_docdb_cluster.bwwc_documentdb]
+}
+
+# Custom DocumentDB group for custom settings
+resource "aws_docdb_cluster_parameter_group" "bwwc_group" {
+  family      = "docdb5.0"
+  name        = "bwwc-param-group"
+  description = "docdb cluster parameter group"
+
+  parameter {
+    name  = "tls"
+    value = "disabled"
+  }
+}

terraform/documentdb/outputs.tf

@@ -0,0 +1,15 @@
+output "mongo_host" {
+  description = "The host (endpoint) of the MongoDB DocumentDB Cluster"
+  value       = aws_docdb_cluster.bwwc_documentdb.endpoint
+}
+
+output "mongo_password" {
+  description = "DocumentDB password retrieved from Secrets Manager"
+  value       = aws_secretsmanager_secret.bwwc_documentdb_password_secret.arn
+  sensitive   = true
+}
+
+output "mongo_uri" {
+  value = "mongodb://bwwc:${jsondecode(aws_secretsmanager_secret_version.documentdb_password_secret_value.secret_string).password}@${aws_docdb_cluster.bwwc_documentdb.endpoint}:27017/?retryWrites=false"
+  sensitive = true
+}

terraform/documentdb/variables.tf

@@ -0,0 +1,9 @@
+variable "vpc_id" {
+  description = "ID of the VPC where ECS resources will be deployed"
+  type = string
+}
+
+variable "private_subnet_ids" {
+  description = "List of private subnet IDs for ECS services"
+  type        = list(string)
+}

terraform/ecs/main.tf

@@ -0,0 +1,261 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+resource "aws_ecs_cluster" "bwwc_cluster" {
+  name = "bwwc-cluster"
+}
+
+# Create a CloudWatch Log Group for the backend service logs
+resource "aws_cloudwatch_log_group" "ecs_log_group_backend" {
+  name              = "/ecs/bwwc-backend"
+  retention_in_days = 14
+}
+
+# Define a custom IAM policy allowing ECS tasks to write logs to CloudWatch
+resource "aws_iam_policy" "cloudwatch_logs_policy" {
+  name        = "ecs-cloudwatch-logs-policy"
+  description = "Policy to allow ECS tasks to write logs to CloudWatch"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ],
+        Resource = [
+          "${aws_cloudwatch_log_group.ecs_log_group_backend.arn}:*"
+        ]
+      }
+    ]
+  })
+}
+
+# Attach the CloudWatch logs policy to the ECS task execution role
+resource "aws_iam_role_policy_attachment" "cloudwatch_logs_policy_attachment" {
+  role       = aws_iam_role.ecs_task_execution_role.name
+  policy_arn = aws_iam_policy.cloudwatch_logs_policy.arn
+}
+
+# Define the ECS Fargate task for the backend service
+resource "aws_ecs_task_definition" "backend" {
+  family                   = "bwwc-backend"
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  cpu                      = "512"
+  memory                   = "1024"
+  execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
+
+  runtime_platform {
+    cpu_architecture = "X86_64"
+  }
+
+  container_definitions = jsonencode([
+    {
+      name      = "bwwc-backend",
+      image     = "multiparty/bwwc-backend:main",
+      memory    = 512,
+      cpu       = 256,
+      essential = true,
+      portMappings = [{ containerPort = 8000, hostPort = 8000 }], #application is listening on port 8000
+      healthCheck = {
+        command     = ["CMD-SHELL", "wget -q -O - http://localhost:8000/api/bwwc/healthz || exit 1"]
+        interval    = 30
+        timeout     = 5
+        retries     = 3
+        startPeriod = 60
+      },
+      environment = [
+        { name = "SECRET_KEY", value = "django-insecure-x$ee)y$zn8!egy6(9olf6maf2tt0%wtn&qd_qzlo_v9f_-!5)@" },
+        { name = "BASE_URL", value = "http://${aws_lb.bwwc_lb.dns_name}" },
+        { name = "PRIME", value = "180252380737439" },
+        { name = "THRESHOLD", value = "3" },
+        { name = "POSTGRES_HOST", value = var.postgres_host },
+        { name = "POSTGRES_USERNAME", value = var.postgres_username },
+        { name = "POSTGRES_DATABASE", value = var.postgres_database },
+        { name = "POSTGRES_PORT", value = "5432" },
+        { name = "MONGO_URI", value = var.mongo_uri },
+        { name = "DJANGO_ALLOWED_HOSTS", value = "${aws_lb.bwwc_lb.dns_name},localhost,127.0.0.1" },
+        { name = "ALLOW_ALL_HOSTS", value = "true" },
+        { name = "DUMMY_TRIGGER", value = timestamp() }
+      ],
+      secrets = [
+        { name = "POSTGRES_PASSWORD", valueFrom = "${var.postgres_password}:password::" }  
+      ],
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          "awslogs-group"         = aws_cloudwatch_log_group.ecs_log_group_backend.name
+          "awslogs-region"        = "us-east-1"
+          "awslogs-stream-prefix" = "bwwc-backend"
+        }
+      }      
+    }
+  ])
+}
+
+# Create the ECS service to run the backend task
+resource "aws_ecs_service" "backend" {
+  name            = "bwwc-backend-service"
+  cluster         = aws_ecs_cluster.bwwc_cluster.id
+  task_definition = aws_ecs_task_definition.backend.arn
+  launch_type     = "FARGATE"
+  desired_count   = 1
+  
+  network_configuration {
+    subnets          = var.private_subnet_ids
+    security_groups  = [aws_security_group.fargate_sg.id]
+    assign_public_ip = false
+  }
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.backend.arn
+    container_name   = "bwwc-backend"
+    container_port   = 8000 # Must match container definition's port above
+  }
+
+  # Grace period to allow the container to pass health checks before being marked unhealthy
+  health_check_grace_period_seconds = 60
+}
+
+resource "aws_security_group" "lb_sg" {
+  name        = "lb-sg"
+  description = "Security group for the ALB"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    description = "Allow HTTP traffic"
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    description = "Allow HTTPS traffic"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"] # Allow traffic from anywhere
+  }
+
+  egress {
+    description = "Allow all outbound traffic"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+# Security group for the ALB to allow HTTP and HTTPS from the internet
+resource "aws_security_group" "fargate_sg" {
+  name        = "fargate-sg"
+  description = "Allow inbound traffic to backend only from ALB"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    from_port   = 8000
+    to_port     = 8000
+    protocol    = "tcp"
+    security_groups = [aws_security_group.lb_sg.id]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+# Security group for the ECS tasks to allow traffic only from the ALB
+resource "aws_lb" "bwwc_lb" {
+  name               = "bwwc-lb"
+  internal           = false
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.lb_sg.id]
+  subnets            = var.public_subnet_ids
+}
+
+# Application Load Balancer for routing traffic to the ECS service
+resource "aws_lb_target_group" "backend" {
+  name        = "bwwc-backend-tg"
+  port        = 8000 # must match container definition port
+  protocol    = "HTTP"
+  vpc_id      = var.vpc_id
+  target_type = "ip"
+
+  health_check {
+    path                = "/api/bwwc/healthz" 
+    interval            = 30        
+    timeout             = 5         
+    healthy_threshold   = 2        
+    unhealthy_threshold = 2        
+    matcher             = "200"     
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+# Listener to forward HTTP traffic from the ALB to the target group
+resource "aws_lb_listener" "backend" {
+  load_balancer_arn = aws_lb.bwwc_lb.arn
+  port             = 80
+  protocol         = "HTTP"
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.backend.arn
+  }
+}
+
+# IAM policy allowing ECS tasks to retrieve secrets from Secrets Manager
+resource "aws_iam_policy" "secrets_access" {
+  name        = "ECSSecretsAccess"
+  description = "Allow ECS tasks to retrieve secrets from AWS Secrets Manager"
+  policy      = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect   = "Allow",
+        Action   = ["secretsmanager:GetSecretValue"],
+        Resource = "arn:aws:secretsmanager:us-east-1:135854645631:secret:*"
+      }
+    ]
+  })
+}
+
+# IAM role that ECS tasks assume to interact with AWS services
+resource "aws_iam_role" "ecs_task_execution_role" {
+  name = "ecsTaskExecutionRole"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Principal = {
+          Service = "ecs-tasks.amazonaws.com"
+        },
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+# Attach AWS-managed ECS task execution policy to the execution role
+resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy" {
+  role       = aws_iam_role.ecs_task_execution_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+# Attach custom secrets access policy to the execution role
+resource "aws_iam_role_policy_attachment" "ecs_task_secrets" {
+  role       = aws_iam_role.ecs_task_execution_role.name
+  policy_arn = aws_iam_policy.secrets_access.arn
+}

terraform/ecs/outputs.tf

@@ -0,0 +1,3 @@
+output "bwwc_lb_dns_name" {
+  value = aws_lb.bwwc_lb.dns_name
+}