Deploy the Frontend on ECS (#4198)

Author: marcoacierno

.github/workflows/deploy.yml

@@ -221,7 +221,7 @@ jobs:
         run: terraform validate -no-color
 
       - name: Terraform apply
-        run: terraform apply -no-color -auto-approve &> /dev/null
+        run: terraform apply -target module.pretix -target module.pycon_backend -target module.clamav -target module.database -target module.emails -target module.cluster -no-color -auto-approve &> /dev/null
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -247,11 +247,114 @@ jobs:
           done
         shell: bash
 
-  deploy-fe:
-    runs-on: ubuntu-latest
+  build-fe:
     needs: [wait-aws-update]
+    runs-on: [self-hosted]
+    permissions:
+      packages: write
+      contents: read
+
     steps:
-      - name: Trigger hook
-        if: github.ref == 'refs/heads/main'
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+          fetch-depth: 0
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.aws_access_key_id }}
+          aws-secret-access-key: ${{ secrets.aws_secret_access_key }}
+          aws-region: eu-central-1
+      - name: Get service githash
+        id: git
+        run: |
+          hash=$(git rev-list -1 HEAD -- frontend)
+          echo "githash=$hash" >> $GITHUB_OUTPUT
+      - name: Check if commit is already on ECR
+        id: image
+        run: |
+          set +e
+          aws ecr describe-images --repository-name=pythonit/pycon-frontend --image-ids=imageTag=${{ steps.git.outputs.githash }}
+          if [[ $? == 0 ]]; then
+            echo "image_exists=1" >> $GITHUB_OUTPUT
+          else
+            echo "image_exists=0" >> $GITHUB_OUTPUT
+          fi
+      - name: Set up QEMU dependency
+        if: ${{ steps.image.outputs.image_exists == 0 }}
+        uses: docker/setup-qemu-action@v3
+      - name: Login to GitHub Packages
+        if: ${{ steps.image.outputs.image_exists == 0 }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Login to Amazon ECR
+        if: ${{ steps.image.outputs.image_exists == 0 }}
+        uses: aws-actions/amazon-ecr-login@v2
+      - name: Set up Docker Buildx
+        id: buildx
+        if: ${{ steps.image.outputs.image_exists == 0 }}
+        uses: docker/setup-buildx-action@v3
+      - name: Get vars
+        id: vars
+        if: ${{ steps.image.outputs.image_exists == 0 }}
         run: |
-          curl -X POST ${{ secrets.VERCEL_DEPLOY_HOOK }}
+          cms_hostname=$(aws ssm get-parameter --output text --query Parameter.Value --with-decryption --name /pythonit/${{ env.TF_WORKSPACE }}/pycon-frontend/cms-hostname)
+          echo "CMS_HOSTNAME=$cms_hostname" >> "$GITHUB_OUTPUT"
+
+          conference_code=$(aws ssm get-parameter --output text --query Parameter.Value --with-decryption --name /pythonit/${{ env.TF_WORKSPACE }}/pycon-frontend/conference-code)
+          echo "CONFERENCE_CODE=$conference_code" >> "$GITHUB_OUTPUT"
+      - name: Build and push
+        if: ${{ steps.image.outputs.image_exists == 0 }}
+        uses: docker/build-push-action@v6
+        with:
+          context: ./frontend
+          file: ./frontend/Dockerfile
+          builder: ${{ steps.buildx.outputs.name }}
+          provenance: false
+          push: true
+          tags: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.eu-central-1.amazonaws.com/pythonit/pycon-frontend:${{ steps.git.outputs.githash }}
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache
+          platforms: linux/arm64
+          build-args: |
+            API_URL_SERVER=https://${{ fromJSON('["pastaporto-", ""]')[github.ref == 'refs/heads/main'] }}admin.pycon.it
+            CMS_ADMIN_HOST=${{ fromJSON('["pastaporto-", ""]')[github.ref == 'refs/heads/main'] }}admin.pycon.it
+            CMS_HOSTNAME=${{ steps.vars.outputs.cms_hostname }}
+            CONFERENCE_CODE=${{ steps.vars.outputs.conference_code }}
+
+  deploy-fe:
+    runs-on: ubuntu-latest
+    needs: [build-fe]
+    environment:
+      name: ${{ fromJSON('["pastaporto", "production"]')[github.ref == 'refs/heads/main'] }}
+    defaults:
+      run:
+        working-directory: ./infrastructure/applications
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+          fetch-depth: 0
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.2.4
+      - name: Terraform Init
+        run: terraform init
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      - name: Terraform Validate
+        id: validate
+        run: terraform validate -no-color
+
+      - name: Terraform apply
+        run: terraform apply -no-color -auto-approve &> /dev/null
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: eu-central-1

frontend/Dockerfile

@@ -0,0 +1,48 @@
+FROM node:23-alpine AS base
+
+RUN apk add --no-cache curl
+
+FROM base AS deps
+
+RUN apk add --no-cache libc6-compat
+WORKDIR /app
+
+COPY package.json pnpm-lock.yaml* .npmrc* ./
+RUN corepack enable pnpm && pnpm i --frozen-lockfile
+
+FROM base AS builder
+
+ARG API_URL_SERVER
+ARG CMS_HOSTNAME
+ARG CONFERENCE_CODE
+ARG CMS_ADMIN_HOST
+
+WORKDIR /app
+
+COPY --from=deps /app/node_modules ./node_modules
+COPY . .
+
+RUN corepack enable pnpm && pnpm run build
+
+FROM base AS runner
+WORKDIR /app
+
+ENV NODE_ENV=production
+ENV NEXT_TELEMETRY_DISABLED=1
+
+RUN addgroup --system --gid 1001 nodejs
+RUN adduser --system --uid 1001 nextjs
+
+COPY --from=builder /app/public ./public
+
+COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
+COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
+
+USER nextjs
+
+EXPOSE 3000
+
+ENV PORT=3000
+
+ENV HOSTNAME="0.0.0.0"
+CMD ["node", "server.js"]

frontend/next.config.js

@@ -15,6 +15,7 @@ const {
 } = process.env;
 
 module.exports = withSentryConfig({
+  output: "standalone",
   i18n: {
     locales: ["default", "en", "it"],
     defaultLocale: "default",

frontend/src/pages/api/health.ts

@@ -0,0 +1,3 @@
+export default async function handler(req, res) {
+  return res.json({ ok: true });
+}

infrastructure/applications/applications.tf

@@ -34,6 +34,18 @@ module "pycon_backend" {
   }
 }
 
+module "pycon_frontend" {
+  source       = "./pycon_frontend"
+  cluster_id = module.cluster.cluster_id
+  logs_group_name = module.cluster.logs_group_name
+  server_ip = module.cluster.server_ip
+
+  providers = {
+    aws    = aws
+    aws.us = aws.us
+  }
+}
+
 module "clamav" {
   source       = "./clamav"
   cluster_id = module.cluster.cluster_id

infrastructure/applications/cluster/cloudfront.tf

@@ -1,5 +1,6 @@
 locals {
-  pycon_web_domain  = local.is_prod ? "admin.pycon.it" : "${terraform.workspace}-admin.pycon.it"
+  pycon_admin_domain  = local.is_prod ? "admin.pycon.it" : "${terraform.workspace}-admin.pycon.it"
+  pycon_frontend_domain  = local.is_prod ? "frontend.pycon.it" : "${terraform.workspace}-frontend.pycon.it"
   pretix_web_domain = local.is_prod ? "tickets.pycon.it" : "${terraform.workspace}-tickets.pycon.it"
 }
 
@@ -22,9 +23,8 @@ resource "aws_cloudfront_distribution" "application" {
   is_ipv6_enabled     = true
   comment             = "${terraform.workspace} server"
   wait_for_deployment = false
-  aliases = [
-    local.pycon_web_domain,
-    local.pretix_web_domain
+  aliases = local.is_prod ? ["*.pycon.it", "pycon.it"] : [
+    "*.pycon.it",
   ]
 
   origin {

infrastructure/applications/cluster/domains.tf

@@ -4,7 +4,19 @@ data "aws_route53_zone" "zone" {
 
 resource "aws_route53_record" "web_pycon" {
   zone_id = data.aws_route53_zone.zone.zone_id
-  name    = local.pycon_web_domain
+  name    = local.pycon_admin_domain
+  type    = "A"
+
+  alias {
+    name                   = aws_cloudfront_distribution.application.domain_name
+    zone_id                = aws_cloudfront_distribution.application.hosted_zone_id
+    evaluate_target_health = false
+  }
+}
+
+resource "aws_route53_record" "web_frontend" {
+  zone_id = data.aws_route53_zone.zone.zone_id
+  name    = local.pycon_frontend_domain
   type    = "A"
 
   alias {

infrastructure/applications/pycon_backend/worker.tf

@@ -30,7 +30,7 @@ locals {
     },
     {
       name  = "ALLOWED_HOSTS",
-      value = ".pycon.it"
+      value = ".pycon.it,${var.server_ip}"
     },
     {
       name  = "DJANGO_SETTINGS_MODULE",

infrastructure/applications/pycon_frontend/repo.tf

@@ -0,0 +1,15 @@
+data "aws_ecr_repository" "repo" {
+  name = "pythonit/pycon-frontend"
+}
+
+data "aws_ecr_image" "image" {
+  repository_name = data.aws_ecr_repository.repo.name
+  image_tag       = data.external.githash.result.githash
+}
+
+data "aws_caller_identity" "current" {}
+
+data "external" "githash" {
+  program     = ["python", abspath("${path.module}/../pretix/githash.py")]
+  working_dir = abspath("${path.root}/../../frontend")
+}

infrastructure/applications/pycon_frontend/secrets.tf

@@ -0,0 +1,8 @@
+module "secrets" {
+  source  = "../../components/secrets"
+  service = "pycon-frontend"
+}
+
+module "common_secrets" {
+  source = "../../components/secrets"
+}