Time to parameterize (#3)

* Start modularizing cube cluster creation

* Setup secrets, env vars and container health checks

* Add resource config params

* move module to a module folder

* Migrate to parameterized

* Update repo location

* Temp update branch

* Update cluster name

* Install curl

* Add cubestore script

* Add port for refresh worker and remove health check for cubestore

* desired count for cubestore

* Move back to main

* Update docker/cube/Dockerfile

Co-authored-by: Samantha Hughes <[email protected]>

---------

Co-authored-by: Samantha Hughes <[email protected]>

Author: singhals

.github/workflows/deploy.yml

@@ -26,13 +26,13 @@ jobs:
         with:
           mask-password: "false"
 
-      - name: Build, tag, and push docker image to Amazon ECR
+      - name: Build, tag, and push cube api docker image to Amazon ECR
         env:
           REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-          REPOSITORY: sync-svc-cube
+          REPOSITORY: prod-sync-cube-ecr
           IMAGE_TAG: "${{ github.sha }}"
         run: |
-          docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG .
+          docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG -f docker/cube/Dockerfile .
           docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG
 
       - name: Update cube-api Task Definition with latest image
@@ -41,28 +41,28 @@ jobs:
         with:
           task-definition-family: cube_api
           container-name: cube-api
-          image: ${{ steps.login-ecr.outputs.registry }}/sync-svc-cube:${{ github.sha }}
+          image: ${{ steps.login-ecr.outputs.registry }}/prod-sync-cube-ecr:${{ github.sha }}
 
       - name: Update cube-refresh-worker Task Definition with latest image
         id: cube-refresh-worker-task-def
         uses: aws-actions/[email protected]
         with:
           task-definition-family: cube_refresh_worker
           container-name: cube-refresh-worker
-          image: ${{ steps.login-ecr.outputs.registry }}/sync-svc-cube:${{ github.sha }}
+          image: ${{ steps.login-ecr.outputs.registry }}/prod-sync-cube-ecr:${{ github.sha }}
 
       - name: Deploy cube-api task definition
         uses: aws-actions/[email protected]
         with:
           task-definition: ${{ steps.cube-api-task-def.outputs.task-definition }}
           service: cube_api
-          cluster: production
+          cluster: prod-sync_cluster
           wait-for-service-stability: true
 
       - name: Deploy cube-refresh-worker task definition
         uses: aws-actions/[email protected]
         with:
           task-definition: ${{ steps.cube-refresh-worker-task-def.outputs.task-definition }}
           service: cube_refresh_worker
-          cluster: production
+          cluster: prod-sync_cluster
           wait-for-service-stability: true

Dockerfile

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+AWS_REGION="us-east-1"
+ECR_REPOSITORY="prod-sync-cubestore-ecr"
+
+AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
+REGISTRY="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
+IMAGE_TAG=$(git rev-parse --short HEAD 2>/dev/null || date +%s)
+
+aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $REGISTRY
+
+docker build --platform linux/amd64 -t $REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -f docker/cubestore/Dockerfile .
+docker push $REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+
+echo "New cubestore image pushed to ECR: $REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG. Please update terraform cubestore services task definitions accordingly."

deploy_cubestore.sh

@@ -0,0 +1,11 @@
+FROM cubejs/cube:v1.1.9
+
+RUN apt-get update \
+        && apt-get install -y --no-install-recommends curl \
+        && apt-get clean \
+        && rm -rf /var/lib/apt/lists/*
+
+COPY cube.js cube.js
+COPY fetch.js fetch.js
+RUN mkdir model
+COPY model/ model/

docker/cube/Dockerfile

@@ -0,0 +1,3 @@
+FROM cubejs/cubestore:latest
+
+RUN apt-get update && apt-get install -y curl

docker/cubestore/Dockerfile

@@ -7,3 +7,120 @@ provider "aws" {
     }
   }
 }
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = ">=5.7.1"
+
+  name = "production-vpc"
+  cidr = "10.0.0.0/16"
+
+  azs                  = ["us-east-1a", "us-east-1b", "us-east-1d", "us-east-1c"]
+  private_subnets      = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24"]
+  public_subnets       = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24", "10.0.104.0/24"]
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+  enable_nat_gateway   = true
+  create_igw           = true
+}
+
+module "production_cube_cluster" {
+  source = "./modules/cube-cluster"
+
+  cluster_prefix       = "prod-sync"
+  vpc                  = module.vpc
+  cube_api_domain_name = "cube-api.synccomputing.com"
+  cube_shared_env = [
+    {
+      name  = "CUBEJS_DB_SSL"
+      value = "true"
+    },
+    {
+      name  = "CUBEJS_DB_TYPE"
+      value = "postgres"
+    },
+    {
+      name  = "CUBEJS_DB_HOST"
+      value = "ec2-3-221-59-105.compute-1.amazonaws.com"
+    },
+    {
+      name  = "CUBEJS_DB_PORT"
+      value = "5432"
+    },
+    {
+      name  = "CUBEJS_DB_USER"
+      value = "cube"
+    },
+    {
+      name  = "CUBEJS_DB_NAME"
+      value = "d20nhfliefb6aa"
+    },
+    {
+      name  = "CUBEJS_SCHEMA_PATH"
+      value = "model"
+    },
+    {
+      name  = "CUBEJS_DEV_MODE"
+      value = "false"
+    },
+    {
+      name  = "NODE_ENV",
+      value = "production"
+    },
+    {
+      name  = "CUBEJS_JWK_URL"
+      value = "https://sync-prod.us.auth0.com/.well-known/jwks.json"
+    },
+    {
+      name  = "CUBEJS_JWT_AUDIENCE"
+      value = "https://api.synccomputing.com"
+    },
+    {
+      name  = "CUBEJS_JWT_ISSUER"
+      value = "https://login.app.synccomputing.com/"
+    },
+    {
+      name  = "CUBEJS_JWT_ALGS"
+      value = "RS256"
+    },
+    {
+      name  = "CUBEJS_JWT_CLAIMS_NAMESPACE"
+      value = "https://synccomputing.com/"
+    }
+  ]
+  cube_shared_secrets = [
+    { name = "CUBEJS_DB_PASS", valueFrom = aws_secretsmanager_secret.postgres_cube_user_pw.arn },
+    { name = "CUBEJS_JWT_KEY", valueFrom = aws_secretsmanager_secret.auth0_jwt_key.arn },
+  ]
+}
+
+resource "aws_secretsmanager_secret" "postgres_cube_user_pw" {
+  name = "production/postgres-cube-user-pw"
+}
+
+resource "aws_secretsmanager_secret" "auth0_jwt_key" {
+  name = "production/auth0-jwt-key"
+}
+
+resource "aws_iam_openid_connect_provider" "github_openid" {
+  url = "https://token.actions.githubusercontent.com"
+
+  client_id_list = [
+    "sts.amazonaws.com",
+  ]
+
+  thumbprint_list = ["cf23df2207d99a74fbe169e3eba035e633b65d94"]
+}
+
+module "iam_github_oidc_role" {
+  source      = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
+  name        = "github_actions_role"
+  path        = "/system/"
+  description = "GitHub IAM role for GitHub actions"
+
+  subjects = ["synccomputingcode/sync-svc-cube-v2:*"]
+
+  policies = {
+    GitHubActionsPolicy = module.production_cube_cluster.cube_repo_ecr_policy.arn
+  }
+}

terraform/.terraform.lock.hcl

@@ -14,8 +14,8 @@ data "aws_cloudfront_origin_request_policy" "all_viewers" {
   name = "Managed-AllViewer"
 }
 
-resource "aws_cloudfront_distribution" "sync_svc_cube_cdn" {
-  aliases         = [local.domain_name, "www.${local.domain_name}"]
+resource "aws_cloudfront_distribution" "cube_cdn" {
+  aliases         = [var.cube_api_domain_name]
   comment         = "Cloudfront distribution for cube.dev api"
   price_class     = "PriceClass_100"
   is_ipv6_enabled = true
@@ -25,12 +25,6 @@ resource "aws_cloudfront_distribution" "sync_svc_cube_cdn" {
     domain_name = local.api_domain_name
     origin_id   = local.api_domain_name
 
-    # vpc_origin_config {
-    #   vpc_origin_id            = aws_cloudfront_vpc_origin.alb.id
-    #   origin_keepalive_timeout = 5
-    #   origin_read_timeout      = 30
-    # }
-
     custom_origin_config {
       http_port                = 80
       https_port               = 443
@@ -64,4 +58,4 @@ resource "aws_cloudfront_distribution" "sync_svc_cube_cdn" {
       locations        = []
     }
   }
-}
+}

terraform/ecr.tf

@@ -1,4 +1,4 @@
 resource "aws_cloudwatch_log_group" "main" {
-  name              = "/ecs/sync-svc-cube/production"
+  name              = "/ecs/${var.cluster_prefix}-cube-logs"
   retention_in_days = 14
 }