Moving configs to envvars, making regions not hardcoded

nuschpl · Jan 7, 2020 · 0bd7d2a · 0bd7d2a
1 parent 819c1c1
commit 0bd7d2a
Show file tree

Hide file tree

Showing 26 changed files with 877 additions and 320 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,5 @@
 *.auto.tfvars
+*.pem
 !terraform/dictionaries.auto.tfvars
 */.terraform*
 *.tfstate

diff --git a/terraform/cognito_iam_roles.tf → terraform/cognito_iam_roles.tf.bak b/terraform/cognito_iam_roles.tf → terraform/cognito_iam_roles.tf.bak
diff --git a/terraform/deploy.sh b/terraform/deploy.sh
@@ -83,16 +83,6 @@ echo "[*] Generating Terraform configurations"
 # Generate terraform configs
 jsonnet -m . terraform.jsonnet
 
-echo "[*] Creating dynamic templates"
-# Inject the dynamic template content into the template
-cat templates/api_handler_variables-fresh.tpl > templates/api_handler_variables.tpl
-cat template-inject_api_handler.json >> templates/api_handler_variables.tpl
-cat templates/npk_settings-fresh.tpl > templates/npk_settings.tpl
-cat template-inject_api_handler.json | jq -r 'to_entries | map( {(.key) : (.value | keys)}) | add' >> templates/npk_settings.tpl
-
-echo -n "}" >> templates/api_handler_variables.tpl
-echo -n "}" >> templates/npk_settings.tpl
-
 terraform init
 terraform apply -auto-approve
-terraform apply -auto-approve	# Yes, userdata.sh is an unresolvable cyclical dependency. I am ashamed.
+terraform apply -auto-approve
diff --git a/terraform/dictionaries.auto.tfvars b/terraform/dictionaries.auto.tfvars
@@ -6,12 +6,12 @@
 
 /*	Dictionaries Variables */
 
-dictionary-east-1 = "arn:aws:s3:::npk-dictionary-east-1-20181029005812833000000004"
-dictionary-east-2 = "arn:aws:s3:::npk-dictionary-east-2-20181029005812776500000003"
-dictionary-west-1 = "arn:aws:s3:::npk-dictionary-west-1-20181029005812746900000001"
-dictionary-west-2 = "arn:aws:s3:::npk-dictionary-west-2-20181029005812750900000002"
+dictionary-us-east-1 = "arn:aws:s3:::npk-dictionary-east-1-20181029005812833000000004"
+dictionary-us-east-2 = "arn:aws:s3:::npk-dictionary-east-2-20181029005812776500000003"
+dictionary-us-west-1 = "arn:aws:s3:::npk-dictionary-west-1-20181029005812746900000001"
+dictionary-us-west-2 = "arn:aws:s3:::npk-dictionary-west-2-20181029005812750900000002"
 
-dictionary-east-1-id = "npk-dictionary-east-1-20181029005812833000000004"
-dictionary-east-2-id = "npk-dictionary-east-2-20181029005812776500000003"
-dictionary-west-1-id = "npk-dictionary-west-1-20181029005812746900000001"
-dictionary-west-2-id = "npk-dictionary-west-2-20181029005812750900000002"
+dictionary-us-east-1-id = "npk-dictionary-east-1-20181029005812833000000004"
+dictionary-us-east-2-id = "npk-dictionary-east-2-20181029005812776500000003"
+dictionary-us-west-1-id = "npk-dictionary-west-1-20181029005812746900000001"
+dictionary-us-west-2-id = "npk-dictionary-west-2-20181029005812750900000002"
diff --git a/terraform/jsonnet/cognito_iam_roles.libsonnet b/terraform/jsonnet/cognito_iam_roles.libsonnet
@@ -1,42 +1,160 @@
 {
-	"aws_iam_role": {
-		"cognito_authenticated": {
-			"name_prefix": "cognito_authenticated_role_",
-			"assume_role_policy": '{"Version": "2012-10-17","Statement": [{
-		    	"Effect": "Allow",
-		    	"Principal": {"Federated": "cognito-identity.amazonaws.com"},
-		    	"Action": "sts:AssumeRoleWithWebIdentity",
-		    	"Condition": {
-		    		"StringEquals": {"cognito-identity.amazonaws.com:aud": "${aws_cognito_identity_pool.main.id}"},
-		    		"ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"}
-			}}]}'
+	"resource":	{
+		"aws_iam_role": {
+			"cognito_authenticated": {
+				"name_prefix": "cognito_authenticated_role_",
+				"assume_role_policy": '{"Version": "2012-10-17","Statement": [{
+			    	"Effect": "Allow",
+			    	"Principal": {"Federated": "cognito-identity.amazonaws.com"},
+			    	"Action": "sts:AssumeRoleWithWebIdentity",
+			    	"Condition": {
+			    		"StringEquals": {"cognito-identity.amazonaws.com:aud": "${aws_cognito_identity_pool.main.id}"},
+			    		"ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"}
+				}}]}'
+			},
+			"cognito_unauthenticated": {
+				"name_prefix": "cognito_unauthenticated_role_",
+				"assume_role_policy": '{"Version": "2012-10-17","Statement": [{
+					"Effect": "Allow","Principal": {"Federated": "cognito-identity.amazonaws.com"},
+					"Action": "sts:AssumeRoleWithWebIdentity"}
+				]}'
+			},
 		},
-		"cognito_unauthenticated": {
-			"name_prefix": "cognito_unauthenticated_role_",
-			"assume_role_policy": '{"Version": "2012-10-17","Statement": [{
-				"Effect": "Allow","Principal": {"Federated": "cognito-identity.amazonaws.com"},
-				"Action": "sts:AssumeRoleWithWebIdentity"}
-			]}'
-		},
-	},
-	"aws_iam_role_policy": {
-		"cognito_authenticated": {
-			"name_prefix": "cognito_authenticated_policy_",
-			"role": "${aws_iam_role.cognito_authenticated.id}",
-			"policy": "${data.aws_iam_policy_document.cognito_authenticated.json}"
+		"aws_iam_role_policy": {
+			"cognito_authenticated": {
+				"name_prefix": "cognito_authenticated_policy_",
+				"role": "${aws_iam_role.cognito_authenticated.id}",
+				"policy": "${data.aws_iam_policy_document.cognito_authenticated.json}"
+			},
+			"cognito_unauthenticated": {
+				"name_prefix": "cognito_authenticated_policy_",
+				"role": "${aws_iam_role.cognito_unauthenticated.id}",
+				"policy": "${data.aws_iam_policy_document.cognito_unauthenticated.json}"
+			}
 		},
-		"cognito_unauthenticated": {
-			"name_prefix": "cognito_authenticated_policy_",
-			"role": "${aws_iam_role.cognito_unauthenticated.id}",
-			"policy": "${data.aws_iam_policy_document.cognito_unauthenticated.json}"
+		"aws_cognito_identity_pool_roles_attachment": {
+			"default": {
+				"identity_pool_id": "${aws_cognito_identity_pool.main.id}",
+				"roles": {
+					"authenticated": "${aws_iam_role.cognito_authenticated.arn}",
+					"unauthenticated": "${aws_iam_role.cognito_unauthenticated.arn}"
+				}
+			}
 		}
 	},
-	"aws_cognito_identity_pool_roles_attachment": {
-		"default": {
-			"identity_pool_id": "${aws_cognito_identity_pool.main.id}",
-			"roles": {
-				"authenticated": "${aws_iam_role.cognito_authenticated.arn}",
-				"unauthenticated": "${aws_iam_role.cognito_unauthenticated.arn}"
+	data(settings)::
+	local regionKeys = std.objectFields(settings.regions);
+	{
+		"aws_iam_policy_document": {
+			"cognito_authenticated": {
+				"statement": [{
+					"sid": "1",
+					"actions": [
+						"cognito-identity:*",
+						"mobileanalytics:PutEvents",
+						"cognito-sync:*",
+						"ec2:describeSpotPriceHistory",
+						"pricing:*"
+					],
+					"resources": [
+						"*"
+					]
+				},{
+					"sid": "2",
+					"actions": [
+						"s3:PutObject"
+					],
+					"resources": [
+						"${aws_s3_bucket.user_data.arn}/&{cognito-identity.amazonaws.com:sub}/uploads/*"
+					]
+				},{
+					"sid": "3",
+					"actions": [
+						"s3:GetObject",
+						"s3:ListObjectVersions",
+						"s3:DeleteObject"
+					],
+					"resources": [
+						"${aws_s3_bucket.user_data.arn}/&{cognito-identity.amazonaws.com:sub}",
+						"${aws_s3_bucket.user_data.arn}/&{cognito-identity.amazonaws.com:sub}/*"
+					]
+				},{
+					"sid": "4",
+					"actions": [
+						"s3:ListBucket"
+					],
+					"resources": [
+						"${aws_s3_bucket.user_data.arn}",
+					],
+					"condition": [{
+							"test": "StringLike",
+							"variable": "s3:prefix",
+
+							"values": [
+								"&{cognito-identity.amazonaws.com:sub}/",
+								"&{cognito-identity.amazonaws.com:sub}/*"
+							]
+					}]
+				},{
+					"sid": "5",
+					"actions": [
+						"dynamodb:GetItem",
+						"dynamodb:BatchGetItem",
+						"dynamodb:Query"
+					],
+					"resources": [
+						"${aws_dynamodb_table.campaigns.arn}",
+						"${aws_dynamodb_table.settings.arn}"
+					],
+					"condition": [{
+							"test": "ForAllValues:StringEquals",
+							"variable": "dynamodb:LeadingKeys",
+
+							"values": [
+								"&{cognito-identity.amazonaws.com:sub}",
+								"admin"
+							]
+					}]
+				},{
+					"sid": "6",
+					"actions": [
+						"s3:ListBucket"
+					],
+					"resources": [
+						"${var.dictionary-" + regionKeys[i] + "}"
+						for i in std.range(0, std.length(regionKeys) - 1)
+					]
+				},{
+					"sid": "7",
+					"actions": [
+						"s3:GetObject"
+					],
+					"resources": [
+						"${var.dictionary-" + regionKeys[i] + "}/*"
+						for i in std.range(0, std.length(regionKeys) - 1)
+					]
+				},{
+					"sid": "8",
+					"actions": [
+						"execute-api:Invoke"
+					],
+					"resources": [
+						"${aws_api_gateway_deployment.npk.execution_arn}/*/userproxy/*"
+					]
+				}]
+			},
+			"cognito_unauthenticated": {
+				"statement": [{
+					"sid": "logs",
+					"actions": [
+						"cognito-identity:*",
+						"mobileanalytics:PutEvents",
+						"cognito-sync:*"
+					],
+					"resources": [
+						"*"
+					]
+				}]
 			}
 		}
 	}

diff --git a/terraform/jsonnet/lambda_functions.libsonnet b/terraform/jsonnet/lambda_functions.libsonnet
@@ -1,5 +1,7 @@
 {
-	"resource": {
+	resources(settings)::
+	local regionKeys = std.objectFields(settings.regions);
+	{
 		"aws_lambda_function": {
 			"proxy_api_handler": {
 				"depends_on": ["data.archive_file.proxy_api_handler", "aws_iam_role_policy.lambda_proxy_api_handler"],
@@ -11,39 +13,104 @@
 				"runtime": "nodejs8.10",
 				"timeout": 60,
 
+				"environment": {
+					"variables": {
+						"www_dns_names": std.toString(settings.dnsNames.www),
+						"campaign_max_price": "${var.campaign_max_price}",
+						"userdata_bucket": "${aws_s3_bucket.user_data.id}",
+						"instanceProfile": "${aws_iam_instance_profile.npk_node.arn}",
+						"iamFleetRole": "${aws_iam_role.npk_fleet_role.arn}",
+						"availabilityZones": std.manifestJsonEx({
+							[regionKeys[i]]: {
+								[settings.regions[regionKeys[i]][azi]]: "${aws_subnet." + settings.regions[regionKeys[i]][azi] + ".id}"
+									for azi in std.range(0, std.length(settings.regions[regionKeys[i]]) - 1)
+							}
+							for i in std.range(0, std.length(regionKeys) - 1)
+						}, ""),
+						"dictionaryBuckets": std.manifestJsonEx({
+							[regionKeys[i]]: "${var.dictionary-" + regionKeys[i] + "-id}"
+							for i in std.range(0, std.length(regionKeys) - 1)
+						}, "")
+					}
+				},
+
 				"dead_letter_config": {
 					"target_arn":	"${aws_sqs_queue.api_handler_dlq.arn}"
-				},
-			},
+				}
+			} + if std.objectHas(settings, "debug_lambda") && settings.debug_lambda == true then {
+				"tracing_config": {
+					"mode": "Active"
+				}
+			} else {},
 			"status_reporter": {
 				"depends_on": ["data.archive_file.status_reporter", "aws_iam_role_policy.lambda_status_reporter"],
 				"filename": "./lambda_functions/zip_files/status_reporter.zip",
 				"function_name": "status_reporter",
 				"role": "${aws_iam_role.lambda_status_reporter.arn}",
 				"handler": "main.main",
 				"source_code_hash": "${data.archive_file.status_reporter.output_base64sha256}",
-				"runtime": "nodejs8.10",
+				"runtime": "nodejs12.x",
 				"timeout": 60,
 
+				"environment": {
+					"variables": {
+						"www_dns_name": std.toString(settings.dnsNames.www),
+						"region": "${var.region}",
+						"campaign_max_price": "${var.campaign_max_price}",
+						"critical_events_sns_topic": "${aws_sns_topic.critical_events.id}",
+						"availabilityZones": std.manifestJsonEx({
+							[regionKeys[i]]: {
+								[settings.regions[regionKeys[i]][azi]]: "${aws_subnet." + settings.regions[regionKeys[i]][azi] + ".id}"
+									for azi in std.range(0, std.length(settings.regions[regionKeys[i]]) - 1)
+							}
+							for i in std.range(0, std.length(regionKeys) - 1)
+						}, "")
+					}
+				},
+
 				"dead_letter_config": {
 					"target_arn":	"${aws_sqs_queue.status_reporter_dlq.arn}"
 				},
-			},
+			} + if std.objectHas(settings, "debug_lambda") && settings.debug_lambda == true then {
+				"tracing_config": {
+					"mode": "Active"
+				}
+			} else {},
 			"spot_monitor": {
 				"depends_on": ["data.archive_file.spot_monitor", "aws_iam_role_policy.lambda_spot_monitor"],
 				"filename": "./lambda_functions/zip_files/spot_monitor.zip",
 				"function_name": "spot_monitor",
 				"role": "${aws_iam_role.lambda_spot_monitor.arn}",
 				"handler": "main.main",
 				"source_code_hash": "${data.archive_file.spot_monitor.output_base64sha256}",
-				"runtime": "nodejs8.10",
+				"runtime": "nodejs12.x",
 				"memory_size": 512,
 				"timeout": 10,
 
+				"environment": {
+					"variables": {
+						"www_dns_name": std.toString(settings.dnsNames.www),
+						"region": "${var.region}",
+						"campaign_max_price": "${var.campaign_max_price}",
+						"critical_events_sns_topic": "${aws_sns_topic.critical_events.id}",
+						"availabilityZones": std.manifestJsonEx({
+							[regionKeys[i]]: {
+								[settings.regions[regionKeys[i]][azi]]: "${aws_subnet." + settings.regions[regionKeys[i]][azi] + ".id}"
+									for azi in std.range(0, std.length(settings.regions[regionKeys[i]]) - 1)
+							}
+							for i in std.range(0, std.length(regionKeys) - 1)
+						}, "")
+					}
+				},
+
 				"dead_letter_config": {
 					"target_arn":	"${aws_sns_topic.critical_events.arn}"
 				}
-			}
+			} + if std.objectHas(settings, "debug_lambda") && settings.debug_lambda == true then {
+				"tracing_config": {
+					"mode": "Active"
+				}
+			} else {}
 		},
 		"aws_lambda_permission": {
 			"spot_monitor": {
@@ -82,16 +149,15 @@
 		"archive_file": {
 			"proxy_api_handler": {
 				"depends_on": [
-					"local_file.api_handler_variables",
 					"null_resource.npm_install_proxy_api_handler"
+					// "data.template_file.userdata_template" //TODO: Fix cyclical dependency
 				],
 				"type": "zip",
 				"source_dir": "${path.module}/lambda_functions/proxy_api_handler/",
 				"output_path": "${path.module}/lambda_functions/zip_files/proxy_api_handler.zip",
 			},
 			"status_reporter": {
 				"depends_on": [
-					"local_file.lambda_functions_settings-status_reporter",
 					"null_resource.npm_install_status_reporter"
 				],
 				"type": "zip",
@@ -100,7 +166,6 @@
 			},
 			"spot_monitor": {
 				"depends_on": [
-					"local_file.lambda_functions_settings-spot_monitor",
 					"null_resource.npm_install_spot_monitor"
 				],
 				"type": "zip",