From dc4151ba009b464873984f420164081e8034615b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20Soko=C5=82owski?= <jakub@status.im>
Date: Tue, 30 Jul 2019 15:08:34 -0400
Subject: [PATCH] add a prod environment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jakub Sokołowski <jakub@status.im>
---
 Makefile                        | 17 ++++-----
 db.tf                           |  2 +-
 dev.tf                          | 28 +++++++--------
 modules/aws-eb-env/main.tf      |  2 +-
 modules/aws-eb-env/variables.tf |  6 ++++
 modules/prod/access.tf          | 61 ---------------------------------
 modules/prod/main.tf            | 52 ----------------------------
 modules/prod/outputs.tf         | 16 ---------
 modules/prod/variables.tf       | 15 --------
 prod.tf                         | 54 +++++++++++++++++++++++++----
 variables.tf                    | 14 ++++----
 11 files changed, 84 insertions(+), 183 deletions(-)
 delete mode 100644 modules/prod/access.tf
 delete mode 100644 modules/prod/main.tf
 delete mode 100644 modules/prod/outputs.tf
 delete mode 100644 modules/prod/variables.tf

diff --git a/Makefile b/Makefile
index cb2ac6b..fc42a7c 100644
--- a/Makefile
+++ b/Makefile
@@ -77,14 +77,15 @@ secrets:
 	echo "Saving secrets to: terraform.tfvars"
 	@echo "\
 # secrets extracted from password-store\n\
-aws_access_key    = \"$(shell pass cloud/AWS/access-key)\"\n\
-aws_secret_key    = \"$(shell pass cloud/AWS/secret-key)\"\n\
-gandi_api_token   = \"$(shell pass cloud/Gandi/api-token)\"\n\
-dap_ps_smtp_user  = \"$(shell pass cloud/AWS/ses/smtp-user)\"\n\
-dap_ps_smtp_pass  = \"$(shell pass cloud/AWS/ses/smtp-secret-key)\"\n\
-dap_ps_admin_user = \"$(shell pass service/dev/app/admin-user)\"\n\
-dap_ps_admin_pass = \"$(shell pass service/dev/app/admin-pass)\"\n\
-dap_ps_db_uri     = \"$(shell pass service/dev/mongodb/uri)\"\n\
+aws_access_key     = \"$(shell pass cloud/AWS/access-key)\"\n\
+aws_secret_key     = \"$(shell pass cloud/AWS/secret-key)\"\n\
+gandi_api_token    = \"$(shell pass cloud/Gandi/api-token)\"\n\
+dap_ps_smtp_user   = \"$(shell pass cloud/AWS/ses/smtp-user)\"\n\
+dap_ps_smtp_pass   = \"$(shell pass cloud/AWS/ses/smtp-secret-key)\"\n\
+dap_ps_admin_user  = \"$(shell pass service/dev/app/admin-user)\"\n\
+dap_ps_admin_pass  = \"$(shell pass service/dev/app/admin-pass)\"\n\
+dap_ps_dev_db_uri  = \"$(shell pass service/dev/mongodb/uri)\"\n\
+dap_ps_prod_db_uri = \"$(shell pass service/prod/mongodb/uri)\"\n\
 " > terraform.tfvars
 
 cleanup:
diff --git a/db.tf b/db.tf
index 0a37fd9..3f7a70d 100644
--- a/db.tf
+++ b/db.tf
@@ -35,7 +35,7 @@ resource "aws_security_group" "mongodb" {
 
 resource "aws_instance" "mongodb" {
   ami               = data.aws_ami.ubuntu.id
-  instance_type     = var.instance_type
+  instance_type     = "t2.micro"
   key_name          = aws_key_pair.admin.key_name
   availability_zone = var.zone
 
diff --git a/dev.tf b/dev.tf
index 6e824db..5837a33 100644
--- a/dev.tf
+++ b/dev.tf
@@ -7,8 +7,8 @@ locals {
     ADMIN_USER     = var.dap_ps_admin_user
     ADMIN_PASSWORD = var.dap_ps_admin_pass
     /* Database */
-    DB_CONNECTION = var.dap_ps_db_uri
-    /* BlockChain */
+    DB_CONNECTION = var.dap_ps_dev_db_uri
+    /* Blockchain */
     BLOCKCHAIN_CONNECTION_POINT      = "wss://ropsten.infura.io/ws/v3/8675214b97b44e96b70d05326c61fd6a"
     DISCOVER_CONTRACT                = "0x17e7a7330d23fc6a2ab8578a627408f815396662"
     MAX_REQUESTS_FOR_RATE_LIMIT_TIME = 1
@@ -24,27 +24,23 @@ locals {
     EMAIL_TLS             = "true"
     APPROVER_MAIL         = "dapps-approvals@status.im"
     APPROVE_NOTIFIER_MAIL = "dapps-approvals@status.im"
-    /* CloudWatch TODO */
-    CLOUDWATCH_ACCESS_KEY_ID     = "This is for production, if you have logging set up (AWS Cloudwatch)"
-    CLOUDWATCH_REGION            = "This is for production, if you have logging set up (AWS Cloudwatch)"
-    CLOUDWATCH_SECRET_ACCESS_KEY = "This is for production, if you have logging set up (AWS Cloudwatch)"
   }
 }
 
 module "dev" {
-  source        = "./modules/aws-eb-env"
-  name          = "dev-dap-ps"
-  gandi_zone_id = gandi_zone.dap_ps_zone.id
-  dns_domain    = "dap.ps"
-  stage         = "dev"
-  stack_name    = var.stack_name
+  source     = "./modules/aws-eb-env"
+  name       = "dev-dap-ps"
+  stage      = "dev"
+  env_vars   = local.dev_env
+  dns_domain = var.public_domain
+  stack_name = var.stack_name
+
+  /* Plumbing */
   keypair_name  = aws_key_pair.admin.key_name
+  gandi_zone_id = gandi_zone.dap_ps_zone.id
 
   /* Scaling */
+  instance_type = "t2.micro"
   autoscale_min = 1
   autoscale_max = 2
-
-  /* Environment */
-  env_vars = local.dev_env
 }
-
diff --git a/modules/aws-eb-env/main.tf b/modules/aws-eb-env/main.tf
index 191cf0f..987d83a 100644
--- a/modules/aws-eb-env/main.tf
+++ b/modules/aws-eb-env/main.tf
@@ -66,7 +66,7 @@ module "eb_environment" {
   env_vars              = var.env_vars
 
   /* Scaling */
-  instance_type          = "t2.micro"
+  instance_type          = var.instance_type
   autoscale_min          = var.autoscale_min /* min instances */
   autoscale_max          = var.autoscale_max /* max instances */
   autoscale_measure_name = "CPUUtilization"
diff --git a/modules/aws-eb-env/variables.tf b/modules/aws-eb-env/variables.tf
index 55228ad..5c29d4a 100644
--- a/modules/aws-eb-env/variables.tf
+++ b/modules/aws-eb-env/variables.tf
@@ -41,6 +41,12 @@ variable "env_vars" {
 
 /* Scaling --------------------------------------*/
 
+variable "instance_type" {
+  description = "Name of instance type to use"
+  default     = "t2.micro"
+  type        = string
+}
+
 variable "autoscale_min" {
   description = "Minimum instances autoscaling will create."
   default     = "1"
diff --git a/modules/prod/access.tf b/modules/prod/access.tf
deleted file mode 100644
index 9c1b6a1..0000000
--- a/modules/prod/access.tf
+++ /dev/null
@@ -1,61 +0,0 @@
-/* ACCESS ---------------------------------------*/
-
-resource "aws_iam_group" "deploy" {
-  name = "${var.name}-deploy"
-}
-
-resource "aws_iam_user" "deploy" {
-  name = "${var.name}-deploy"
-
-  tags = {
-    Description = "User for deploying the ${var.dns_entry}.${var.dns_domain} Elastic Beanstalk app"
-  }
-}
-
-resource "aws_iam_access_key" "deploy" {
-  user    = "${aws_iam_user.deploy.name}"
-  pgp_key = "${file("files/support@dap.ps.gpg")}"
-}
-
-resource "aws_iam_user_group_membership" "deploy" {
-  user   = "${aws_iam_user.deploy.name}"
-  groups = ["${aws_iam_group.deploy.name}"]
-}
-
-resource "aws_iam_group_policy_attachment" "deploy" {
-  group      = "${aws_iam_group.deploy.name}"
-  policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkFullAccess"
-}
-
-/* ROLES ----------------------------------------*/
-
-resource "aws_iam_instance_profile" "main" {
-  name = "${var.name}"
-  role = "${aws_iam_role.main.name}"
-}
-
-resource "aws_iam_role" "main" {
-  name = "${var.name}"
-
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "ec2.amazonaws.com"
-      },
-      "Effect": "Allow",
-      "Sid": ""
-    }
-  ]
-}
-EOF
-}
-
-resource "aws_iam_policy_attachment" "AWSElasticBeanstalkWebTier" {
-  name       = "${var.name}-AWSElasticBeanstalkWebTier"
-  roles      = ["${aws_iam_role.main.name}"]
-  policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier"
-}
diff --git a/modules/prod/main.tf b/modules/prod/main.tf
deleted file mode 100644
index 9bdd31e..0000000
--- a/modules/prod/main.tf
+++ /dev/null
@@ -1,52 +0,0 @@
-/* SSL Certificate ------------------------------*/
-
-resource "aws_acm_certificate" "prod" {
-  domain_name       = "${var.dns_domain}"
-  validation_method = "DNS"
-}
-
-resource "gandi_zonerecord" "prod_cert_verification" {
-  zone   = "${var.gandi_zone_id}"
-  name   = "${replace(aws_acm_certificate.prod.domain_validation_options.0.resource_record_name, ".${var.dns_domain}.", "")}"
-  type   = "${aws_acm_certificate.prod.domain_validation_options.0.resource_record_type}"
-  ttl    = 300
-  values = ["${aws_acm_certificate.prod.domain_validation_options.0.resource_record_value}"]
-}
-
-resource "aws_acm_certificate_validation" "prod" {
-  certificate_arn         = "${aws_acm_certificate.prod.arn}"
-  validation_record_fqdns = ["${gandi_zonerecord.prod_cert_verification.name}.${var.dns_domain}"]
-}
-
-/* RESOURCES ------------------------------------*/
-
-
-//resource "aws_elastic_beanstalk_application" "dev_dap_ps" {
-//  name        = "dev-dap-ps-app"
-//  description = "dev.dap.ps application"
-//}
-//
-//resource "aws_elastic_beanstalk_environment" "dev_dap_ps" {
-//  name                = "dev-dap-ps-app"
-//  application         = "${aws_elastic_beanstalk_application.dev_dap_ps.name}"
-//  solution_stack_name = "64bit Amazon Linux 2018.03 v4.8.3 running Node.js"
-//
-//  setting {
-//    namespace = "aws:autoscaling:launchconfiguration"
-//    name = "IamInstanceProfile"
-//    value = "${aws_iam_instance_profile.main.name}"
-//  }
-//}
-
-
-/* DNS ------------------------------------------*/
-
-
-//resource "gandi_zonerecord" "dev_dap_ps_site" {
-//  zone   = "${var.gandi_zone_id}"
-//  name   = "${var.dns_entry}"
-//  type   = "CNAME"
-//  ttl    = 3600
-//  values = ["${aws_elastic_beanstalk_environment.dev_dap_ps.cname}."]
-//}
-
diff --git a/modules/prod/outputs.tf b/modules/prod/outputs.tf
deleted file mode 100644
index 9aae89c..0000000
--- a/modules/prod/outputs.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-/**
- * Uncomment this if you want to extract the secret again.
- * For details see: https://www.terraform.io/docs/providers/aws/r/iam_access_key.html
- **/
-//output "deploy_access_key" {
-//  value = "${aws_iam_access_key.deploy.id}"
-//}
-//
-//output "deploy_secret_key" {
-//  value = "${aws_iam_access_key.deploy.encrypted_secret}"
-//}
-/**
- * This can be decrypted with:
- * echo $encrypted_secret | base64 --decode | keybase pgp 
- **/
-
diff --git a/modules/prod/variables.tf b/modules/prod/variables.tf
deleted file mode 100644
index 3e6e792..0000000
--- a/modules/prod/variables.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-variable "name" {
-  description = "Name of this environment to be used in all resources."
-}
-
-variable "gandi_zone_id" {
-  description = "ID of the zone in Gandi DNS registrar."
-}
-
-variable "dns_domain" {
-  description = "Name of domain for this environment."
-}
-
-variable "dns_entry" {
-  description = "Name of DNS entry for this environment."
-}
diff --git a/prod.tf b/prod.tf
index 3c916f7..840a2e8 100644
--- a/prod.tf
+++ b/prod.tf
@@ -1,8 +1,50 @@
-module "prod" {
-  source        = "./modules/prod"
-  name          = "prod-dap-ps"
-  gandi_zone_id = gandi_zone.dap_ps_zone.id
-  dns_domain    = "dap.ps"
-  dns_entry     = "prod" /* just means use `dap.ps` */
+locals {
+  prod_env = {
+    /* WARNING EB forces PORT 8081 */
+    ENVIRONMENT     = "PROD"
+    RATE_LIMIT_TIME = 15
+    /* Access */
+    ADMIN_USER     = var.dap_ps_admin_user
+    ADMIN_PASSWORD = var.dap_ps_admin_pass
+    /* Database */
+    DB_CONNECTION = var.dap_ps_prod_db_uri
+    /* Blockchain */
+    BLOCKCHAIN_CONNECTION_POINT      = "TODO"
+    DISCOVER_CONTRACT                = "TODO"
+    MAX_REQUESTS_FOR_RATE_LIMIT_TIME = 1
+    /* IPFS */
+    IPFS_HOST     = "ipfs.infura.io"
+    IPFS_PORT     = 5001
+    IPFS_PROTOCOL = "https"
+    /* Email */
+    EMAIL_USER            = var.dap_ps_smtp_user
+    EMAIL_PASSWORD        = var.dap_ps_smtp_pass
+    EMAIL_HOST            = "email-smtp.us-east-1.amazonaws.com"
+    EMAIL_PORT            = 465
+    EMAIL_TLS             = "true"
+    APPROVER_MAIL         = "dapps-approvals@status.im"
+    APPROVE_NOTIFIER_MAIL = "dapps-approvals@status.im"
+    /* CloudWatch TODO Once we have logging set up (AWS Cloudwatch) */
+    CLOUDWATCH_ACCESS_KEY_ID     = "TODO"
+    CLOUDWATCH_REGION            = "TODO"
+    CLOUDWATCH_SECRET_ACCESS_KEY = "TODO"
+  }
 }
 
+module "prod" {
+  source     = "./modules/aws-eb-env"
+  name       = "prod-dap-ps"
+  stage      = "prod"
+  env_vars   = local.prod_env
+  dns_domain = var.public_domain
+  stack_name = var.stack_name
+
+  /* Plumbing */
+  keypair_name  = aws_key_pair.admin.key_name
+  gandi_zone_id = gandi_zone.dap_ps_zone.id
+
+  /* Scaling */
+  instance_type = "t2.micro"
+  autoscale_min = 1
+  autoscale_max = 6
+}
diff --git a/variables.tf b/variables.tf
index 6aa669a..35da1d0 100644
--- a/variables.tf
+++ b/variables.tf
@@ -46,11 +46,6 @@ variable "image_name" {
   default     = "ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-20190212.1"
 }
 
-variable "instance_type" {
-  description = "Name of instance type to use"
-  default     = "t2.micro"
-}
-
 variable "ssh_user" {
   description = "Default user to use when accesing host via SSH."
   default     = "ubuntu"
@@ -85,8 +80,13 @@ variable "dap_ps_smtp_pass" {
   description = "Password for accessing AWS SES SMTP endpoint."
 }
 
-variable "dap_ps_db_uri" {
-  description = "An URI for MongoDB database including auth information."
+variable "dap_ps_dev_db_uri" {
+  description = "An URI for DEV MongoDB database including auth information."
+  /* https://docs.mongodb.com/manual/reference/connection-string/ */
+}
+
+variable "dap_ps_prod_db_uri" {
+  description = "An URI for PROD MongoDB database including auth information."
   /* https://docs.mongodb.com/manual/reference/connection-string/ */
 }