Test pr2

my-infra/deploy/main.tf

@@ -0,0 +1,35 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.23.0"
+    }
+  }
+
+  backend "s3" {
+    bucket               = "thim-terraform"
+    key                  = "tf-state-deploy"
+    workspace_key_prefix = "tf-state-deploy-env"
+    region               = "us-east-1"
+    encrypt              = true
+    dynamodb_table       = "devops-recipe-api-lock"
+  }
+}
+
+provider "aws" {
+  region = "us-east-1"
+  default_tags {
+    tags = {
+      Environment = terraform.workspace
+      Project     = var.project
+      Contact     = var.contact
+      ManageBy    = "Terraform/deploy"
+    }
+  }
+}
+
+locals {
+  prefix = "${var.prefix}-${terraform.workspace}"
+}
+
+data "aws_region" "current" {}

my-infra/deploy/variables.tf

@@ -0,0 +1,51 @@
+variable "prefix" {
+  description = "Prefix for resources in AWS"
+  default     = "raa"
+}
+
+variable "project" {
+  description = "Project name for tagging resources"
+  default     = "recipe-app-api"
+}
+
+variable "contact" {
+  description = "Contact email for tagging resources"
+  default     = "mark@example.com"
+}
+
+variable "db_username" {
+  description = "Username for the recipe app api database"
+  default     = "recipeapp"
+}
+
+variable "db_password" {
+  description = "Password for the Terraform database"
+}
+
+variable "ecr_proxy_image" {
+  description = "Path to the ECR repo with the proxy image"
+}
+
+variable "ecr_app_image" {
+  description = "Path to the ECR repo with the API image"
+}
+
+variable "django_secret_key" {
+  description = "Secret key for Django"
+}
+
+variable "dns_zone_name" {
+  description = "Domain name"
+  default     = "londonappdev.net"
+}
+
+variable "subdomain" {
+  description = "Subdomain for each environment"
+  type        = map(string)
+
+  default = {
+    prod    = "api"
+    staging = "api.staging"
+    dev     = "api.dev"
+  }
+}

my-infra/docker-compose.yml

@@ -0,0 +1,17 @@
+services:
+  terraform:
+    image: hashicorp/terraform:1.6.2
+    volumes:
+      - ./setup:/tf/setup
+      - ./deploy:/tf/deploy
+    working_dir: /tf
+    environment:
+      - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
+      - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
+      - AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
+      - AWS_DEFAULT_REGION=us-east-1
+      - TF_WORKSPACE=${TF_WORKSPACE}
+      - TF_VAR_db_password=${TF_VAR_db_password}
+      - TF_VAR_django_secret_key=${TF_VAR_django_secret_key}
+      - TF_VAR_ecr_proxy_image=${TF_VAR_ecr_proxy_image}
+      - TF_VAR_ecr_app_image=${TF_VAR_ecr_app_image}

my-infra/setup/ecr.tf

@@ -0,0 +1,23 @@
+##############################################
+# Create ECR repos for storing Docker images #
+##############################################
+
+resource "aws_ecr_repository" "app" {
+  name                 = "recipe-app-api-app"
+  image_tag_mutability = "MUTABLE"
+  force_delete         = true
+
+  image_scanning_configuration {
+    scan_on_push = false
+  }
+}
+
+
+resource "aws_ecr_repository" "proxy" {
+  name                 = "recipe-app-api-proxy"
+  image_tag_mutability = "MUTABLE"
+  force_delete         = true
+  image_scanning_configuration {
+    scan_on_push = false
+  }
+}

my-infra/setup/iam.tf

@@ -0,0 +1,86 @@
+#######################################################################
+# Create IAM user and policies for Continuous Deployment (CD) account #
+#######################################################################
+
+resource "aws_iam_user" "cd" {
+  name = "recipe-app-api-cd"
+}
+
+resource "aws_iam_access_key" "cd" {
+  user = aws_iam_user.cd.name
+}
+
+#########################################################
+# Policy for Teraform backend to S3 and DynamoDB access #
+#########################################################
+
+data "aws_iam_policy_document" "tf_backend" {
+  statement {
+    effect    = "Allow"
+    actions   = ["s3:ListBucket"]
+    resources = ["arn:aws:s3:::${var.tf_state_bucket}"]
+  }
+
+  statement {
+    effect  = "Allow"
+    actions = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
+    resources = [
+      "arn:aws:s3:::${var.tf_state_bucket}/tf-state-deploy/*",
+      "arn:aws:s3:::${var.tf_state_bucket}/tf-state-deploy-env/*"
+    ]
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "dynamodb:DescribeTable",
+      "dynamodb:GetItem",
+      "dynamodb:PutItem",
+      "dynamodb:DeleteItem"
+    ]
+    resources = ["arn:aws:dynamodb:*:*:table/${var.tf_state_lock_table}"]
+  }
+}
+resource "aws_iam_policy" "tf_backend" {
+  name        = "${aws_iam_user.cd.name}-tf-s3-dynamodb"
+  description = "Allow user to use S3 and DynamoDB for TF backend resources"
+  policy      = data.aws_iam_policy_document.tf_backend.json
+}
+
+resource "aws_iam_user_policy_attachment" "tf_backend" {
+  user       = aws_iam_user.cd.name
+  policy_arn = aws_iam_policy.tf_backend.arn
+}
+
+
+#########################
+# Policy for ECR access #
+#########################
+
+data "aws_iam_policy_document" "ecr" {
+  statement {
+    effect    = "Allow"
+    actions   = ["ecr:GetAuthorizationToken"]
+    resources = ["*"]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "ecr:CompleteLayerUpload",
+      "ecr:UploadLayerPart",
+      "ecr:InitiateLayerUpload",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:PutImage"
+    ]
+    resources = [
+      aws_ecr_repository.app.arn,
+      aws_ecr_repository.proxy.arn,
+    ]
+  }
+}
+
+resource "aws_iam_policy" "ecr" {
+  name        = "${aws_iam_user.cd.name}-ecr"
+  description = "Allow user to manage ECR resources"
+  policy      = data.aws_iam_policy_document.ecr.json
+}

my-infra/setup/main.tf

@@ -0,0 +1,29 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.23.0"
+    }
+  }
+
+  backend "s3" {
+    bucket         = "thim-terraform"
+    key            = "tf-state-setup"
+    region         = "us-east-1"
+    encrypt        = true
+    dynamodb_table = "devops-recipe-api-lock"
+  }
+}
+
+provider "aws" {
+  region = "us-east-1"
+
+  default_tags {
+    tags = {
+      Environment = terraform.workspace
+      Project     = var.project
+      Contact     = var.contact
+      ManageBy    = "Terraform/setup"
+    }
+  }
+}

my-infra/setup/outputs.tf

@@ -0,0 +1,20 @@
+output "cd_user_access_key_id" {
+  description = "Access key ID for CD user"
+  value       = aws_iam_access_key.cd.id
+}
+
+output "cd_user_access_key_secret" {
+  description = "Access key secret for CD user"
+  value       = aws_iam_access_key.cd.secret
+  sensitive   = true
+}
+
+output "ecr_repo_app" {
+  description = "ECR repository URL for app image"
+  value       = aws_ecr_repository.app.repository_url
+}
+
+output "ecr_repo_proxy" {
+  description = "ECR repository URL for the proxy image"
+  value       = aws_ecr_repository.proxy.repository_url
+}

my-infra/setup/variables.tf

@@ -0,0 +1,19 @@
+variable "tf_state_bucket" {
+  description = "Name of S3 bucket in AWS for storing TF state"
+  default     = "thim-terraform"
+}
+
+variable "tf_state_lock_table" {
+  description = "Name of DynamoDB table for TF state locking"
+  default     = "devops-recipe-api-lock"
+}
+
+variable "project" {
+  description = "Project name for tagging resources"
+  default     = "recipe-app-api"
+}
+
+variable "contact" {
+  description = "Contact name for tagging resources"
+  default     = "mark@example.com"
+}

testfile

@@ -0,0 +1 @@
+mytest