Module Refactor + CodeBuild + CodePipeline + Nginx API Gateway + OONI…

… Github User (#13)

Refactor the various resource groups into modules to make
it easier to develop the test environment.

See: #6

Convert to terraform the CodeBuild and CodePipeline projects that were
previously created through the web UI (fixes:
#12) and add support for an nginx
based API gateway (fixes: #7)

Also includes changes implemented by @DecFox

feat: add OONI Dev User for GH actions (#17)

This adds a new IAM user: ooni_dev_user which shall be used as the
github user to run terraform apply. This IAM user has been given minimal
ReadOnly permissions to resources which allow it to successfully run
`terraform plan`

Regarding CodeBuild and CodePipeline terraform conversion we made use the of the
terraformer tool running it like this:

```
terraformer import aws --resources=ec2,codebuild,codepipeline,iam --regions=eu-central-1
```

The output of this tool cannot be used as-is, but instead required a bit
of massaging to adapt it to the conventions used in the ooni terraform
scripts and hook it up to the existing variables, however it was very
helpful to bootstrap the config.

For the nginx API gateway, the actual configuration is still missing,
but the general idea is that we will have a Elastic Load Balancer rule
to forward requests to the nginx reverse proxy running in EC2 or the
dataapi running on ECS.

Note:

As part of this work I also did some refactoring of the names of some of
the resources and items inside of the terraform config. In doing so this
triggered a destruction and re-creation of all relevant resources, which
is I guess a nice lesson learned (I actually saw it from the plan, but
was curious to see what would happen).

In the future if we would like to do this kind of refactoring we should
be sure to make use of the `moved` syntax in terraform like this:
https://developer.hashicorp.com/terraform/language/modules/develop/refactoring#moved-block-syntax
or manually move the state by running `terraform mv`.

---------

Co-authored-by: DecFox <[email protected]>

.github/workflows/check_ansible.yml

@@ -0,0 +1,95 @@
+# For docs on this see:
+# * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
+# * https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request
+# * https://docs.github.com/en/webhooks/webhook-events-and-payloads?actionType=synchronize#pull_request
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize # when commits are pushed to the PR
+      - reopened
+      - edited # title or body of a pull request was edited, or the base branch of a pull request was changed
+
+jobs:
+  ansible:
+    strategy:
+      matrix:
+        environment: ["dev"]
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ansible/
+    permissions:
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Ansible
+        run: |
+          sudo apt update
+          sudo apt install software-properties-common
+          sudo add-apt-repository --yes --update ppa:ansible/ansible-9
+          sudo apt install -y ansible
+
+      - name: Write devops ssh key to .ssh
+        run: |
+          mkdir -p ~/.ssh/
+          chmod 700 ~/.ssh/
+          echo "${{ secrets.AWS_SSH_KEY }}" > ~/.ssh/ooni-devops-prod.pem
+          chmod 600 ~/.ssh/ooni-devops-prod.pem
+
+      - name: Run Ansible Playbook
+        id: playbook
+        env:
+          ANSIBLE_SSH_ARGS: "-o UserKnownHostsFile=known_hosts"
+          INVENTORY_FILE_PATH: "../tf/modules/ansible_inventory/inventories/inventory-${{ matrix.environment }}.ini"
+        run: |
+          echo "ansible_playbook<<EOF" >> "$GITHUB_OUTPUT"
+          echo "\$ ansible-playbook playbook.yml --check --diff -i $INVENTORY_FILE_PATH" >> "$GITHUB_OUTPUT"
+          ansible-playbook playbook.yml --check --diff -i  $INVENTORY_FILE_PATH \
+            --key-file ~/.ssh/ooni-devops-prod.pem 2>&1 | tee -a "$GITHUB_OUTPUT"
+          echo "EOF" >> "$GITHUB_OUTPUT"
+        continue-on-error: true
+
+      # This can be uncommmented to make it possible to ssh into the container to debug the run
+      #- name: Setup tmate session
+      #  uses: mxschmitt/action-tmate@v3
+
+      - uses: actions/github-script@v6
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const commentTitle = "Ansible Run Output";
+            const ansiblePlaybookOutput = `${{ steps.playbook.outputs.ansible_playbook}}`;
+            const parts = ansiblePlaybookOutput.split(/PLAY RECAP \*+/);
+            const ansiblePlaybookRecap = parts.length > 1 ? parts[1].trim() : '';
+
+            const commentBody = `
+            #### Ansible Playbook Recap 🔍
+
+            \`\`\`\n
+            ${ansiblePlaybookRecap}
+            \`\`\`
+
+            #### Ansible playbook output 📖\`${{ steps.playbook.outcome }}\`
+
+            <details><summary>Show Execution</summary>
+
+            \`\`\`\n
+            ${ansiblePlaybookOutput}
+            \`\`\`
+
+            </details>
+
+            |                   |                                    |
+            |-------------------|------------------------------------|
+            | Pusher            | @${{ github.actor }}               |
+            | Action            |  ${{ github.event_name }}          |
+            | Working Directory |  ${{ env.tf_actions_working_dir }} |
+            | Workflow          |  ${{ github.workflow }}            |
+            | Last updated      |  ${(new Date()).toUTCString()}     |
+            `;
+
+            // Call the script to write the comment
+            const script = require('./scripts/ghactions/comment-on-pr.js');
+            await script({github, context, core, commentTitle, commentBody});

.github/workflows/check_deploy.yml → .github/workflows/check_terraform.yml

@@ -10,108 +10,39 @@ on:
       - reopened
       - edited # title or body of a pull request was edited, or the base branch of a pull request was changed
 
-env:
-  tf_actions_working_dir: "./tf/environments/prod"
-  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-
 jobs:
-  ansible:
-    needs: terraform
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: ${{ env.tf_actions_working_dir }}/ansible
-    permissions:
-      pull-requests: write
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Install Ansible
-        run: |
-          sudo apt update
-          sudo apt install software-properties-common
-          sudo add-apt-repository --yes --update ppa:ansible/ansible-9
-          sudo apt install -y ansible
-
-      - name: Write devops ssh key to .ssh
-        run: |
-          mkdir -p ~/.ssh/
-          chmod 700 ~/.ssh/
-          echo "${{ secrets.AWS_SSH_KEY }}" > ~/.ssh/ooni-devops-prod.pem
-          chmod 600 ~/.ssh/ooni-devops-prod.pem
-
-      - name: Run Ansible Playbook
-        id: playbook
-        env:
-          ANSIBLE_SSH_ARGS: "-o UserKnownHostsFile=known_hosts"
-        run: |
-          echo "ansible_playbook<<EOF" >> "$GITHUB_OUTPUT"
-          echo "\$ ansible-playbook playbook.yml --check --diff -i inventory.ini" >> "$GITHUB_OUTPUT"
-          ansible-playbook playbook.yml --check --diff -i inventory.ini --key-file ~/.ssh/ooni-devops-prod.pem 2>&1 | tee -a "$GITHUB_OUTPUT"
-          echo "EOF" >> "$GITHUB_OUTPUT"
-        continue-on-error: true
-
-      # This can be uncommmented to make it possible to ssh into the container to debug the run
-      #- name: Setup tmate session
-      #  uses: mxschmitt/action-tmate@v3
-
-      - uses: actions/github-script@v6
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const commentTitle = "Ansible Run Output";
-            const ansiblePlaybookOutput = `${{ steps.playbook.outputs.ansible_playbook}}`;
-            const parts = ansiblePlaybookOutput.split(/PLAY RECAP \*+/);
-            const ansiblePlaybookRecap = parts.length > 1 ? parts[1].trim() : '';
-
-            const commentBody = `
-            #### Ansible Playbook Recap 🔍
-
-            \`\`\`\n
-            ${ansiblePlaybookRecap}
-            \`\`\`
-
-            #### Ansible playbook output 📖\`${{ steps.playbook.outcome }}\`
-
-            <details><summary>Show Execution</summary>
-
-            \`\`\`\n
-            ${ansiblePlaybookOutput}
-            \`\`\`
-
-            </details>
-
-            |                   |                                    |
-            |-------------------|------------------------------------|
-            | Pusher            | @${{ github.actor }}               |
-            | Action            |  ${{ github.event_name }}          |
-            | Working Directory |  ${{ env.tf_actions_working_dir }} |
-            | Workflow          |  ${{ github.workflow }}            |
-            | Last updated      |  ${(new Date()).toUTCString()}     |
-            `;
-
-            // Call the script to write the comment
-            const script = require('./scripts/ghactions/comment-on-pr.js');
-            await script({github, context, core, commentTitle, commentBody});
-
   terraform:
+    strategy:
+      matrix:
+        environment: ["dev"]
+
     runs-on: ubuntu-latest
     if: ${{ !startsWith(github.event.head_commit.message, 'skip-terraform:') }}
     defaults:
       run:
-        working-directory: ${{ env.tf_actions_working_dir }}
+        working-directory: tf/environments/${{ matrix.environment }}
     permissions:
       contents: write
       pull-requests: write
-    env:
-      TF_VAR_aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-      TF_VAR_aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-      TF_VAR_ooni_pg_password: ${{ secrets.OONI_PG_PASSWORD }}
 
     steps:
       - uses: actions/checkout@v4
 
+      - name: Configure AWS credentials
+        run: |
+          mkdir ~/.aws/
+          cat <<EOF > ~/.aws/credentials
+          [default]
+          aws_access_key_id = ${{ secrets.OONIDEVOPS_AWS_ACCESS_KEY_ID }}
+          aws_secret_access_key = ${{ secrets.OONIDEVOPS_AWS_SECRET_ACCESS_KEY }}
+
+          [oonidevops_user]
+          aws_access_key_id = ${{ secrets.OONIDEVOPS_AWS_ACCESS_KEY_ID }}
+          aws_secret_access_key = ${{ secrets.OONIDEVOPS_AWS_SECRET_ACCESS_KEY }}
+          EOF
+          chmod 700 ~/.aws/
+          chmod 600 ~/.aws/credentials
+
       - name: Install Terraform
         run: |
           wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
@@ -194,7 +125,7 @@ jobs:
             |-------------------|------------------------------------|
             | Pusher            | @${{ github.actor }}               |
             | Action            |  ${{ github.event_name }}          |
-            | Working Directory |  ${{ env.tf_actions_working_dir }} |
+            | Environment       |  ${{ matrix.environment }}         |
             | Workflow          |  ${{ github.workflow }}            |
             | Last updated      |  ${ (new Date()).toUTCString() }   |
             `;

tf/Readme.md

@@ -1 +1,6 @@
 https://www.terraform-best-practices.com/naming
+
+Sometimes it's useful to specify a target like this:
+```
+terraform apply -target=module.ooniapi_frontend.aws_lb_listener_rule.oonidataapi_rule
+```

tf/environments/dev/backend.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  backend "s3" {
+    region  = "eu-central-1"
+    bucket  = "oonidevops-dev-terraform-state"
+    key     = "terraform.tfstate"
+    profile = ""
+    encrypt = "true"
+
+    dynamodb_table = "oonidevops-dev-terraform-state-lock"
+  }
+}