Deploy infrastructure resources to AWS region us-west-2 and update to current project architecture

[rocketnova]

Ticket

• https://wicmtdp.atlassian.net/browse/PRP-193
• https://wicmtdp.atlassian.net/browse/PRP-161
• https://wicmtdp.atlassian.net/browse/PRP-194

Changes

What was added, updated, or removed in this PR.

• Change regions from us-west-1 to us-west-2
• Modify the env-template to create 1 database, 1 service cluster, and 3 services
• Update some CI/CD from the infra template (cd.yml, Makefile, bin)
• Move IAM module to be called by the infra/accounts/account/ module
• Break out database resources into separate infra/modules/database module
• Break out random password generation into separate infra/modules/random_password module
• Break out ECS cluster into separate infra/modules/service_cluster module
• Update IAM permissions for wic-prp-eng user group
• Rename some variables that were still called api

Context for reviewers

Testing instructions, background context, more in-depth details of the implementation, and anything else you'd like to call out or ask reviewers. Explain how the changes were verified.

This PR started out as just migrating our resources from us-west-1 to us-west-2, but as we deleted all the resources and re-created them, it didn't make sense to re-create them in the wrong pattern when we knew we were about to need them to be different.

So, in addition to the region change, we also modified the env-template to support our current project architecture (1 database, 1 service cluster, 3 services). To do this, we broke out some of the resources that were previously grouped into the service module into their own separate modules. We renamed our resources to ensure that each environment had its own dedicated resources.

Testing

Screenshots, GIF demos, code examples or output to help show the changes working as expected. ProTip: you can drag and drop or paste images into this textbox.

These changes have all been deployed to our AWS account. To confirm that all of the resources exist and are configured properly. Please check all of the following against the terraform files.

build-repository

• ecr: https://us-west-2.console.aws.amazon.com/ecr/repositories?region=us-west-2

cluster:

• ecs cluster: https://us-west-2.console.aws.amazon.com/ecs/v2/clusters?region=us-west-2

database

• rds cluster: https://us-west-2.console.aws.amazon.com/rds/home?region=us-west-2#databases:
• rds instance: same as above
• ssm password: https://us-west-2.console.aws.amazon.com/systems-manager/parameters/?region=us-west-2&tab=Table#
• backup plan: https://us-west-2.console.aws.amazon.com/backup/home?region=us-west-2#/backupplan
• backup vault: https://us-west-2.console.aws.amazon.com/backup/home?region=us-west-2#/backupvaults
• iam role "postgresql-backup": https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-west-2#/roles
• iam role "rds-enhanced monitoring": same as above
• iam policy "db-access": https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-west-2#/policies

service

• ecs service: service for each cluster
• ecs task definition: https://us-west-2.console.aws.amazon.com/ecs/v2/task-definitions?region=us-west-2
• ecs alb: https://us-west-2.console.aws.amazon.com/ec2/home?region=us-west-2#LoadBalancers:
• ecs alb listener: listener tab for each alb
• ecs alb target group: https://us-west-2.console.aws.amazon.com/ec2/home?region=us-west-2#TargetGroups:
• cloudwatch log group: https://us-west-2.console.aws.amazon.com/cloudwatch/home?region=us-west-2#logsV2:log-groups
• iam role "task-executor": https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-west-2#/roles
• security group alb: https://us-west-2.console.aws.amazon.com/ec2/home?region=us-west-2#SecurityGroups:
• security group app: same as above

[microwavenby]

Sure is! If it doesn't apply, ignore it and I'll approve 🙃

On Mon, Mar 13, 2023, at 11:09 AM, Rocket wrote:

@.**** commented on this pull request.

In infra/modules/iam/main.tf https://github.com/navapbc/wic-participant-recertification-portal/pull/14#discussion_r1134430772:

• "kms:DescribeKey", "kms:CreateAlias", "kms:Decrypt",

Good question! I'm not sure. I know these permissions allow a user (one of us) in the user group to create and destroy environments, including the S3 buckets.

Do we need to put files into the S3 bucket? Is this in reference to how we're going to handle doc upload?

— Reply to this email directly, view it on GitHub https://github.com/navapbc/wic-participant-recertification-portal/pull/14#discussion_r1134430772, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAFQTP7SID7AKGPAX7WMXFLW35PHHANCNFSM6AAAAAAVS7N34E. You are receiving this because your review was requested.Message ID: @.***>

[rocketnova]

Sure is! If it doesn't apply, ignore it and I'll approve 🙃

@microwavenby Yah, this PR doesn't cover anything to do with doc upload, so it's a good concern for @aplybeah's upcoming PR on doc upload