founders_template 0.1.8 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b5f2681dabadc9894661a24323ba46dd5f4a95a6b80080762bbacc6d27779f84
-  data.tar.gz: d4a66020be8435a346e9151de52dbfa183ec2b0d7ff409eb3fe67f70a1bb04d2
+  metadata.gz: 63513b1a9939d9994e19c59956425304098c38aa841d358da7d873676a1e95e7
+  data.tar.gz: 1cc583c8e56bfca7894d0b879b179fa4ce804d0dca3386e3a3620ff40a1afa16
 SHA512:
-  metadata.gz: f073af7c2e910ab1058d222cb52064898b7d2cef2fbed888e38380411ca4829c8866474b9a9f5eb9b2540ac72d5dc960ca29a246a7076cb097c0a14290b6bece
-  data.tar.gz: 411810e4b15c74221fd7e5cb8215cea6e4a78943107289f8db2a28b42228746a6a0a0d8fc97c146447c463d8dd2514c9d41a241d17ac8f61378e9e6241982e2c
+  metadata.gz: 025e9454595dd45dcf5b40281ac4eac1f8f547cbd77265610e5252b0c20e9a4e2e692cd679e2c24823505a9c2ab184072127cda95962939df5670d772c3ee3cf
+  data.tar.gz: 9ed501799e1a6b1a5903caed3ce0b403a2f70afafaf662ab202f5d6ae2a2676cda90c2bc4900da20c7e098716865ba20e5211cdc52cab43a5f980cf6588d6f30

data/Gemfile-rails6.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    founders_template (0.1.8)
+    founders_template (0.2.0)
       activesupport
       aws-sdk-core
       aws-sdk-ec2

data/lib/founders_template/cli.rb

@@ -52,8 +52,13 @@ module FoundersTemplate
       template 'buildspec.yml.erb', 'buildspec.yml'
       template 'dockerignore.erb', '.dockerignore'
       template 'docker-compose.ci.yml.erb', 'docker-compose.ci.yml'
+      template 'docker-compose.yml.erb', 'docker-compose.yml'
       template 'docker-sync.yml.erb', 'docker-sync.yml'
+      template 'Dockerfile.erb', 'Dockerfile'
 
+      install_terraform_project
+
+      directory 'docker', 'docker'
       directory 'ci', 'ci'
     end
 
@@ -63,6 +68,23 @@ module FoundersTemplate
       VERSION
     end
 
+    def install_terraform_project
+      directory 'terraform', 'terraform'
+
+      template 'terraform-production.tfvars.erb', 'terraform/production/terraform.tfvars'
+      template 'terraform-shared.tfvars.erb', 'terraform/shared/terraform.tfvars'
+
+      gsub_file 'terraform/production/main.tf',
+                /(bucket\s+=\s+)".+-terraform-production"/,
+                %(\\1"#{app_config.slugified_name}-terraform-production")
+      gsub_file 'terraform/production/main.tf',
+                /(dynamodb_table\s+=\s+)".+-terraform-production"/,
+                %(\\1"#{app_config.slugified_name}-terraform-production")
+      gsub_file 'terraform/production/main.tf',
+                /(region\s+=\s+)".+"/,
+                %(\\1"#{app_config.aws_region}")
+    end
+
     def ensure_aws_credentials
       return if aws_credentials?
 
@@ -88,6 +110,7 @@ module FoundersTemplate
                        default: 'us-east-1'
 
       add_to_envrc AWS_REGION: aws_region
+      add_to_envrc AWS_DEFAULT_REGION: aws_region
 
       profile = <<~TEXT
         [#{app_config.short_name}]
@@ -168,10 +191,18 @@ module FoundersTemplate
     end
 
     def ensure_application_config
-      return if app_config.valid?
-
-      app_config.name = ask 'Application Name:'
-      app_config.short_name = ask 'Application Short Name:', default: app_config.short_name
+      unless app_config.name
+        app_config.name = ask 'Application Name:'
+        app_config.short_name = ask 'Application Short Name:', default: app_config.short_name
+      end
+
+      app_config.github_org = ask 'GitHub Organization:' unless app_config.github_org
+      app_config.github_repo = ask 'GitHub Repo Name:' unless app_config.github_repo
+
+      unless app_config.valid?
+        error 'There is an error in your config.'
+        exit 1
+      end
 
       template_file app_config
     end

data/lib/founders_template/config_file.rb

@@ -1,20 +1,29 @@
 # frozen_string_literal: true
 
 require 'founders_template/template_file'
+require 'active_support/core_ext/string/inflections'
 
 module FoundersTemplate
   class ConfigFile < TemplateFile
     root_key 'application'
-    required_keys %i( name short_name )
+    required_keys %i( name short_name github_org github_repo)
 
     template_file 'ft.yml.erb'
     output_file 'ft.yml'
 
-    attr_accessor :name
+    attr_accessor :name, :github_org, :github_repo
     attr_writer :short_name
 
     def short_name
       @short_name ||= name.split.map(&:chr).join.downcase
     end
+
+    def slugified_name
+      name.parameterize
+    end
+
+    def aws_region
+      ENV['AWS_REGION']
+    end
   end
 end

data/lib/founders_template/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module FoundersTemplate
-  VERSION = '0.1.8'
+  VERSION = '0.2.0'
 end

data/templates/Dockerfile.erb

@@ -0,0 +1,68 @@
+FROM ruby:2.6.5-alpine as builder
+
+RUN apk add --update --no-cache \
+    build-base \
+    postgresql-dev \
+    git \
+    yarn \
+    tzdata \
+    vim \
+    less
+
+WORKDIR /app
+
+COPY Gemfile* ./
+COPY vendor ./vendor/
+
+ARG RAILS_ENV=development
+ENV RAILS_ENV=$RAILS_ENV
+
+RUN if [ "$RAILS_ENV" = "production" ] || [ "$RAILS_ENV" = "staging" ]; then bundle install --jobs 4 --deployment --without development test; else bundle install --jobs 4 --path vendor/bundle; fi
+
+COPY package.json* ./
+COPY yarn.lock ./
+RUN yarn install
+
+COPY . /app
+
+ARG SECRET_KEY_BASE
+ENV SECRET_KEY_BASE=$SECRET_KEY_BASE
+
+ARG DATABASE_URL="postgres://postgres@db"
+ENV DATABASE_URL=$DATABASE_URL
+
+ARG REDIS_URL="redis://redis"
+ENV REDIS_URL=$REDIS_URL
+
+ARG AWS_DEFAULT_REGION
+ARG AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
+ARG COMPILE_ASSETS
+RUN if [ ! -z "$COMPILE_ASSETS" ] || [ "$RAILS_ENV" = "production" ] || [ "$RAILS_ENV" = "staging" ]; then ASSET_COMPILATION=1 bundle exec rake assets:precompile; fi
+
+ENTRYPOINT [ "bundle", "exec" ]
+
+# App
+FROM builder as app
+
+ENV RAILS_LOG_TO_STDOUT=1
+
+ARG RAILS_MASTER_KEY
+RUN if [ ! -z "$RAILS_MASTER_KEY" ] ; then echo "$RAILS_MASTER_KEY" > config/credentials/$RAILS_ENV.key ; fi
+
+ENV EDITOR=vim
+ENTRYPOINT [ "bundle", "exec" ]
+
+# Web
+FROM nginx as web
+
+WORKDIR /app
+
+COPY --from=builder /app/public /app/public/
+COPY docker/nginx/nginx.conf /etc/nginx/conf.d/default.conf
+
+ARG RAILS_ENV=development
+RUN if [ "$RAILS_ENV" = "production" ]; then sed -i 's/app:3000/localhost:3000/' /etc/nginx/conf.d/default.conf; fi
+
+EXPOSE 80
+
+CMD [ "nginx", "-g", "daemon off;" ]

data/templates/docker/nginx/nginx.conf

@@ -0,0 +1,78 @@
+upstream rails_app {
+  server app:3000;
+}
+
+server {
+  # define your domain
+  server_name www.example.com;
+
+  gzip on;
+  gzip_proxied no-cache no-store private expired auth;
+  gzip_min_length 1024;
+  gzip_types text/plain text/css application/json application/x-javascript text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;
+
+  client_max_body_size 50M;
+
+  # define the public application root
+  root   /app/public;
+  index  index.html;
+
+  # define where Nginx should write its logs
+  access_log /dev/stdout;
+  error_log /dev/stderr;
+
+  # deny requests for files that should never be accessed
+  location ~ /\. {
+    deny all;
+  }
+  location ~* ^.+\.(rb|log)$ {
+    deny all;
+  }
+
+  # serve static (compiled) assets directly if they exist (for rails production)
+  location ~* ^/(packs|assets)/ {
+    try_files $uri @rails;
+
+    access_log off;
+    gzip_static on;
+    expires max;
+
+    add_header Cache-Control public;
+    add_header Last-Modified "";
+    add_header ETag "";
+
+    add_header 'Access-Control-Allow-Origin' '*';
+    add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
+    add_header 'Access-Control-Expose-Headers' '';
+    add_header 'Access-Control-Max-Age' 1728000;
+
+    break;
+  }
+
+  # ActionCable config
+  location /cable {
+    proxy_http_version 1.1;
+    proxy_redirect off;
+
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "Upgrade";
+    proxy_set_header X-Real-IP  $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $http_host;
+
+    proxy_pass http://rails_app;
+  }
+
+  # send non-static file requests to the app server
+  location / {
+    try_files $uri @rails;
+  }
+
+  location @rails {
+    proxy_set_header X-Real-IP  $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $http_host;
+    proxy_redirect off;
+    proxy_pass http://rails_app;
+  }
+}

data/templates/docker-compose.yml.erb

@@ -0,0 +1,75 @@
+version: '3.4'
+
+volumes:
+  <%= app_config.short_name %>:
+    external: true
+
+services:
+  web:
+    image: <%= app_config.short_name %>-web:latest
+    build:
+      context: .
+      target: web
+    ports:
+      - "8080:80"
+    volumes:
+      . ./public:/app/public
+    depends_on:
+      - app
+  app:
+    image: <%= app_config.short_name %>-app:latest
+    build:
+      context: .
+      target: app
+    ports:
+      - "3000:3000"
+    volumes:
+      - <%= app_config.short_name %>:/app:nocopy
+    command: puma -C config/puma.rb
+    environment:
+      REDIS_URL: redis://redis
+      WEBPACKER_DEV_SERVER_HOST: webpacker
+    depends_on:
+      - db
+      - redis
+  webpacker:
+    image: <%= app_config.short_name %>-app:latest
+    ports:
+      - "3035:3035"
+    volumes:
+      - <%= app_config.short_name %>:/app:nocopy
+    command: bin/webpack-dev-server
+    environment:
+      WEBPACKER_DEV_SERVER_HOST: 0.0.0.0
+    depends_on:
+      - app
+  worker:
+    image: <%= app_config.short_name %>-app:latest
+    volumes:
+      - <%= app_config.short_name %>:/app:nocopy
+    command: rails resque:work
+    environment:
+      REDIS_URL: redis://redis
+      QUEUE: '*'
+    depends_on:
+      - app
+  scheduler:
+    image: <%= app_config.short_name %>-app:latest
+    volumes:
+      - <%= app_config.short_name %>:/app:nocopy
+    command: rails resque:scheduler
+    environment:
+      REDIS_URL: redis://redis
+    depends_on:
+      - app
+  db:
+    image: postgres:9.6-alpine
+    volumes:
+      - ./tmp/db_data:/var/lib/postgresql/data
+  redis:
+    image: redis:5.0.5-alpine
+  mailcatcher:
+    image: schickling/mailcatcher
+    command: mailcatcher --no-quit --foreground --ip=0.0.0.0 -v
+    ports:
+      - "1080:1080"

data/templates/terraform/modules/application/main.tf

@@ -0,0 +1,70 @@
+data "aws_caller_identity" "current" {}
+
+resource "aws_security_group" "ecs_tasks" {
+  name        = "${var.name}-ecs-tasks"
+  description = "allow inbound access from the ALB only for ${var.name}"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    protocol        = "tcp"
+    from_port       = "80"
+    to_port         = "80"
+    security_groups = [var.load_balance_security_group.id]
+  }
+
+  ingress {
+    protocol  = "-1"
+    from_port = 0
+    to_port   = 0
+    self      = true
+  }
+
+  egress {
+    protocol    = "-1"
+    from_port   = 0
+    to_port     = 0
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_ecs_cluster" "main" {
+  name = var.name
+}
+
+# Execution role for the cluster
+data "template_file" "ecs_execution_role" {
+  template = file("${path.module}/policies/ecs_execution_role.json")
+
+  vars = {
+    aws_account_id = data.aws_caller_identity.current.account_id
+  }
+}
+
+resource "aws_iam_role" "ecs_execution_role" {
+  name = "${var.name}-ecs-execution-role"
+
+  assume_role_policy = data.template_file.ecs_execution_role.rendered
+}
+
+resource "aws_iam_role_policy" "ecs_execution_policy" {
+  name   = "${var.name}-ecs-execution-policy"
+  role   = aws_iam_role.ecs_execution_role.id
+  policy = file("${path.module}/policies/ecs_execution.json")
+}
+
+# Execution role for the task, this allows the docker image access to AWS resources
+resource "aws_iam_role" "ecs_task_execution_role" {
+  name = "${var.name}-ecs-task-execution-role"
+
+  assume_role_policy = data.template_file.ecs_execution_role.rendered
+}
+
+data "template_file" "ecs_task_execution_policy" {
+  template = file("${path.module}/policies/ecs_task_execution.json")
+}
+
+resource "aws_iam_role_policy" "ecs_task_execution_policy" {
+  name   = "${var.name}-ecs-task-execution-policy"
+  role   = aws_iam_role.ecs_task_execution_role.id
+  policy = data.template_file.ecs_task_execution_policy.rendered
+}

data/templates/terraform/modules/application/one_off_service.tf

@@ -0,0 +1,48 @@
+# ONE OFF
+resource "aws_cloudwatch_log_group" "one_off" {
+  name              = "/ecs/service/${var.name}-one-off"
+  retention_in_days = "14"
+}
+
+data "template_file" "one_off_task_definition" {
+  template = file("${path.module}/task_definitions/one_off.json")
+
+  vars = {
+    app_log_path = aws_cloudwatch_log_group.one_off.name
+    app_image    = "${var.app_repository_url}:latest"
+    app_memory   = var.app_process_memory
+    region       = var.aws_region
+    app_memory   = var.app_task_memory
+    environment  = jsonencode(var.app_environment)
+  }
+}
+
+resource "aws_ecs_task_definition" "one_off" {
+  family                   = "${var.name}-one_off"
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  cpu                      = var.app_task_cpu
+  memory                   = var.app_task_memory
+  execution_role_arn       = aws_iam_role.ecs_execution_role.arn
+  task_role_arn            = aws_iam_role.ecs_task_execution_role.arn
+
+  container_definitions = data.template_file.one_off_task_definition.rendered
+}
+
+resource "aws_ecs_service" "one_off" {
+  name            = "${var.name}-one_off"
+  cluster         = aws_ecs_cluster.main.id
+  task_definition = aws_ecs_task_definition.one_off.arn
+  desired_count   = "0"
+  launch_type     = "FARGATE"
+
+  network_configuration {
+    security_groups = [aws_security_group.ecs_tasks.id]
+    subnets         = var.task_subnets
+  }
+
+  lifecycle {
+    create_before_destroy = true
+    ignore_changes        = [task_definition]
+  }
+}

data/templates/terraform/modules/application/outputs.tf

@@ -0,0 +1,19 @@
+output "application_security_group" {
+  value = aws_security_group.ecs_tasks
+}
+
+output "web_service_name" {
+  value = aws_ecs_service.web.name
+}
+
+output "worker_service_name" {
+  value = aws_ecs_service.worker.name
+}
+
+output "ecs_cluster" {
+  value = aws_ecs_cluster.main
+}
+
+output "one_off_task_definition_name" {
+  value = aws_ecs_task_definition.one_off.family
+}

data/templates/terraform/modules/application/policies/ecs_execution.json

@@ -0,0 +1,17 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ecr:GetAuthorizationToken",
+        "ecr:BatchCheckLayerAvailability",
+        "ecr:GetDownloadUrlForLayer",
+        "ecr:BatchGetImage",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ],
+      "Resource": "*"
+    }
+  ]
+}

data/templates/terraform/modules/application/policies/ecs_execution_role.json

@@ -0,0 +1,21 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "ecs-tasks.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    },
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "${aws_account_id}"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}

data/templates/terraform/modules/application/policies/ecs_task_execution.json

@@ -0,0 +1,17 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "iam:PassRole",
+      "Effect": "Allow",
+      "Resource": [
+        "*"
+      ],
+      "Condition": {
+        "StringLike": {
+          "iam:PassedToService": "ecs-tasks.amazonaws.com"
+        }
+      }
+    }
+  ]
+}

data/templates/terraform/modules/application/sshable.tf

@@ -0,0 +1,17 @@
+resource "aws_security_group" "sshable" {
+  name        = "sshable-${var.name}"
+  description = "Enable SSH to the world, please do not use unless you know what you are doing"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "TCP"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_key_pair" "sshable" {
+  key_name   = var.name
+  public_key = var.key_pair_public_key
+}

data/templates/terraform/modules/application/task_definitions/one_off.json

@@ -0,0 +1,18 @@
+[
+  {
+    "image": "${app_image}",
+    "memory": ${app_memory},
+    "name": "one_off",
+    "networkMode": "awsvpc",
+    "essential": true,
+    "environment": ${environment},
+    "logConfiguration": {
+      "logDriver": "awslogs",
+      "options": {
+        "awslogs-group": "${app_log_path}",
+        "awslogs-region": "${region}",
+        "awslogs-stream-prefix": "ecs"
+      }
+    }
+  }
+]

data/templates/terraform/modules/application/task_definitions/web.json

@@ -0,0 +1,41 @@
+[
+  {
+    "image": "${app_image}",
+    "memory": ${app_memory},
+    "name": "app",
+    "networkMode": "awsvpc",
+    "essential": true,
+    "command": [ "puma", "-C", "config/puma.rb" ],
+    "environment": ${environment},
+    "logConfiguration": {
+      "logDriver": "awslogs",
+      "options": {
+        "awslogs-group": "${app_log_path}",
+        "awslogs-region": "${region}",
+        "awslogs-stream-prefix": "ecs"
+      }
+    }
+  },
+  {
+    "image": "${web_image}",
+    "memory": 256,
+    "name": "web",
+    "networkMode": "awsvpc",
+    "essential": true,
+    "portMappings": [
+      {
+        "containerPort": 80,
+        "hostPort": 80,
+        "protocol": "tcp"
+      }
+    ],
+    "logConfiguration": {
+      "logDriver": "awslogs",
+      "options": {
+        "awslogs-group": "${web_log_path}",
+        "awslogs-region": "${region}",
+        "awslogs-stream-prefix": "ecs"
+      }
+    }
+  }
+]

data/templates/terraform/modules/application/task_definitions/worker.json

@@ -0,0 +1,49 @@
+[
+  {
+    "image": "${app_image}",
+    "memory": ${worker_app_memory},
+    "name": "worker",
+    "networkMode": "awsvpc",
+    "essential": true,
+    "command": [ "rails", "resque:work" ],
+    "environment": ${environment},
+    "healthCheck": {
+      "command": [ "CMD-SHELL", "ps -ef | grep \"resque\" | grep -v grep" ],
+      "interval": 5,
+      "timeout": 2,
+      "retries": 3,
+      "startPeriod": 30
+    },
+    "logConfiguration": {
+      "logDriver": "awslogs",
+      "options": {
+        "awslogs-group": "${app_log_path}",
+        "awslogs-region": "${region}",
+        "awslogs-stream-prefix": "ecs"
+      }
+    }
+  },
+  {
+    "image": "${app_image}",
+    "name": "scheduler",
+    "networkMode": "awsvpc",
+    "essential": true,
+    "command": [ "rails", "resque:scheduler" ],
+    "environment": ${environment},
+    "healthCheck": {
+      "command": [ "CMD-SHELL", "ps -ef | grep \"resque-scheduler\" | grep -v grep" ],
+      "interval": 5,
+      "timeout": 2,
+      "retries": 3,
+      "startPeriod": 30
+    },
+    "logConfiguration": {
+      "logDriver": "awslogs",
+      "options": {
+        "awslogs-group": "${app_log_path}",
+        "awslogs-region": "${region}",
+        "awslogs-stream-prefix": "ecs"
+      }
+    }
+  }
+]