@hasna/uptime 0.1.6 → 0.1.8

package/infra/aws/main.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.6.0"
+  required_version = ">= 1.9.0"
 
   required_providers {
     aws = {
@@ -13,40 +13,43 @@ provider "aws" {
   region = var.region
 }
 
+data "aws_caller_identity" "current" {}
+
 locals {
-  prefix          = "${var.service_name}-${var.stage}"
-  container_port  = 3899
-  evidence_bucket = "hasna-${var.stage}-${var.service_name}-evidence"
+  prefix                = "${var.service_name}-${var.stage}"
+  container_port        = 3899
+  evidence_bucket       = "hasna-${var.stage}-${var.service_name}-evidence"
+  efs_uid               = 10001
+  efs_gid               = 10001
+  hosted_sqlite_db_path = "/data/uptime/uptime.db"
+  efs_enabled_services  = toset(["web"])
+  use_alb_https         = var.protected_access_mode == "alb_https_cert"
+  use_cloudfront        = var.protected_access_mode == "cloudfront_default_domain"
   services = {
     web = {
       desired_count = lookup(var.desired_counts, "web", 0)
-      db_access     = true
       command       = ["bun", "dist/cli/index.js", "serve", "--mode", "hosted", "--host", "0.0.0.0", "--port", tostring(local.container_port)]
-      secrets       = { HASNA_UPTIME_DATABASE_URL = var.database_secret_arn, APP_ENV = var.app_env_secret_arn, HASNA_UPTIME_HOSTED_TOKEN = var.hosted_token_secret_arn }
+      secrets       = { APP_ENV = var.app_env_secret_arn, HASNA_UPTIME_HOSTED_TOKEN = var.hosted_token_secret_arn }
     }
     scheduler = {
       desired_count = lookup(var.desired_counts, "scheduler", 0)
-      db_access     = true
       command       = ["bun", "dist/cli/index.js", "cloud", "plan"]
-      secrets       = { HASNA_UPTIME_DATABASE_URL = var.database_secret_arn, APP_ENV = var.app_env_secret_arn }
+      secrets       = { APP_ENV = var.app_env_secret_arn }
     }
     "public-probe" = {
       desired_count = lookup(var.desired_counts, "public-probe", 0)
-      db_access     = false
       command       = ["bun", "dist/cli/index.js", "cloud", "plan"]
       secrets       = { PROBE_CONFIG = var.public_probe_secret_arn }
     }
     reporter = {
       desired_count = lookup(var.desired_counts, "reporter", 0)
-      db_access     = true
       command       = ["bun", "dist/cli/index.js", "cloud", "plan"]
-      secrets       = { HASNA_UPTIME_DATABASE_URL = var.database_secret_arn, REPORTING_CONFIG = var.reporting_secret_arn }
+      secrets       = { REPORTING_CONFIG = var.reporting_secret_arn }
     }
     migration = {
       desired_count = lookup(var.desired_counts, "migration", 0)
-      db_access     = true
       command       = ["bun", "dist/cli/index.js", "cloud", "plan"]
-      secrets       = { HASNA_UPTIME_DATABASE_URL = var.database_secret_arn, APP_ENV = var.app_env_secret_arn }
+      secrets       = { APP_ENV = var.app_env_secret_arn }
     }
   }
   tags = {
@@ -61,8 +64,13 @@ data "aws_vpc" "target" {
   id = var.vpc_id
 }
 
+data "aws_ec2_managed_prefix_list" "cloudfront_origin_facing" {
+  count = local.use_cloudfront ? 1 : 0
+  name  = "com.amazonaws.global.cloudfront.origin-facing"
+}
+
 resource "aws_ecr_repository" "open_uptime" {
-  name                 = "hasna/opensource/${var.service_name}"
+  name                 = var.ecr_repository_name
   image_tag_mutability = "IMMUTABLE"
 
   image_scanning_configuration {
@@ -76,6 +84,113 @@ resource "aws_ecr_repository" "open_uptime" {
   tags = local.tags
 }
 
+resource "aws_cloudwatch_log_group" "image_builder" {
+  name              = "/aws/codebuild/${local.prefix}-image-builder"
+  retention_in_days = 14
+  kms_key_id        = var.kms_key_arn
+  tags              = local.tags
+}
+
+data "aws_iam_policy_document" "codebuild_assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["codebuild.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "image_builder" {
+  name               = "${local.prefix}-image-builder-role"
+  assume_role_policy = data.aws_iam_policy_document.codebuild_assume_role.json
+  tags               = local.tags
+}
+
+data "aws_iam_policy_document" "image_builder" {
+  statement {
+    actions   = ["ecr:GetAuthorizationToken"]
+    resources = ["*"]
+  }
+
+  statement {
+    actions = [
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:CompleteLayerUpload",
+      "ecr:DescribeImages",
+      "ecr:DescribeRepositories",
+      "ecr:InitiateLayerUpload",
+      "ecr:PutImage",
+      "ecr:UploadLayerPart",
+    ]
+    resources = [aws_ecr_repository.open_uptime.arn]
+  }
+
+  statement {
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+    resources = ["${aws_cloudwatch_log_group.image_builder.arn}:*"]
+  }
+}
+
+resource "aws_iam_role_policy" "image_builder" {
+  name   = "${local.prefix}-image-builder-policy"
+  role   = aws_iam_role.image_builder.id
+  policy = data.aws_iam_policy_document.image_builder.json
+}
+
+resource "aws_codebuild_project" "image_builder" {
+  name         = "${local.prefix}-image-builder"
+  description  = "Build published @hasna/uptime package into the Open Uptime ECR image"
+  service_role = aws_iam_role.image_builder.arn
+  tags         = local.tags
+
+  artifacts {
+    type = "NO_ARTIFACTS"
+  }
+
+  environment {
+    compute_type    = "BUILD_GENERAL1_SMALL"
+    image           = "aws/codebuild/standard:7.0"
+    type            = "LINUX_CONTAINER"
+    privileged_mode = true
+  }
+
+  logs_config {
+    cloudwatch_logs {
+      group_name = aws_cloudwatch_log_group.image_builder.name
+      status     = "ENABLED"
+    }
+  }
+
+  source {
+    type      = "NO_SOURCE"
+    buildspec = <<-YAML
+      version: 0.2
+      phases:
+        pre_build:
+          commands:
+            - aws --version
+            - aws ecr get-login-password --region ${var.region} | docker login --username AWS --password-stdin ${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com
+        build:
+          commands:
+            - npm pack @hasna/uptime@${var.runtime_package_version}
+            - mkdir package
+            - tar -xzf hasna-uptime-*.tgz -C package --strip-components=1
+            - cd package
+            - docker build -f Dockerfile.package -t ${aws_ecr_repository.open_uptime.repository_url}:${var.runtime_package_version} .
+            - docker push ${aws_ecr_repository.open_uptime.repository_url}:${var.runtime_package_version}
+            - IMAGE_DIGEST=$(aws ecr describe-images --region ${var.region} --repository-name ${aws_ecr_repository.open_uptime.name} --image-ids imageTag=${var.runtime_package_version} --query 'imageDetails[0].imageDigest' --output text)
+            - printf '%s@%s\n' '${aws_ecr_repository.open_uptime.repository_url}' "$IMAGE_DIGEST"
+      YAML
+  }
+
+  depends_on = [aws_iam_role_policy.image_builder]
+}
+
 resource "aws_s3_bucket" "evidence" {
   bucket = local.evidence_bucket
   tags   = local.tags
@@ -182,7 +297,7 @@ resource "aws_security_group" "alb" {
 }
 
 resource "aws_security_group_rule" "alb_https_ingress" {
-  count             = length(var.alb_ingress_cidr_blocks) > 0 ? 1 : 0
+  count             = local.use_alb_https && length(var.alb_ingress_cidr_blocks) > 0 ? 1 : 0
   type              = "ingress"
   description       = "HTTPS"
   security_group_id = aws_security_group.alb.id
@@ -192,6 +307,17 @@ resource "aws_security_group_rule" "alb_https_ingress" {
   cidr_blocks       = var.alb_ingress_cidr_blocks
 }
 
+resource "aws_security_group_rule" "alb_http_from_cloudfront" {
+  count             = local.use_cloudfront ? 1 : 0
+  type              = "ingress"
+  description       = "HTTP from CloudFront origin-facing ranges"
+  security_group_id = aws_security_group.alb.id
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  prefix_list_ids   = [data.aws_ec2_managed_prefix_list.cloudfront_origin_facing[0].id]
+}
+
 resource "aws_security_group_rule" "alb_to_web" {
   type                     = "egress"
   description              = "To Open Uptime web"
@@ -221,7 +347,7 @@ resource "aws_security_group_rule" "web_from_alb" {
 
 resource "aws_security_group_rule" "web_egress" {
   type              = "egress"
-  description       = "Controlled egress to AWS endpoints and database"
+  description       = "Controlled egress to AWS endpoints and EFS"
   security_group_id = aws_security_group.web.id
   from_port         = 0
   to_port           = 0
@@ -244,7 +370,7 @@ resource "aws_security_group_rule" "worker_egress" {
   for_each = aws_security_group.worker
 
   type              = "egress"
-  description       = each.key == "public-probe" ? "Public probe egress for approved public targets" : "Controlled egress to AWS endpoints and database"
+  description       = each.key == "public-probe" ? "Public probe egress for approved public targets" : "Controlled egress to AWS endpoints"
   security_group_id = each.value.id
   from_port         = 0
   to_port           = 0
@@ -252,28 +378,124 @@ resource "aws_security_group_rule" "worker_egress" {
   cidr_blocks       = each.key == "public-probe" ? ["0.0.0.0/0"] : [data.aws_vpc.target.cidr_block]
 }
 
-resource "aws_security_group_rule" "rds_from_web" {
+resource "aws_security_group" "efs" {
+  name        = "${local.prefix}-efs-sg"
+  description = "Open Uptime EFS data store"
+  vpc_id      = data.aws_vpc.target.id
+  tags        = local.tags
+}
+
+resource "aws_security_group_rule" "efs_from_web" {
   type                     = "ingress"
-  from_port                = 5432
-  to_port                  = 5432
+  description              = "Open Uptime web to EFS"
+  security_group_id        = aws_security_group.efs.id
+  from_port                = 2049
+  to_port                  = 2049
   protocol                 = "tcp"
-  security_group_id        = var.rds_security_group_id
   source_security_group_id = aws_security_group.web.id
-  description              = "Open Uptime web to RDS"
 }
 
-resource "aws_security_group_rule" "rds_from_workers" {
-  for_each = {
-    for key, value in local.services : key => value if key != "web" && value.db_access
+resource "aws_efs_file_system" "data" {
+  creation_token = "${local.prefix}-data"
+  encrypted      = true
+  kms_key_id     = var.kms_key_arn
+  tags           = merge(local.tags, { Name = "${local.prefix}-data" })
+
+  lifecycle_policy {
+    transition_to_ia = "AFTER_30_DAYS"
   }
+}
 
-  type                     = "ingress"
-  from_port                = 5432
-  to_port                  = 5432
-  protocol                 = "tcp"
-  security_group_id        = var.rds_security_group_id
-  source_security_group_id = aws_security_group.worker[each.key].id
-  description              = "Open Uptime ${each.key} to RDS"
+resource "aws_efs_backup_policy" "data" {
+  file_system_id = aws_efs_file_system.data.id
+
+  backup_policy {
+    status = "ENABLED"
+  }
+}
+
+resource "aws_efs_access_point" "uptime" {
+  file_system_id = aws_efs_file_system.data.id
+
+  posix_user {
+    uid = local.efs_uid
+    gid = local.efs_gid
+  }
+
+  root_directory {
+    path = "/uptime"
+
+    creation_info {
+      owner_uid   = local.efs_uid
+      owner_gid   = local.efs_gid
+      permissions = "0750"
+    }
+  }
+
+  tags = merge(local.tags, { Name = "${local.prefix}-uptime" })
+}
+
+resource "aws_efs_mount_target" "data" {
+  for_each        = toset(var.private_subnet_ids)
+  file_system_id  = aws_efs_file_system.data.id
+  subnet_id       = each.value
+  security_groups = [aws_security_group.efs.id]
+}
+
+resource "aws_backup_vault" "data" {
+  name        = "${local.prefix}-data"
+  kms_key_arn = var.kms_key_arn
+  tags        = local.tags
+}
+
+resource "aws_backup_plan" "data" {
+  name = "${local.prefix}-data"
+
+  rule {
+    rule_name         = "daily"
+    target_vault_name = aws_backup_vault.data.name
+    schedule          = "cron(0 5 * * ? *)"
+
+    lifecycle {
+      delete_after = 35
+    }
+  }
+
+  tags = local.tags
+}
+
+data "aws_iam_policy_document" "backup_assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["backup.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "backup" {
+  name               = "${local.prefix}-backup-role"
+  assume_role_policy = data.aws_iam_policy_document.backup_assume_role.json
+  tags               = local.tags
+}
+
+resource "aws_iam_role_policy_attachment" "backup" {
+  role       = aws_iam_role.backup.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
+}
+
+resource "aws_iam_role_policy_attachment" "backup_restore" {
+  role       = aws_iam_role.backup.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores"
+}
+
+resource "aws_backup_selection" "data" {
+  iam_role_arn = aws_iam_role.backup.arn
+  name         = "${local.prefix}-data"
+  plan_id      = aws_backup_plan.data.id
+  resources    = [aws_efs_file_system.data.arn]
 }
 
 resource "aws_lb" "open_uptime" {
@@ -302,6 +524,7 @@ resource "aws_lb_target_group" "web" {
 }
 
 resource "aws_lb_listener" "https" {
+  count             = local.use_alb_https ? 1 : 0
   load_balancer_arn = aws_lb.open_uptime.arn
   port              = 443
   protocol          = "HTTPS"
@@ -313,8 +536,73 @@ resource "aws_lb_listener" "https" {
   }
 }
 
+resource "aws_lb_listener" "http_cloudfront" {
+  count             = local.use_cloudfront ? 1 : 0
+  load_balancer_arn = aws_lb.open_uptime.arn
+  port              = 80
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.web.arn
+  }
+}
+
+resource "aws_cloudfront_distribution" "open_uptime" {
+  count           = local.use_cloudfront ? 1 : 0
+  enabled         = true
+  is_ipv6_enabled = true
+  comment         = "Open Uptime ${local.prefix} protected HTTPS edge"
+  price_class     = "PriceClass_100"
+  tags            = local.tags
+
+  origin {
+    domain_name = aws_lb.open_uptime.dns_name
+    origin_id   = "${local.prefix}-alb"
+
+    custom_origin_config {
+      http_port              = 80
+      https_port             = 443
+      origin_protocol_policy = "http-only"
+      origin_ssl_protocols   = ["TLSv1.2"]
+    }
+  }
+
+  default_cache_behavior {
+    target_origin_id       = "${local.prefix}-alb"
+    viewer_protocol_policy = "redirect-to-https"
+    compress               = true
+    allowed_methods        = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
+    cached_methods         = ["GET", "HEAD"]
+    default_ttl            = 0
+    max_ttl                = 0
+    min_ttl                = 0
+
+    forwarded_values {
+      query_string = true
+      headers      = ["Authorization", "Content-Type", "Origin", "X-Uptime-Hosted-Token"]
+
+      cookies {
+        forward = "all"
+      }
+    }
+  }
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  viewer_certificate {
+    cloudfront_default_certificate = true
+  }
+
+  depends_on = [aws_lb_listener.http_cloudfront]
+}
+
 resource "aws_route53_record" "open_uptime" {
-  count   = var.hosted_zone_id == null ? 0 : 1
+  count   = var.hosted_zone_id == null || !local.use_alb_https ? 0 : 1
   zone_id = var.hosted_zone_id
   name    = var.hostname
   type    = "A"
@@ -395,6 +683,24 @@ data "aws_iam_policy_document" "task" {
     actions   = ["kms:Decrypt", "kms:GenerateDataKey"]
     resources = [var.kms_key_arn]
   }
+
+  dynamic "statement" {
+    for_each = contains(local.efs_enabled_services, each.key) ? [1] : []
+
+    content {
+      actions = [
+        "elasticfilesystem:ClientMount",
+        "elasticfilesystem:ClientWrite",
+      ]
+      resources = [aws_efs_file_system.data.arn]
+
+      condition {
+        test     = "StringEquals"
+        variable = "elasticfilesystem:AccessPointArn"
+        values   = [aws_efs_access_point.uptime.arn]
+      }
+    }
+  }
 }
 
 resource "aws_iam_role_policy" "task" {
@@ -414,6 +720,24 @@ resource "aws_ecs_task_definition" "service" {
   execution_role_arn       = aws_iam_role.execution.arn
   task_role_arn            = aws_iam_role.task[each.key].arn
 
+  dynamic "volume" {
+    for_each = contains(local.efs_enabled_services, each.key) ? [1] : []
+
+    content {
+      name = "uptime-data"
+
+      efs_volume_configuration {
+        file_system_id     = aws_efs_file_system.data.id
+        transit_encryption = "ENABLED"
+
+        authorization_config {
+          access_point_id = aws_efs_access_point.uptime.id
+          iam             = "ENABLED"
+        }
+      }
+    }
+  }
+
   container_definitions = jsonencode([
     {
       name      = each.key
@@ -425,12 +749,26 @@ resource "aws_ecs_task_definition" "service" {
         hostPort      = local.container_port
         protocol      = "tcp"
       }] : []
-      environment = [
+      environment = concat([
         { name = "HASNA_UPTIME_MODE", value = "hosted" },
         { name = "HASNA_UPTIME_WORKSPACE_ID", value = var.workspace_id },
         { name = "HASNA_UPTIME_COMPONENT", value = each.key },
         { name = "HASNA_UPTIME_HOSTNAME", value = var.hostname },
-      ]
+        ], each.key == "web" ? [
+        {
+          name  = "HASNA_UPTIME_ALLOWED_ORIGINS"
+          value = local.use_cloudfront ? "https://${aws_cloudfront_distribution.open_uptime[0].domain_name}" : "https://${var.hostname}"
+        },
+        ] : [], contains(local.efs_enabled_services, each.key) ? [
+        { name = "HASNA_UPTIME_HOSTED_SQLITE_DB", value = local.hosted_sqlite_db_path },
+      ] : [])
+      mountPoints = contains(local.efs_enabled_services, each.key) ? [
+        {
+          sourceVolume  = "uptime-data"
+          containerPath = "/data/uptime"
+          readOnly      = false
+        }
+      ] : []
       secrets = [
         for name, value_from in each.value.secrets : {
           name      = name
@@ -476,7 +814,7 @@ resource "aws_ecs_service" "web" {
     container_port   = local.container_port
   }
 
-  depends_on = [aws_lb_listener.https]
+  depends_on = [aws_lb_listener.https, aws_lb_listener.http_cloudfront, aws_efs_mount_target.data]
 }
 
 resource "aws_ecs_service" "worker" {

package/infra/aws/outputs.tf

@@ -2,6 +2,10 @@ output "ecr_repository_url" {
   value = aws_ecr_repository.open_uptime.repository_url
 }
 
+output "image_builder_project_name" {
+  value = aws_codebuild_project.image_builder.name
+}
+
 output "ecs_cluster_name" {
   value = aws_ecs_cluster.open_uptime.name
 }
@@ -10,10 +14,26 @@ output "alb_dns_name" {
   value = aws_lb.open_uptime.dns_name
 }
 
+output "cloudfront_domain_name" {
+  value = try(aws_cloudfront_distribution.open_uptime[0].domain_name, null)
+}
+
+output "protected_access_url" {
+  value = var.protected_access_mode == "cloudfront_default_domain" ? "https://${aws_cloudfront_distribution.open_uptime[0].domain_name}" : "https://${var.hostname}"
+}
+
 output "evidence_bucket" {
   value = aws_s3_bucket.evidence.bucket
 }
 
+output "efs_file_system_id" {
+  value = aws_efs_file_system.data.id
+}
+
+output "efs_access_point_id" {
+  value = aws_efs_access_point.uptime.id
+}
+
 output "service_names" {
   value = concat(
     [aws_ecs_service.web.name],

package/infra/aws/terraform.tfvars.example

@@ -1,21 +1,22 @@
 region                   = "us-east-1"
 stage                    = "prod"
 service_name             = "open-uptime"
-hostname                 = "uptime.hasna.xyz"
-workspace_id             = "wks_2tyysw05cwap"
-vpc_id                   = "vpc-04c7f7abc1d3c3f56"
+hostname                 = "uptime.example.com"
+workspace_id             = "workspace-id"
+vpc_id                   = "vpc-xxxxxxxx"
+ecr_repository_name      = "open-uptime"
+protected_access_mode    = "cloudfront_default_domain"
 public_subnet_ids        = ["subnet-replace-public-a", "subnet-replace-public-b"]
 alb_ingress_cidr_blocks = []
 private_subnet_ids       = ["subnet-replace-private-a", "subnet-replace-private-b"]
-rds_security_group_id    = "sg-replace-rds"
-container_image          = "123456789012.dkr.ecr.us-east-1.amazonaws.com/hasna/opensource/open-uptime@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-certificate_arn          = "arn:aws:acm:us-east-1:123456789012:certificate/replace"
-hosted_zone_id           = "ZREPLACE"
-database_secret_arn      = "arn:aws:secretsmanager:us-east-1:123456789012:secret:hasna/xyz/opensource/uptime/prod/rds"
-app_env_secret_arn       = "arn:aws:secretsmanager:us-east-1:123456789012:secret:hasna/xyz/opensource/uptime/prod/app/env"
-hosted_token_secret_arn  = "arn:aws:secretsmanager:us-east-1:123456789012:secret:hasna/xyz/opensource/uptime/prod/hosted-token"
-public_probe_secret_arn  = "arn:aws:secretsmanager:us-east-1:123456789012:secret:hasna/xyz/opensource/uptime/prod/probe/public"
-reporting_secret_arn     = "arn:aws:secretsmanager:us-east-1:123456789012:secret:hasna/xyz/opensource/uptime/prod/reporting"
+container_image          = "123456789012.dkr.ecr.us-east-1.amazonaws.com/open-uptime@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+runtime_package_version  = "0.1.8"
+certificate_arn          = null
+hosted_zone_id           = null
+app_env_secret_arn       = "arn:aws:secretsmanager:us-east-1:123456789012:secret:open-uptime/prod/app/env"
+hosted_token_secret_arn  = "arn:aws:secretsmanager:us-east-1:123456789012:secret:open-uptime/prod/hosted-token"
+public_probe_secret_arn  = "arn:aws:secretsmanager:us-east-1:123456789012:secret:open-uptime/prod/probe/public"
+reporting_secret_arn     = "arn:aws:secretsmanager:us-east-1:123456789012:secret:open-uptime/prod/reporting"
 kms_key_arn              = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"
 alarm_actions            = []