Move terraform code into this repo (#353)

## Description

Move Terraform code over from
https://github.com/skylight-hq/dibbs-tf-envs. Makes a few changes,
including changing tfstate backend from Azure to AWS, and adding a
bootstrapping step to set up the state.

Author: nickclyde

.dockerignore

@@ -3,4 +3,11 @@ frontend/dist
 frontend/.vite
 frontend/coverage
 **/.DS_Store
-**/node_modules
+**/node_modules
+.git
+.venv
+.ruff_cache
+e2e
+docs
+terraform
+**/__pycache__

.github/workflows/bootstrap.yaml

@@ -0,0 +1,70 @@
+name: Bootstrap Terraform State Backend
+run-name: Bootstrap Terraform State Backend by @${{ github.actor }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      apply:
+        description: "Apply changes (if false, only runs plan)"
+        type: boolean
+        default: false
+      destroy:
+        description: "Destroy state backend resources (WARNING: irreversible)"
+        type: boolean
+        default: false
+
+concurrency:
+  group: bootstrap-terraform-state
+  cancel-in-progress: false
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  bootstrap:
+    name: Bootstrap
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v4
+        with:
+          terraform_version: 1.14.7
+          terraform_wrapper: false
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.TERRAFORM_ROLE_ARN }}
+          role-session-name: githubBootstrapWorkflow
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Terraform Init
+        working-directory: terraform/bootstrap
+        run: terraform init
+
+      - name: Terraform Format Check
+        working-directory: terraform/bootstrap
+        run: terraform fmt -check -recursive
+
+      - name: Terraform Validate
+        working-directory: terraform/bootstrap
+        run: terraform validate
+
+      - name: Terraform Plan
+        if: ${{ !inputs.apply && !inputs.destroy }}
+        working-directory: terraform/bootstrap
+        run: terraform plan
+
+      - name: Terraform Apply
+        if: ${{ inputs.apply && !inputs.destroy }}
+        working-directory: terraform/bootstrap
+        run: terraform apply -auto-approve
+
+      - name: Terraform Destroy
+        if: ${{ inputs.destroy }}
+        working-directory: terraform/bootstrap
+        run: terraform destroy -auto-approve

.github/workflows/deploy.yaml

@@ -0,0 +1,106 @@
+name: Deploy Text-to-Code AWS demo
+run-name: Deploy Text-to-Code AWS demo by @${{ github.actor }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      apply:
+        description: "Apply changes (if false, only runs plan)"
+        type: boolean
+        default: false
+      destroy:
+        description: "Destroy all resources (WARNING: irreversible)"
+        type: boolean
+        default: false
+
+concurrency:
+  group: deploy-text-to-code-aws-demo
+  cancel-in-progress: false
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  deploy_text_to_code:
+    name: Terraform
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v4
+        with:
+          terraform_version: 1.14.7
+          terraform_wrapper: false
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.TERRAFORM_ROLE_ARN }}
+          role-session-name: githubDeploymentWorkflow
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Terraform Init
+        working-directory: terraform
+        run: terraform init
+
+      - name: Terraform Format Check
+        working-directory: terraform
+        run: terraform fmt -check -recursive
+
+      - name: Terraform Validate
+        working-directory: terraform
+        run: terraform validate
+
+      - name: Create ECR repositories
+        if: ${{ inputs.apply && !inputs.destroy }}
+        working-directory: terraform
+        run: terraform apply -auto-approve -target=aws_ecr_repository.index_lambda -target=aws_ecr_repository.ttc_lambda
+
+      - name: Login to Amazon ECR
+        if: ${{ inputs.apply && !inputs.destroy }}
+        id: ecr-login
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Get ECR repository URLs
+        if: ${{ inputs.apply && !inputs.destroy }}
+        id: ecr-url
+        working-directory: terraform
+        run: |
+          INDEX_ECR_URL=$(terraform output -raw index_ecr_repository_url)
+          echo "index_ecr_url=$INDEX_ECR_URL" >> "$GITHUB_OUTPUT"
+          ECR_URL=$(terraform output -raw ecr_repository_url)
+          echo "ecr_url=$ECR_URL" >> "$GITHUB_OUTPUT"
+
+      - name: Build and push Index Docker image
+        if: ${{ inputs.apply && !inputs.destroy }}
+        run: |
+          INDEX_ECR_URL="${{ steps.ecr-url.outputs.index_ecr_url }}"
+          docker build -f Dockerfile.index -t "$INDEX_ECR_URL:${{ github.sha }}" -t "$INDEX_ECR_URL:latest" .
+          docker push "$INDEX_ECR_URL:${{ github.sha }}"
+          docker push "$INDEX_ECR_URL:latest"
+
+      - name: Build and push TTC Docker image
+        if: ${{ inputs.apply && !inputs.destroy }}
+        run: |
+          ECR_URL="${{ steps.ecr-url.outputs.ecr_url }}"
+          docker build -f Dockerfile.ttc -t "$ECR_URL:${{ github.sha }}" -t "$ECR_URL:latest" .
+          docker push "$ECR_URL:${{ github.sha }}"
+          docker push "$ECR_URL:latest"
+
+      - name: Terraform Plan
+        if: ${{ !inputs.apply && !inputs.destroy }}
+        working-directory: terraform
+        run: terraform plan
+
+      - name: Terraform Apply
+        if: ${{ inputs.apply && !inputs.destroy }}
+        working-directory: terraform
+        run: terraform apply -auto-approve -var="index_lambda_image_tag=${{ github.sha }}" -var="ttc_lambda_image_tag=${{ github.sha }}"
+
+      - name: Terraform Destroy
+        if: ${{ inputs.destroy }}
+        working-directory: terraform
+        run: terraform destroy -auto-approve

.github/workflows/docker-image-push.yml

@@ -28,8 +28,8 @@ jobs:
         include:
           - name: index
             dockerfile: Dockerfile.index
-          - name: lambda
-            dockerfile: Dockerfile.lambda
+          - name: ttc
+            dockerfile: Dockerfile.ttc
           - name: augmentation
             dockerfile: Dockerfile.augmentation
 
@@ -85,3 +85,23 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+
+      - name: Configure APHL AWS credentials
+        if: ${{ matrix.name != 'index' }}
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.APHL_AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.APHL_AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
+
+      - name: Login to APHL ECR
+        if: ${{ matrix.name != 'index' }}
+        id: aphl-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Push to APHL ECR
+        if: ${{ matrix.name != 'index' }}
+        run: |
+          GHCR_IMAGE="ghcr.io/${{ steps.repo.outputs.owner }}/dibbs-text-to-code/${{ matrix.name }}:latest"
+          ECR_IMAGE="${{ secrets.APHL_ECR_REPOSITORY_URL }}/${{ matrix.name }}:latest"
+          docker buildx imagetools create --tag "$ECR_IMAGE" "$GHCR_IMAGE"

Dockerfile.lambda

@@ -0,0 +1,33 @@
+FROM public.ecr.aws/lambda/python:3.12
+
+LABEL org.opencontainers.image.source=https://github.com/CDCgov/dibbs-text-to-code
+LABEL org.opencontainers.image.licenses=Apache-2.0
+
+# Install build tools for C++ extensions
+RUN microdnf install -y gcc-c++ make && microdnf clean all
+
+# Copy and install workspace packages in dependency order
+COPY ./packages/shared-models ${LAMBDA_TASK_ROOT}/shared-models
+RUN pip install --no-cache-dir "${LAMBDA_TASK_ROOT}/shared-models"
+
+COPY ./packages/lambda-handler ${LAMBDA_TASK_ROOT}/lambda-handler
+RUN pip install --no-cache-dir "${LAMBDA_TASK_ROOT}/lambda-handler"
+
+COPY ./packages/text-to-code ${LAMBDA_TASK_ROOT}/text-to-code
+RUN pip install --no-cache-dir "${LAMBDA_TASK_ROOT}/text-to-code"
+
+COPY ./packages/text-to-code-lambda ${LAMBDA_TASK_ROOT}/text-to-code-lambda
+RUN pip install --no-cache-dir "${LAMBDA_TASK_ROOT}/text-to-code-lambda"
+
+# Download model at build time (baked into image)
+RUN python -c "\
+from huggingface_hub import snapshot_download; \
+snapshot_download( \
+    repo_id='intfloat/e5-large-v2', \
+    local_dir='/opt/model', \
+    ignore_patterns=['*.git*', '*.md', 'onnx/*', 'openvino/*', 'pytorch_model.bin'] \
+)"
+
+ENV MODEL_PATH="/opt/model"
+
+CMD ["text_to_code_lambda.lambda_function.handler"]

Dockerfile.ttc

@@ -0,0 +1,54 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore transient lock info files created by terraform apply
+.terraform.tfstate.lock.info
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+# Extra Goodies
+.terraform.lock.hcl
+.infracost
+terraform.tfstate
+terraform.tfstate.d
+terraform.tfstate.backup
+*.tfvars
+.vscode/settings.json
+credentials.json
+.bash_profile
+awscli-bundle/
+.todo
+.DS_Store
+# Ignore .dot files
+**/*.dot
+