bloom-housing
diff --git a/‎docker-compose.yml‎
Lines changed: 4 additions & 4 deletions b/‎docker-compose.yml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎infra/README.md‎
Lines changed: 12 additions & 0 deletions b/‎infra/README.md‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎infra/tofu_importable_modules/bloom_deployment/db.tf‎
Lines changed: 51 additions & 0 deletions b/‎infra/tofu_importable_modules/bloom_deployment/db.tf‎
Lines changed: 51 additions & 0 deletions
diff --git a/‎infra/tofu_importable_modules/bloom_deployment/ecs.tf‎
Lines changed: 230 additions & 0 deletions b/‎infra/tofu_importable_modules/bloom_deployment/ecs.tf‎
Lines changed: 230 additions & 0 deletions
diff --git a/‎infra/tofu_importable_modules/bloom_deployment/main.tf‎
Lines changed: 68 additions & 0 deletions b/‎infra/tofu_importable_modules/bloom_deployment/main.tf‎
Lines changed: 68 additions & 0 deletions
@@ -107,10 +107,10 @@ services:
       DATABASE_URL: "postgres://postgres:example@db:5432/bloom_prisma"
     healthcheck:
       test: ["CMD", "curl", "--fail", "http://127.0.0.1:3100/"]
-      interval: "2s"
-      timeout: "1s"
-      retries: 20
-      start_period: "1s"
+      interval: "5s"
+      timeout: "2s"
+      retries: 10
+      start_period: "5s"
     depends_on:
       db:
         condition: service_healthy
 
@@ -10,9 +10,19 @@ Cloud Native Computing Foundation.
   is a set of resources that are all managed together. Each root module has a state file that
   records the results of the latest apply operation.
 
+   - [bloom_dev](./tofu_root_modules/bloom_dev/README.md): Configures the bloom-dev AWS account.
    - [bloom_dev_deployer_permission_set](./tofu_root_modules/bloom_dev_deployer_permission_set/README.md):
      Configures the bloom-dev-deployer permission set that is assigned on the bloom-dev account.
 
+- [tofu_importable_modules](./tofu_importable_modules): Contains all the Open Tofu importable
+  modules. An importable module is a reusable set of resources configured through input
+  parameters. Root modules import importable modules.
+
+   - [bloom_deployment](./tofu_importable_modules/bloom_deployment/README.md): Configures all the
+     resources needed for a Bloom deployment in a single AWS account.
+
+
+
 ## Infrastructure-as-code mental model
 
 Let's say that you need to deploy Bloom to an AWS account. A straight-forward way of achieving this
@@ -122,6 +132,8 @@ directory.
    (Log in via https://d-9067ac8222.awsapps.com/start). If there are unexpected results, go back to
    step 1. In some cases you may have to manually modify or delete resources directly to 'unstick'
    Open Tofu.
+6. To delete only the resources provisioned by the bloom-dev module, run `tofu destroy
+   -target=module.bloom-dev`.
 
 ## AWS setup done manually
 
 
@@ -0,0 +1,51 @@
+# Create a database.
+locals {
+  # Pricing: https://aws.amazon.com/rds/postgresql/pricing/?pg=pr&loc=3
+  # Machine specs: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.DBInstanceClass.Summary.html#hardware-specifications.burstable-inst-classes
+  db_instance_class = local.is_prod ? "db.t4g.medium" : "db.t4g.micro"
+  db_multi_az       = local.is_prod ? true : false
+
+  # https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html#gp2-storage
+  # Unit: GiB
+  db_start_storage = local.is_prod ? 10 : 5
+  db_max_storage   = local.is_prod ? 50 : 10
+
+  # Unit: days
+  db_backup_retention = local.is_prod ? 30 : 7
+}
+resource "aws_db_subnet_group" "bloom" {
+  region     = var.aws_region
+  name       = "bloom"
+  subnet_ids = [for s in aws_subnet.db : s.id]
+}
+resource "aws_db_instance" "bloom" {
+  identifier                      = "bloom"
+  deletion_protection             = local.is_prod
+  engine                          = "postgres"
+  engine_version                  = "17"
+  instance_class                  = local.db_instance_class
+  multi_az                        = local.db_multi_az
+  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade", "iam-db-auth-error"]
+  username                        = "master"
+  manage_master_user_password     = true
+
+  # Networking
+  vpc_security_group_ids              = [aws_security_group.db.id]
+  iam_database_authentication_enabled = true
+  db_subnet_group_name                = aws_db_subnet_group.bloom.id
+
+  # Updates
+  apply_immediately           = true # If false, any changes are applied in the next maintenance window instead of when tofu apply runs.
+  engine_lifecycle_support    = "open-source-rds-extended-support"
+  allow_major_version_upgrade = false
+  auto_minor_version_upgrade  = true
+
+  # Storage
+  storage_encrypted         = true
+  storage_type              = "gp2"
+  allocated_storage         = local.db_start_storage
+  max_allocated_storage     = local.db_max_storage
+  backup_retention_period   = local.db_backup_retention
+  final_snapshot_identifier = "bloom-db-finalsnapshot"
+  skip_final_snapshot       = !local.is_prod
+}
@@ -0,0 +1,230 @@
+# Create an ECS cluster and services for each Bloom binary.
+resource "aws_iam_service_linked_role" "ecs" {
+  aws_service_name = "ecs.amazonaws.com"
+}
+resource "aws_ecs_cluster" "bloom" {
+  region     = var.aws_region
+  name       = "bloom"
+  depends_on = [aws_iam_service_linked_role.ecs]
+  setting {
+    name  = "containerInsights"
+    value = "enabled"
+  }
+}
+
+# API service.
+resource "aws_iam_role" "bloom_api_ecs" {
+  name        = "bloom-api-ecs"
+  description = "Role the ECS service uses when launching the Bloom api container."
+  # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html#create_task_iam_policy_and_role
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = "ecs-tasks.amazonaws.com"
+      }
+      Condition = {
+        ArnLike = {
+          "aws:SourceArn" = "arn:aws:ecs:${var.aws_region}:${var.aws_account_number}:*"
+        }
+        StringEquals = {
+          "aws:SourceAccount" = var.aws_account_number
+        }
+      }
+    }]
+  })
+}
+resource "aws_iam_role_policy" "bloom_api_ecs" {
+  name = "bloom-api-ecs"
+  role = aws_iam_role.bloom_api_ecs.id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action   = "secretsmanager:GetSecretValue"
+        Effect   = "Allow"
+        Resource = aws_db_instance.bloom.master_user_secret[0].secret_arn
+      },
+      {
+        Action = [
+          "logs:CreateLogStream",
+          "logs:PutLogEvents",
+        ]
+        Effect   = "Allow"
+        Resource = "${aws_cloudwatch_log_group.bloom_api.arn}:log-stream:*"
+      },
+    ]
+  })
+}
+resource "aws_iam_role" "bloom_api_container" {
+  name        = "bloom-api-container"
+  description = "Role the Bloom API container runs as."
+  # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html#create_task_iam_policy_and_role
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = "ecs-tasks.amazonaws.com"
+      }
+      Condition = {
+        ArnLike = {
+          "aws:SourceArn" = "arn:aws:ecs:${var.aws_region}:${var.aws_account_number}:*"
+        }
+        StringEquals = {
+          "aws:SourceAccount" = var.aws_account_number
+        }
+      }
+    }]
+  })
+}
+resource "aws_iam_role_policy" "bloom_api_container" {
+  name = "bloom-api-container"
+  role = aws_iam_role.bloom_api_container.id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action   = "*"
+      Effect   = "Deny"
+      Resource = "*"
+    }]
+  })
+}
+resource "aws_cloudwatch_log_group" "bloom_api" {
+  region            = var.aws_region
+  name              = "bloom-api"
+  log_group_class   = "STANDARD"
+  retention_in_days = local.is_prod ? 30 : 7
+}
+resource "aws_ecs_task_definition" "bloom_api" {
+  region                   = var.aws_region
+  family                   = "bloom-api"
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  runtime_platform {
+    operating_system_family = "LINUX"
+    cpu_architecture        = "X86_64"
+  }
+
+  execution_role_arn = aws_iam_role.bloom_api_ecs.arn
+  task_role_arn      = aws_iam_role.bloom_api_container.arn
+
+  # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size
+  cpu    = 1024     # 1 vCPU
+  memory = 2 * 1024 # 2 GiB in MiB
+
+  container_definitions = jsonencode([
+    {
+      Name  = "bloom-api"
+      image = var.bloom_api_image
+      command = [
+        "/bin/bash",
+        "-c",
+        # TODO: https://www.prisma.io/docs/orm/more/help-and-troubleshooting/dataguide/connection-uris#percent-encoding-values
+        "export DATABASE_URL=postgres://$DB_USER:$(echo $DB_PASSWORD | sed 's/:/%3A/')@$DB_HOST/bloomprisma && env && yarn db:migration:run && yarn start:prod",
+      ]
+      secrets = [
+        {
+          name = "DB_PASSWORD"
+          # The master_user_secret tofu attribute is a block, so it is exposed as a list even though
+          # there is only one element.
+          #
+          # The RDS managed secret has a username key and a password key. Docs for how to read
+          # a specific key out of a secret:
+          # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/secrets-envvar-secrets-manager.html#secrets-envvar-secrets-manager-update-container-definition
+          valueFrom = "${aws_db_instance.bloom.master_user_secret[0].secret_arn}:password::"
+        }
+      ]
+      environment = [
+        {
+          name  = "PORT"
+          value = "3100"
+        },
+        {
+          name  = "NODE_ENV"
+          value = "production"
+        },
+        {
+          name  = "APP_SECRET"
+          value = "totally a secret"
+        },
+        {
+          name  = "DB_USER"
+          value = aws_db_instance.bloom.username
+        },
+        {
+          name  = "DB_HOST"
+          value = aws_db_instance.bloom.endpoint
+        },
+      ]
+      portMappings = [
+        {
+          containerPort = 3100
+          appProtocol   = "http"
+        }
+      ]
+      restartPolicy = {
+        enabled = false
+      }
+      healthCheck = {
+        command = [
+          "curl",
+          "--fail",
+          "http://127.0.0.1:3100/"
+        ]
+        interval    = 5 # seconds
+        timeout     = 2 # seconds
+        retries     = 10
+        startPeriod = 5 # seconds
+      }
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          "awslogs-region"        = var.aws_region
+          "awslogs-group"         = aws_cloudwatch_log_group.bloom_api.name
+          "awslogs-stream-prefix" = "bloom-api"
+        }
+      }
+    }
+  ])
+}
+resource "aws_ecs_service" "bloom_api" {
+  region                = var.aws_region
+  cluster               = aws_ecs_cluster.bloom.arn
+  name                  = "bloom-api"
+  force_delete          = true # allow deletion of the service without scaling down tasks to 0 first.
+  task_definition       = aws_ecs_task_definition.bloom_api.arn
+  wait_for_steady_state = false
+  depends_on = [
+    aws_db_instance.bloom,
+    aws_vpc_endpoint.secrets_manager,
+    aws_route_table_association.api_to_nat,
+  ]
+
+  network_configuration {
+    security_groups  = [aws_security_group.api.id]
+    subnets          = [for s in aws_subnet.api : s.id]
+    assign_public_ip = false
+  }
+  # load_balancer {}
+  # health_check_grace_period_seconds - LB
+
+  launch_type                   = "FARGATE"
+  scheduling_strategy           = "REPLICA"
+  availability_zone_rebalancing = "ENABLED"
+  desired_count                 = local.is_prod ? 2 : 1
+  deployment_configuration {
+    strategy = "ROLLING"
+  }
+  deployment_circuit_breaker {
+    enable   = true
+    rollback = true
+  }
+  deployment_controller {
+    type = "ECS"
+  }
+  deployment_maximum_percent = 200 # allow surge of up to twice desired task count.
+}
@@ -0,0 +1,68 @@
+terraform {
+  required_providers {
+    time = {
+      source  = "hashicorp/time"
+      version = "0.13.1"
+    }
+    aws = {
+      version = "6.21.0"
+      source  = "hashicorp/aws"
+    }
+  }
+}
+
+variable "env_type" {
+  type        = string
+  description = "Type of environment this deployment is going in."
+  validation {
+    condition = (
+      var.env_type == "dev" ||
+      var.env_type == "production"
+    )
+    error_message = "Must be 'dev' or 'production'."
+  }
+}
+variable "aws_account_number" {
+  type        = number
+  description = "AWS account number that is being configured."
+}
+variable "aws_region" {
+  type        = string
+  description = "Region to deploy AWS resources to"
+  validation {
+    condition = (
+      var.aws_region == "us-east-1" ||
+      var.aws_region == "us-east-2" ||
+      var.aws_region == "us-west-1" ||
+      var.aws_region == "us-west-2"
+    )
+    error_message = "Must be 'us-east-1', 'us-east-2', 'us-west-1', or 'us-west-2'."
+  }
+}
+locals {
+  is_prod = var.env_type == "production"
+}
+variable "bloom_api_image" {
+  type        = string
+  description = "Container image for the Bloom API."
+}
+variable "bloom_partners_site_image" {
+  type        = string
+  description = "Container image for the Bloom partners site."
+}
+variable "bloom_public_site_image" {
+  type        = string
+  description = "Container image for the Bloom public site."
+}
+
+# Create a CloudTrail data store so that audit events are query-able in SQL.
+resource "aws_cloudtrail_event_data_store" "audit" {
+  count = local.is_prod ? 1 : 0
+
+  region                         = var.aws_region
+  name                           = "audit"
+  multi_region_enabled           = true
+  retention_period               = 30
+  termination_protection_enabled = true
+}
+