feat: align infra and ci with tournament (#62)

* feat: align infra and ci with tournament

* chore: format terraform and pa11y config

* fix(ci): use localhost for accessibility db

Author: kennethaasan

.env.example

@@ -13,3 +13,22 @@ BASIC_AUTH_USER_ID="00000000-0000-7000-8000-000000000000"
 # Optional locally (defaults to a development secret) but REQUIRED in production
 # Generate with: `openssl rand -base64 32`
 BETTER_AUTH_SECRET="GWEDcva6qPMctBu7jLlFbpXiLUFWleQK"
+BETTER_AUTH_EMAIL_SENDER="no-reply@example.com"
+BETTER_AUTH_URL="http://localhost:3000"
+BETTER_AUTH_TRUSTED_ORIGINS="http://localhost:3000,https://mattis.vanvikil.no"
+
+# Amazon SES (emails)
+SES_ENABLED="false"
+SES_REGION="eu-north-1"
+SES_ACCESS_KEY_ID=""
+SES_SECRET_ACCESS_KEY=""
+SES_SOURCE_EMAIL=""
+SES_CONFIGURATION_SET=""
+
+# Base application URL surfaced to the browser
+NEXT_PUBLIC_APP_URL="http://localhost:3000"
+
+# AWS Lambda Powertools configuration
+POWERTOOLS_SERVICE_NAME="mattis"
+POWERTOOLS_LOG_LEVEL="INFO"
+POWERTOOLS_METRICS_NAMESPACE="mattis"

.github/workflows/ci-cd-pipeline.yml

@@ -36,6 +36,9 @@ jobs:
           - name: Lint (Biome)
             command: npm run lint
             job-timeout: 15
+          - name: OpenAPI Lint (Spectral)
+            command: npm run spectral
+            job-timeout: 10
     steps:
       - &node-checkout
         name: Checkout repository
@@ -177,6 +180,53 @@ jobs:
         if: github.event_name == 'pull_request'
         uses: actions/dependency-review-action@v4
 
+  accessibility:
+    name: Accessibility
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    services:
+      postgres:
+        image: postgres:17
+        ports:
+          - 5432:5432
+        env:
+          POSTGRES_DB: mattis
+          POSTGRES_USER: mattis
+          POSTGRES_PASSWORD: mattis
+        options: >-
+          --health-cmd "pg_isready -U mattis -d mattis"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+    env:
+      DATABASE_URL: postgresql://mattis:mattis@localhost:5432/mattis
+      NEXT_PUBLIC_APP_URL: http://127.0.0.1:3000
+    steps:
+      - *node-checkout
+      - *node-setup
+      - *node-install-dependencies
+      - *copy-example-env
+      - name: Seed database
+        run: npm run seed
+      - name: Build application
+        run: npm run build
+      - name: Start application
+        run: |
+          PORT=3000 npm run start > /tmp/next.log 2>&1 &
+      - name: Wait for application
+        run: |
+          for i in {1..30}; do
+            if curl -fsS http://127.0.0.1:3000/ >/dev/null; then
+              exit 0
+            fi
+            sleep 2
+          done
+          echo "Application did not start in time"
+          cat /tmp/next.log
+          exit 1
+      - name: Run accessibility checks
+        run: npm run test:accessibility
+
   build:
     name: Build
     runs-on: ubuntu-latest
@@ -233,6 +283,7 @@ jobs:
       - unit-tests
       - infra
       - e2e
+      - accessibility
       - build
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     environment: production

.pa11yci.json

@@ -0,0 +1,11 @@
+{
+  "defaults": {
+    "standard": "WCAG2AA",
+    "wait": 8000,
+    "timeout": 20000,
+    "chromeLaunchConfig": {
+      "args": ["--no-sandbox"]
+    }
+  },
+  "urls": ["http://127.0.0.1:3000/", "http://127.0.0.1:3000/login"]
+}

.spectral.yaml

@@ -0,0 +1,5 @@
+extends:
+  - spectral:oas
+
+rules:
+  operation-operationId: error

iac/locals.tf

@@ -5,4 +5,37 @@ locals {
     Environment = var.environment
     ManagedBy   = "terraform"
   }, var.tags)
+
+  default_email_sender = "no-reply@${var.app_domain}"
+
+  app_url_input                     = var.app_url == null ? "" : trimspace(var.app_url)
+  better_auth_url_input             = var.better_auth_url == null ? "" : trimspace(var.better_auth_url)
+  better_auth_trusted_origins_input = var.better_auth_trusted_origins == null ? "" : trimspace(var.better_auth_trusted_origins)
+
+  better_auth_email_sender_input = var.better_auth_email_sender == null ? "" : trimspace(var.better_auth_email_sender)
+  ses_source_email_input         = var.ses_source_email == null ? "" : trimspace(var.ses_source_email)
+  ses_region_input               = var.ses_region == null ? "" : trimspace(var.ses_region)
+  ses_domain_input               = var.ses_domain == null ? "" : trimspace(var.ses_domain)
+  ses_mail_from_input            = var.ses_mail_from_domain == null ? "" : trimspace(var.ses_mail_from_domain)
+  ses_configuration_set_input    = var.ses_configuration_set == null ? "" : trimspace(var.ses_configuration_set)
+  ses_event_topic_input          = var.ses_event_topic_name == null ? "" : trimspace(var.ses_event_topic_name)
+  ses_dmarc_rua_input            = var.ses_dmarc_rua_email == null ? "" : trimspace(var.ses_dmarc_rua_email)
+
+  better_auth_email_sender = local.better_auth_email_sender_input != "" ? local.better_auth_email_sender_input : local.default_email_sender
+  app_url                  = local.app_url_input != "" ? local.app_url_input : "https://${var.app_domain}"
+  better_auth_url          = local.better_auth_url_input != "" ? local.better_auth_url_input : local.app_url
+  better_auth_trusted_origins = local.better_auth_trusted_origins_input != "" ? local.better_auth_trusted_origins_input : join(",", distinct(compact([
+    local.app_url,
+    "https://mattis.vanvikil.no",
+  ])))
+  ses_source_email     = local.ses_source_email_input != "" ? local.ses_source_email_input : local.better_auth_email_sender
+  ses_region           = local.ses_region_input != "" ? local.ses_region_input : var.aws_region
+  ses_domain           = local.ses_domain_input != "" ? local.ses_domain_input : var.app_domain
+  ses_mail_from_domain = local.ses_mail_from_input != "" ? local.ses_mail_from_input : "mail.${local.ses_domain}"
+  ses_configuration_set_name = local.ses_configuration_set_input != "" ? local.ses_configuration_set_input : (
+    var.ses_create_configuration_set ? "${local.stack_name}-ses" : ""
+  )
+  ses_event_topic_name = local.ses_event_topic_input != "" ? local.ses_event_topic_input : "${local.stack_name}-ses-events"
+
+  dmarc_value = local.ses_dmarc_rua_input != "" ? "v=DMARC1; p=${var.ses_dmarc_policy}; rua=mailto:${local.ses_dmarc_rua_input}" : "v=DMARC1; p=${var.ses_dmarc_policy}"
 }