Add infra for Catala app

.github/workflows/cd-app-catala.yml

@@ -0,0 +1,38 @@
+name: Deploy app-catala
+# Need to set a default value for when the workflow is triggered from a git push
+# which bypasses the default configuration for inputs
+run-name: Deploy ${{inputs.version || 'main' }} to app-catala ${{ inputs.environment || 'dev' }}
+
+on:
+  push:
+    branches:
+      - "main"
+    paths:
+      - "app-catala/**"
+      - "bin/**"
+      - "infra/**"
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: Environment to deploy to
+        required: true
+        default: "dev"
+        type: choice
+        options:
+          - dev
+          - staging
+          - prod
+      version:
+        required: true
+        default: "main"
+        description: Tag or branch or SHA to deploy
+
+jobs:
+  deploy:
+    name: " " # GitHub UI is noisy when calling reusable workflows, so use whitespace for name to reduce noise
+    uses: ./.github/workflows/deploy.yml
+    with:
+      app_name: "app-catala"
+      environment: ${{ inputs.environment || 'dev' }}
+      version: ${{ inputs.version || 'main' }}
+    secrets: inherit

.github/workflows/ci-app-catala-infra-service.yml

@@ -0,0 +1,62 @@
+name: CI Infra Service Checks - app-catala
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - infra/app-catala/service/**
+      - infra/modules/**
+      - infra/test/**
+      - .github/workflows/ci-app-catala-infra-service.yml
+  pull_request:
+    paths:
+      - infra/app-catala/service/**
+      - infra/modules/**
+      - infra/test/**
+      - .github/workflows/ci-app-catala-infra-service.yml
+  workflow_dispatch:
+    inputs:
+      version:
+        required: true
+        default: "main"
+        description: Tag or branch or SHA to test
+
+jobs:
+  build-and-publish:
+    name: Build
+    uses: ./.github/workflows/build-and-publish.yml
+    with:
+      app_name: app-catala
+      ref: ${{ inputs.version || github.ref }}
+
+  infra-test-e2e:
+    name: Test service
+    runs-on: ubuntu-latest
+    needs: [build-and-publish]
+
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.version || github.ref }}
+
+      - name: Set up Terraform
+        uses: ./.github/actions/setup-terraform
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: "infra/test/go.mod"
+
+      - name: Configure AWS credentials
+        uses: ./.github/actions/configure-aws-credentials
+        with:
+          app_name: app-catala
+          # Run infra CI on dev environment
+          environment: dev
+
+      - name: Run Terratest
+        run: make infra-test-service APP_NAME=app-catala

.github/workflows/ci-app-catala-pr-environment-checks.yml

@@ -0,0 +1,22 @@
+name: CI app-catala PR Environment Checks
+on:
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        required: true
+        type: string
+      commit_hash:
+        required: true
+        type: string
+  pull_request:
+
+jobs:
+  update:
+    name: " " # GitHub UI is noisy when calling reusable workflows, so use whitespace for name to reduce noise
+    uses: ./.github/workflows/pr-environment-checks.yml
+    if: github.event_name == 'workflow_dispatch' || github.event.pull_request.state == 'open'
+    with:
+      app_name: "app-catala"
+      environment: "dev"
+      pr_number: ${{ inputs.pr_number || github.event.number }}
+      commit_hash: ${{ inputs.commit_hash || github.event.pull_request.head.sha }}

.github/workflows/ci-app-catala-pr-environment-destroy.yml

@@ -0,0 +1,18 @@
+name: CI app-catala PR Environment Destroy
+on:
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        required: true
+        type: string
+  pull_request_target:
+    types: [closed]
+
+jobs:
+  destroy:
+    name: " " # GitHub UI is noisy when calling reusable workflows, so use whitespace for name to reduce noise
+    uses: ./.github/workflows/pr-environment-destroy.yml
+    with:
+      app_name: "app-catala"
+      environment: "dev"
+      pr_number: ${{ inputs.pr_number || github.event.number }}

.github/workflows/ci-app-catala-vulnerability-scans.yml

@@ -0,0 +1,28 @@
+name: CI Vulnerability Scans - app-catala
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - app-catala/**
+      - .grype.yml
+      - .hadolint.yaml
+      - .trivyignore
+      - .github/workflows/vulnerability-scans.yml
+      - .github/workflows/ci-app-catala-vulnerability-scans.yml
+  pull_request:
+    paths:
+      - app-catala/**
+      - .grype.yml
+      - .hadolint.yaml
+      - .trivyignore
+      - .github/workflows/vulnerability-scans.yml
+      - .github/workflows/ci-app-catala-vulnerability-scans.yml
+
+jobs:
+  vulnerability-scans:
+    name: Vulnerability Scans
+    uses: ./.github/workflows/vulnerability-scans.yml
+    with:
+      app_name: "app-catala"

.strata-template-rules-engine-catala/app-catala.yml

@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier; NEVER EDIT MANUALLY
 _commit: 4f60dcd
 _src_path: https://github.com/navapbc/strata-template-rules-engine-catala
-app_local_port: 3001
+app_local_port: 3400
 app_name: app-catala

.template-infra/app-app-catala.yml

@@ -0,0 +1,7 @@
+# Changes here will be overwritten by Copier
+_commit: v0.16.0-21-g3af6525
+_src_path: https://github.com/navapbc/template-infra
+app_has_dev_env_setup: true
+app_local_port: 3400
+app_name: app-catala
+template: app

app-catala/.dockleignore

@@ -0,0 +1,2 @@
+# Ignore apt-get cache not being cleared in python base image
+DKL-DI-0005

app-catala/.grype.yml

@@ -0,0 +1,10 @@
+ignore:
+  # These settings ignore any findings that fall into these categories
+  - fix-state: not-fixed
+  - fix-state: wont-fix
+  - fix-state: unknown
+
+  # We dont use imaplib
+  - vulnerability: CVE-2025-15366
+  # We dont use poplib
+  - vulnerability: CVE-2025-15367

app-catala/docker-compose.yml

@@ -15,7 +15,7 @@ services:
       - PY_RUN_APPROACH=local
       - PYTHONPATH=/app/
     ports:
-      - 3001:3001
+      - 3400:3400
     volumes:
       - ./:/app/
       - /app/.venv

app-catala/local.env

@@ -5,7 +5,7 @@
 # create an override.env file in the same directory.
 
 ENVIRONMENT=local
-PORT=3001
+PORT=3400
 
 ############################
 # Logging

docs/app-catala/getting-started.md

@@ -27,7 +27,7 @@ A simple [docker-compose.yml](/app-catala/docker-compose.yml) has been included
 **Note:** Run everything from within the `/app-catala` folder:
 
 1. Run `make init start` to build the image and start the container.
-2. Navigate to `localhost:3001/docs` to access the API documentation (Swagger UI).
+2. Navigate to `localhost:3400/docs` to access the API documentation (Swagger UI).
 3. Run `make run-logs` to see the logs of the running container.
 4. Run `make stop` when you are done to stop the container.
 

e2e/app-catala/playwright.config.js

@@ -0,0 +1,11 @@
+import baseConfig from '../playwright.config';
+import { deepMerge } from '../lib/util';
+import { defineConfig } from '@playwright/test';
+
+export default defineConfig(
+  deepMerge(baseConfig, {
+    use: {
+      baseURL: baseConfig.use.baseURL || 'localhost:3400',
+    },
+  })
+);

e2e/app-catala/tests/index.spec.ts

@@ -0,0 +1,8 @@
+import { expect, test } from '@playwright/test';
+
+test.describe('Catala API tests', () => {
+  test('should return 200 from /health', async ({ request }) => {
+    const response = await request.get('/health');
+    expect(response.status()).toBe(200);
+  });
+});

infra/app-catala/app-config/build_repository.tf

@@ -0,0 +1,20 @@
+data "external" "account_ids_by_name" {
+  program = ["${path.module}/../../../bin/account-ids-by-name"]
+}
+
+locals {
+  image_repository_name         = "${local.project_name}-${local.app_name}"
+  image_repository_region       = module.project_config.default_region
+  image_repository_account_name = module.project_config.network_configs[local.shared_network_name].account_name
+  image_repository_account_id   = data.external.account_ids_by_name.result[local.image_repository_account_name]
+
+  build_repository_config = {
+    name           = local.image_repository_name
+    region         = local.image_repository_region
+    network_name   = local.shared_network_name
+    account_name   = local.image_repository_account_name
+    account_id     = local.image_repository_account_id
+    repository_arn = "arn:aws:ecr:${local.image_repository_region}:${local.image_repository_account_id}:repository/${local.image_repository_name}"
+    repository_url = "${local.image_repository_account_id}.dkr.ecr.${local.image_repository_region}.amazonaws.com/${local.image_repository_name}"
+  }
+}

infra/app-catala/app-config/dev.tf

@@ -0,0 +1,31 @@
+module "dev_config" {
+  source                          = "./env-config"
+  project_name                    = local.project_name
+  app_name                        = local.app_name
+  default_region                  = module.project_config.default_region
+  environment                     = "dev"
+  network_name                    = "dev"
+  domain_name                     = "${local.app_name}.${module.project_config.network_configs["dev"].domain_config.hosted_zone}"
+  enable_https                    = false
+  has_database                    = local.has_database
+  has_incident_management_service = local.has_incident_management_service
+  enable_notifications            = local.enable_notifications
+  enable_document_data_extraction = local.enable_document_data_extraction
+
+  # Enable and configure identity provider.
+  enable_identity_provider = local.enable_identity_provider
+
+  # Support local development against the dev instance.
+  extra_identity_provider_callback_urls = ["http://localhost"]
+  extra_identity_provider_logout_urls   = ["http://localhost"]
+
+  # Enables ECS Exec access for debugging or jump access.
+  # See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html
+  # Defaults to `false`. Uncomment the next line to enable.
+  # enable_command_execution = true
+
+  # Uncomment to override default feature flag values
+  # feature_flag_overrides = {
+  #   BAR = true
+  # }
+}

infra/app-catala/app-config/env-config/database.tf

@@ -0,0 +1,10 @@
+locals {
+  database_config = var.has_database ? {
+    region       = var.default_region
+    cluster_name = "${var.app_name}-${var.environment}"
+
+    # Enable extensions that require the rds_superuser role to be created here
+    # See docs/infra/set-up-database.md for more information
+    superuser_extensions = {}
+  } : null
+}

infra/app-catala/app-config/env-config/document_data_extraction.tf

@@ -0,0 +1,37 @@
+locals {
+  document_data_extraction_config = var.enable_document_data_extraction ? {
+    name               = "${var.app_name}-${var.environment}"
+    input_bucket_name  = "${local.bucket_name}-dde-input"
+    output_bucket_name = "${local.bucket_name}-dde-output"
+
+    # List of blueprint file paths or ARNs
+    # File paths are relative to the service directory
+    # ARNs reference AWS-managed or existing custom blueprints
+    blueprints = [
+      "./document-data-extraction-blueprints/*"
+    ]
+
+    # BDA can only be deployed to us-east-1, us-west-2, and us-gov-west-1
+    # TODO(https://github.com/navapbc/template-infra/issues/993) Add GovCloud Support
+    bda_region = "us-east-1"
+
+    standard_output_configuration = {
+      image = {
+        extraction = {
+          bounding_box = {
+            state = "ENABLED"
+          }
+          category = {
+            state = "ENABLED"
+            types = ["TEXT_DETECTION", "LOGOS"]
+          }
+        }
+        generative_field = {
+          state = "ENABLED"
+          types = ["IMAGE_SUMMARY"]
+        }
+      }
+    }
+
+  } : null
+}

infra/app-catala/app-config/env-config/domain.tf

@@ -0,0 +1,7 @@
+locals {
+  domain_config = {
+    hosted_zone  = local.network_config.domain_config.hosted_zone
+    domain_name  = var.domain_name
+    enable_https = var.enable_https
+  }
+}

infra/app-catala/app-config/env-config/environment_variables.tf

@@ -0,0 +1,34 @@
+locals {
+  # Map from environment variable name to environment variable value
+  # This is a map rather than a list so that variables can be easily
+  # overridden per environment using terraform's `merge` function
+  default_extra_environment_variables = {
+    # Example environment variables
+    # WORKER_THREADS_COUNT    = 4
+    # LOG_LEVEL               = "info"
+    # DB_CONNECTION_POOL_SIZE = 5
+  }
+
+  # Configuration for secrets
+  # List of configurations for defining environment variables that pull from SSM parameter
+  # store. Configurations are of the format
+  # {
+  #   ENV_VAR_NAME = {
+  #     manage_method     = "generated" # or "manual" for a secret that was created and stored in SSM manually
+  #     secret_store_name = "/ssm/param/name"
+  #   }
+  # }
+  secrets = {
+    # Example generated secret
+    # RANDOM_SECRET = {
+    #   manage_method     = "generated"
+    #   secret_store_name = "/${var.app_name}-${var.environment}/random-secret"
+    # }
+
+    # Example secret that references a manually created secret
+    # SECRET_SAUCE = {
+    #   manage_method     = "manual"
+    #   secret_store_name = "/${var.app_name}-${var.environment}/secret-sauce"
+    # }
+  }
+}