import sponsor-app//tfmod

Author: sorah

tf/sponsor-app/.mairu.json

@@ -0,0 +1,4 @@
+{
+  "server": "https://amc.rubykaigi.net/api/remote/",
+  "role": "arn:aws:iam::005216166247:role/OrgzAdmin"
+}

tf/sponsor-app/.terraform.lock.hcl

@@ -0,0 +1,5 @@
+data "aws_acm_certificate" "use1-sponsorships-rk-o" {
+  provider    = aws.use1
+  domain      = "sponsorships.rubykaigi.org"
+  most_recent = true
+}

tf/sponsor-app/acm.tf

@@ -0,0 +1,37 @@
+data "aws_caller_identity" "current" {}
+
+locals {
+  aws_account_id = "005216166247"
+}
+
+provider "aws" {
+  region              = "us-west-2"
+  allowed_account_ids = [local.aws_account_id]
+  default_tags {
+    tags = {
+      Project = "sponsor-app"
+    }
+  }
+}
+
+provider "aws" {
+  alias               = "use1"
+  region              = "us-east-1"
+  allowed_account_ids = [local.aws_account_id]
+  default_tags {
+    tags = {
+      Project = "sponsor-app"
+    }
+  }
+}
+
+provider "aws" {
+  alias               = "apne1"
+  region              = "ap-northeast-1"
+  allowed_account_ids = [local.aws_account_id]
+  default_tags {
+    tags = {
+      Project = "sponsor-app"
+    }
+  }
+}

tf/sponsor-app/aws.tf

@@ -0,0 +1,9 @@
+terraform {
+  backend "s3" {
+    bucket               = "rk-infra"
+    workspace_key_prefix = "terraform"
+    key                  = "terraform/sponsor-app.tfstate"
+    region               = "ap-northeast-1"
+    use_lockfile         = true
+  }
+}

tf/sponsor-app/backend.tf

@@ -0,0 +1,31 @@
+module "dev" {
+  source = "../../../sponsor-app/tfmod"
+
+  providers = {
+    aws       = aws
+    aws.use1  = aws.use1
+    aws.apne1 = aws.apne1
+  }
+
+  environment               = "dev"
+  service_name              = "sponsor-app-dev"
+  sqs_name_suffix           = "dev"
+  iam_role_prefix           = "SponsorAppDev"
+  iam_apprunner_access_name = "AppraSponsorAppDev"
+
+  s3_bucket_name = "rk-sponsorship-files-dev"
+  s3_cors_origins = [
+    "http://localhost:13000",
+    "http://localhost:13010",
+    "http://localhost:3000",
+    "https://amc.rubykaigi.net",
+  ]
+
+  enable_cloudfront       = false
+  enable_sqs              = false
+  enable_apprunner        = false
+  enable_amc_oidc         = true
+  enable_shared_resources = false
+
+  github_actions_sub = "repo:ruby-no-kai/sponsor-app:ref:refs/heads/master"
+}

tf/sponsor-app/dev.tf

@@ -0,0 +1,185 @@
+# State migration from sponsor-app/tf to module-based structure
+
+# ECR (shared, goes to prd module with [0])
+moved {
+  from = aws_ecr_repository.app
+  to   = module.prd.aws_ecr_repository.app[0]
+}
+
+moved {
+  from = aws_ecr_lifecycle_policy.app
+  to   = module.prd.aws_ecr_lifecycle_policy.app[0]
+}
+
+# S3 - Production bucket and configs
+moved {
+  from = aws_s3_bucket.files-prd
+  to   = module.prd.aws_s3_bucket.files
+}
+
+moved {
+  from = aws_s3_bucket_public_access_block.files["prd"]
+  to   = module.prd.aws_s3_bucket_public_access_block.files
+}
+
+moved {
+  from = aws_s3_bucket_versioning.files["prd"]
+  to   = module.prd.aws_s3_bucket_versioning.files
+}
+
+moved {
+  from = aws_s3_bucket_lifecycle_configuration.files["prd"]
+  to   = module.prd.aws_s3_bucket_lifecycle_configuration.files
+}
+
+moved {
+  from = aws_s3_bucket_accelerate_configuration.files["prd"]
+  to   = module.prd.aws_s3_bucket_accelerate_configuration.files
+}
+
+moved {
+  from = aws_s3_bucket_cors_configuration.files-prd
+  to   = module.prd.aws_s3_bucket_cors_configuration.files
+}
+
+# S3 - Development bucket and configs
+moved {
+  from = aws_s3_bucket.files-dev
+  to   = module.dev.aws_s3_bucket.files
+}
+
+moved {
+  from = aws_s3_bucket_public_access_block.files["dev"]
+  to   = module.dev.aws_s3_bucket_public_access_block.files
+}
+
+moved {
+  from = aws_s3_bucket_versioning.files["dev"]
+  to   = module.dev.aws_s3_bucket_versioning.files
+}
+
+moved {
+  from = aws_s3_bucket_lifecycle_configuration.files["dev"]
+  to   = module.dev.aws_s3_bucket_lifecycle_configuration.files
+}
+
+moved {
+  from = aws_s3_bucket_accelerate_configuration.files["dev"]
+  to   = module.dev.aws_s3_bucket_accelerate_configuration.files
+}
+
+moved {
+  from = aws_s3_bucket_cors_configuration.files-dev
+  to   = module.dev.aws_s3_bucket_cors_configuration.files
+}
+
+# SQS (production only)
+moved {
+  from = aws_sqs_queue.activejob-prd
+  to   = module.prd.aws_sqs_queue.activejob[0]
+}
+
+moved {
+  from = aws_sqs_queue.activejob-dlq-prd
+  to   = module.prd.aws_sqs_queue.activejob-dlq[0]
+}
+
+# App Runner (production only)
+moved {
+  from = aws_apprunner_service.prd
+  to   = module.prd.aws_apprunner_service.prd[0]
+}
+
+# CloudFront (production only)
+moved {
+  from = aws_cloudfront_distribution.prd
+  to   = module.prd.aws_cloudfront_distribution.prd[0]
+}
+
+# CloudWatch Log Groups (shared, goes to prd module with [0])
+moved {
+  from = aws_cloudwatch_log_group.worker
+  to   = module.prd.aws_cloudwatch_log_group.worker[0]
+}
+
+moved {
+  from = aws_cloudwatch_log_group.batch
+  to   = module.prd.aws_cloudwatch_log_group.batch[0]
+}
+
+# IAM - Production App Role
+moved {
+  from = aws_iam_role.SponsorApp
+  to   = module.prd.aws_iam_role.SponsorApp
+}
+
+moved {
+  from = aws_iam_role_policy.SponsorApp
+  to   = module.prd.aws_iam_role_policy.SponsorApp
+}
+
+# IAM - Development App Role
+moved {
+  from = aws_iam_role.SponsorAppDev
+  to   = module.dev.aws_iam_role.SponsorApp
+}
+
+moved {
+  from = aws_iam_role_policy.SponsorAppDev
+  to   = module.dev.aws_iam_role_policy.SponsorApp
+}
+
+# IAM - Production User Role (S3 uploads)
+moved {
+  from = aws_iam_role.SponsorAppUser
+  to   = module.prd.aws_iam_role.SponsorAppUser
+}
+
+moved {
+  from = aws_iam_role_policy.SponsorAppUser
+  to   = module.prd.aws_iam_role_policy.SponsorAppUser
+}
+
+# IAM - Development User Role (S3 uploads)
+moved {
+  from = aws_iam_role.SponsorAppDevUser
+  to   = module.dev.aws_iam_role.SponsorAppUser
+}
+
+moved {
+  from = aws_iam_role_policy.SponsorAppDevUser
+  to   = module.dev.aws_iam_role_policy.SponsorAppUser
+}
+
+# IAM - App Runner Access Role (ECR pull)
+moved {
+  from = aws_iam_role.app-runner-access
+  to   = module.prd.aws_iam_role.app-runner-access[0]
+}
+
+moved {
+  from = aws_iam_role_policy.app-runner-access
+  to   = module.prd.aws_iam_role_policy.app-runner-access[0]
+}
+
+# IAM - ECS Task Execution Role (shared, goes to prd module with [0])
+moved {
+  from = aws_iam_role.EcsExecSponsorApp
+  to   = module.prd.aws_iam_role.EcsExecSponsorApp[0]
+}
+
+moved {
+  from = aws_iam_role_policy.EcsExecSponsorApp
+  to   = module.prd.aws_iam_role_policy.EcsExecSponsorApp[0]
+}
+
+# IAM - GitHub Actions Deployment Role (shared, goes to prd module with [0])
+moved {
+  from = aws_iam_role.GhaSponsorDeploy
+  to   = module.prd.aws_iam_role.GhaSponsorDeploy[0]
+}
+
+moved {
+  from = aws_iam_role_policy.GhaSponsorDeploy
+  to   = module.prd.aws_iam_role_policy.GhaSponsorDeploy[0]
+}

tf/sponsor-app/moved.tf

@@ -0,0 +1,32 @@
+module "prd" {
+  source = "../../../sponsor-app/tfmod"
+
+  providers = {
+    aws       = aws
+    aws.use1  = aws.use1
+    aws.apne1 = aws.apne1
+  }
+
+  environment               = "production"
+  service_name              = "sponsor-app"
+  sqs_name_suffix           = "prd"
+  iam_role_prefix           = "SponsorApp"
+  iam_apprunner_access_name = "AppraSponsorApp"
+
+  s3_bucket_name  = "rk-sponsorship-files-prd"
+  s3_cors_origins = ["https://sponsorships.rubykaigi.org"]
+
+  enable_cloudfront = true
+  enable_sqs        = true
+  enable_apprunner  = true
+  enable_amc_oidc   = false
+  enable_shared_resources = true
+
+  app_domain            = "sponsorships.rubykaigi.org"
+  certificate_arn       = data.aws_acm_certificate.use1-sponsorships-rk-o.arn
+  cloudfront_log_bucket = "rk-aws-logs.s3.amazonaws.com"
+  cloudfront_log_prefix = "cf/sponsorships.rubykaigi.org/"
+  cloudfront_comment    = "sponsor-app"
+
+  github_actions_sub = "repo:ruby-no-kai/sponsor-app:environment:production"
+}

tf/sponsor-app/prd.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+  }
+  required_version = ">= 0.13"
+}