Build with CodeBuild instead of BB Pipelines. Utilise terraform-modules. Add Dockerfile. Bump packages.

Author: jch254

Dockerfile

@@ -0,0 +1,14 @@
+FROM node:8-alpine
+WORKDIR /app
+
+COPY package.json yarn.lock ./
+RUN yarn install
+
+ENV SERVER_HOSTNAME=0.0.0.0
+
+COPY server.ts tsconfig.json tslint.json webpack.config.ts webpack.prod.config.ts ./
+COPY src src
+
+EXPOSE 3001/tcp
+
+ENTRYPOINT ["yarn", "run", "dev"]

README.md

@@ -2,11 +2,7 @@
 
 [Bitbucket Pipelines status](https://bitbucket.org/jch254/serverless-node-dynamodb-ui/addon/pipelines/home)
 
-A simple React/Redux-powered UI to front a simple [Serverless API](https://github.com/jch254/serverless-node-dynamodb-api). This project utilises [TypeScript for type checking](https://www.youtube.com/watch?v=V1po0BT7kac) and transpliation to browser-friendly ES5 JavaScript.
-
-Auth0 handles authentication. Users must sign up/login to generate an auth token and gain access to the secured area. All endpoints in the API check validity of the auth token and return unauthorised if invalid, the UI then prompts the user to log in again. The API also determines the identity of the user via the auth token.
-
-This project is deployed to AWS on S3, CloudFront is used as a CDN and Route 53 is used for DNS. All infrastructure is defined as code in the [/infrastructure](infrastructure) directory. Manual steps suck so this project uses Bitbucket Pipelines to automate the build and deployment to AWS - see [bitbucket-pipelines.yml](bitbucket-pipelines.yml). AWS credentials are set using [Bitbucket Pipelines environment variables](https://confluence.atlassian.com/bitbucket/environment-variables-in-bitbucket-pipelines-794502608.html).
+React/Redux-powered UI to front [Serverless API](https://github.com/jch254/serverless-node-dynamodb-api). This project utilises [TypeScript for type checking](https://www.youtube.com/watch?v=V1po0BT7kac) and transpliation to browser-friendly ES5 JavaScript. Auth0 handles authentication. Users must sign up/login to generate an auth token and gain access to the secured area. All endpoints in the API check validity of the auth token and return unauthorised if invalid, the UI then prompts the user to log in again. The API also determines the identity of the user via the auth token.
 
 ### Main technologies used
 
@@ -37,6 +33,14 @@ yarn install
 yarn run dev
 ```
 
+### Running development version locally in Docker container
+1. Run the following commands in the app's root directory then submit requests to http://localhost:3001.
+
+```
+docker build -t sls-api .
+docker run -p 3001:3001 -e AUTH0_CLIENT_ID=YOUR_CLIENT_ID -e AUTH0_DOMAIN=YOUR_DOMAIN -e API_BASE_URI=YOUR_API sls-api
+```
+
 ### Building the production version
 1. Run the following commands in the app's root directory then check the /dist folder
 

bitbucket-pipelines.yml

@@ -0,0 +1,44 @@
+# All commands below are run from root directory of repository by CodeBuild
+version: 0.2
+
+env:
+  variables:
+    TF_VAR_region: "ap-southeast-2"
+    TF_VAR_name: "serverless-node-dynamodb-ui"
+    TF_VAR_kms_key_arns: '["arn:aws:kms:ap-southeast-2:982898479788:key/0ec9686b-13a1-40fc-8256-86e8d3503e9c"]'
+    TF_VAR_ssm_parameter_arns: '["arn:aws:ssm:ap-southeast-2:982898479788:parameter/shared/*","arn:aws:ssm:ap-southeast-2:982898479788:parameter/serverless-node-dynamodb-ui/*"]'
+    TF_VAR_build_docker_image: "jch254/docker-node-terraform-aws"
+    TF_VAR_build_docker_tag: "latest"
+    TF_VAR_buildspec: "buildspec.yml"
+    TF_VAR_source_location: "https://github.com/jch254/serverless-node-dynamodb-ui.git"
+    TF_VAR_bucket_name: "serverless-api.603.nu"
+    TF_VAR_dns_names: '["serverless-api.603.nu"]'
+    TF_VAR_route53_zone_id: "ZS32KHT5LS4PR"
+    TF_VAR_acm_arn: "arn:aws:acm:us-east-1:982898479788:certificate/2367a831-34bd-4d81-bb17-2f79d08329a6"
+    AUTH0_CLIENT_ID: "PabWYDl71ibZ920e3XjoPIe0QoJVrhtY"
+    AUTH0_DOMAIN: "603.au.auth0.com"
+    API_BASE_URI: "https://sls-api.603.nu"
+    REMOTE_STATE_BUCKET: "603-terraform-remote-state"
+  parameter-store:
+    GA_ID: "/serverless-node-dynamodb-ui/ga-id"
+
+phases:
+  install:
+    commands:
+      # Workaround until CodeBuild/CodePipeline retains file permissions
+      - find ./infrastructure -name "*.bash" -exec chmod +x {} \;
+      - ./infrastructure/install.bash
+
+  pre_build:
+    commands:
+      # Workaround until TF supports creds via Task Roles when running on ECS or CodeBuild
+      # See: https://github.com/hashicorp/terraform/issues/8746
+      - export AWS_ACCESS_KEY_ID=`curl --silent http://169.254.170.2:80$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI | jq -r '.AccessKeyId'`
+      - export AWS_SECRET_ACCESS_KEY=`curl --silent http://169.254.170.2:80$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI | jq -r '.SecretAccessKey'`
+      - export AWS_SESSION_TOKEN=`curl --silent http://169.254.170.2:80$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI | jq -r '.Token'`
+
+  build:
+    commands:
+      - ./infrastructure/build-artifacts.bash
+      - ./infrastructure/deploy-infrastructure.bash
+      - ./infrastructure/upload-artifacts.bash

buildspec.yml

@@ -1,8 +1,8 @@
 # Deployment/Infrastructure
 
-This project is deployed to AWS on S3. CloudFront is used as a CDN. Route 53 is used for DNS.
+This project is built, tested and deployed to AWS by [codebuild-github-webhook](https://github.com/jch254/codebuild-github-webhook) and CodeBuild. Artifacts are served from S3. CloudFront is used as a CDN. Route 53 is used for DNS.
 
---
+---
 
 ### Deployment Prerequisites
 
@@ -15,33 +15,49 @@ To deploy to AWS, you must:
    1. Set your credentials as the environment variables `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.
    1. Run `aws configure` and fill in the details it asks for.
    1. Run on an EC2 instance with an IAM Role.
-   1. Run via CodeBuild or ECS Task with an IAM Role.
- 1. Update the S3 backend in [main.tf](main.tf):
- ```
-terraform {
-   backend "s3" {
-      bucket = "YOUR_S3_BUCKET"
-      key = "serverless-node-dynamodb-ui.tfstate"
-      region = "YOUR_REGION"
-      encrypt= "true"
-   }
-}
-```
+   1. Run via CodeBuild or ECS Task with an IAM Role (see [buildspec-test.yml](../buildspec-test.yml) for workaround)
 
 #### Deploying infrastructure
 
-1. `terraform init`
-1. `terraform plan -var-file main.tfvars -out main.tfplan`
+1. Update and export all environment variables specified in the appropriate buildspec declaration (check all phases) and bash scripts
+1. Initialise Terraform:
+```
+terraform init \
+  -backend-config 'bucket=YOUR_S3_BUCKET' \
+  -backend-config 'key=YOUR_S3_KEY' \
+  -backend-config 'region=YOUR_REGION' \
+  -get=true \
+  -upgrade=true
+```
+1. `terraform plan -out main.tfplan`
 1. `terraform apply main.tfplan`
 
 #### Updating infrastructure
 
+1. Update and export all environment variables specified in the appropriate buildspec declaration (check all phases) and bash scripts
 1. Make necessary infrastructure code changes.
-1. `terraform init`
-1. `terraform plan -var-file main.tfvars -out main.tfplan`
+1. Initialise Terraform:
+```
+terraform init \
+  -backend-config 'bucket=YOUR_S3_BUCKET' \
+  -backend-config 'key=YOUR_S3_KEY' \
+  -backend-config 'region=YOUR_REGION' \
+  -get=true \
+  -upgrade=true
+```
+1. `terraform plan -out main.tfplan`
 1. `terraform apply main.tfplan`
 
 #### Destroying infrastructure (use with care)
 
-1. `terraform init`
-1. `terraform destroy -var-file main.tfvars`
+1. Update and export all environment variables specified in the appropriate buildspec declaration (check all phases) and bash scripts
+1. Initialise Terraform:
+```
+terraform init \
+  -backend-config 'bucket=YOUR_S3_BUCKET' \
+  -backend-config 'key=YOUR_S3_KEY' \
+  -backend-config 'region=YOUR_REGION' \
+  -get=true \
+  -upgrade=true
+```
+1. `terraform destroy`

infrastructure/README.md

@@ -1,5 +1,7 @@
 #!/bin/bash -ex
 
-yarn install
-export API_BASE_URI="https://sls-api.603.nu"
+echo Building artifacts...
+
 yarn run build
+
+echo Finished building artifacts

infrastructure/build-artifacts.bash

@@ -0,0 +1,36 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Resource": [
+        "*"
+      ],
+      "Action": [
+        "logs:*",
+        "s3:*",
+        "codebuild:*",
+        "codepipeline:*",
+        "cloudwatch:*",
+        "cloudfront:*",
+        "route53:*",
+        "iam:*",
+        "ssm:DescribeParameters"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "kms:Decrypt"
+      ],
+      "Resource": ${kms_key_arns}
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ssm:GetParameters"
+      ],
+      "Resource": ${ssm_parameter_arns}
+    }
+  ]
+}

infrastructure/codebuild-role-policy.tpl

@@ -1,7 +1,16 @@
 #!/bin/bash -ex
 
+echo Deploying infrastructure via Terraform...
+
 cd infrastructure
-terraform init
-terraform plan -var-file main.tfvars -out main.tfplan
+terraform init \
+  -backend-config "bucket=${REMOTE_STATE_BUCKET}" \
+  -backend-config "key=${TF_VAR_name}" \
+  -backend-config "region=${TF_VAR_region}" \
+  -get=true \
+  -upgrade=true
+terraform plan -out main.tfplan
 terraform apply main.tfplan
 cd ..
+
+echo Finished deploying infrastructure

infrastructure/deploy-infrastructure.bash

@@ -0,0 +1,7 @@
+#!/bin/bash -ex
+
+echo Installing dependencies...
+
+yarn install
+
+echo Finished installing dependencies

infrastructure/install.bash

@@ -1,8 +1,5 @@
 terraform {
   backend "s3" {
-    bucket = "603-terraform-remote-state"
-    key = "serverless-node-dynamodb-ui.tfstate"
-    region = "ap-southeast-2"
     encrypt= "true"
   }
 }
@@ -12,86 +9,57 @@ provider "aws" {
   version = "~> 0.1"
 }
 
-resource "aws_s3_bucket" "apex_bucket" {
-  bucket = "${var.dns_name}"
-  acl = "public-read"
-  force_destroy = true
+resource "aws_iam_role" "codebuild_role" {
+  name = "${var.name}-codebuild"
 
-  policy = <<POLICY
+  assume_role_policy = <<EOF
 {
-  "Version":"2012-10-17",
-  "Statement":[{
-    "Sid":"PublicReadForGetBucketObjects",
-    "Effect":"Allow",
-    "Principal": "*",
-    "Action":"s3:GetObject",
-    "Resource":["arn:aws:s3:::${var.dns_name}/*"]
-  }]
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "codebuild.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
 }
-POLICY
 
-  website {
-    index_document = "index.html"
-    error_document = "index.html"
+data "template_file" "codebuild_policy" {
+  template = "${file("./codebuild-role-policy.tpl")}"
+
+  vars {
+    kms_key_arns = "${var.kms_key_arns}"
+    ssm_parameter_arns = "${var.ssm_parameter_arns}"
   }
 }
 
-resource "aws_cloudfront_distribution" "cdn" {
-  origin {
-    domain_name = "${aws_s3_bucket.apex_bucket.website_endpoint}"
-    origin_id = "apex_bucket_origin"
-    custom_origin_config {
-      http_port = "80"
-      https_port = "443"
-      origin_protocol_policy = "http-only"
-      origin_ssl_protocols = ["TLSv1", "TLSv1.1", "TLSv1.2"]
-    }
-  }
-  enabled = true
-  aliases = ["${var.dns_name}"]
-  custom_error_response {
-    error_code = "404"
-    response_code = "200"
-    response_page_path ="/index.html"
-  }
-  price_class = "PriceClass_All"
-  default_cache_behavior {
-    allowed_methods = [ "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT" ]
-    cached_methods = [ "GET", "HEAD" ]
-    target_origin_id = "apex_bucket_origin"
-    forwarded_values {
-      query_string = true
-      headers = ["*"]
-      cookies {
-        forward = "all"
-      }
-    }
-    viewer_protocol_policy = "redirect-to-https"
-    compress = true
-    min_ttl = 0
-    default_ttl = 3600
-    max_ttl = 86400
-  }
-  viewer_certificate {
-    acm_certificate_arn = "${var.acm_arn}"
-    ssl_support_method = "sni-only"
-    minimum_protocol_version = "TLSv1"
-  }
-  restrictions {
-    geo_restriction {
-      restriction_type = "none"
-    }
-  }
+resource "aws_iam_role_policy" "codebuild_policy" {
+  name = "${var.name}-codebuild-policy"
+  role = "${aws_iam_role.codebuild_role.id}"
+  policy = "${data.template_file.codebuild_policy.rendered}"
 }
 
-resource "aws_route53_record" "apex_route53_record" {
-  zone_id = "${var.route53_zone_id}"
-  name = "${var.dns_name}"
-  type = "A"
+module "codebuild_project" {
+  source = "github.com/jch254/terraform-modules//codebuild-project?ref=1.0.0"
 
-  alias {
-    name = "${aws_cloudfront_distribution.cdn.domain_name}"
-    zone_id = "${aws_cloudfront_distribution.cdn.hosted_zone_id}"
-    evaluate_target_health = false
-  }
+  name = "${var.name}"
+  codebuild_role_arn = "${aws_iam_role.codebuild_role.arn}"
+  build_docker_image = "${var.build_docker_image}"
+  build_docker_tag = "${var.build_docker_tag}"
+  source_type = "${var.source_type}"
+  buildspec = "${var.buildspec}"
+  source_location = "${var.source_location}"
+}
+
+module "webapp" {
+  source = "github.com/jch254/terraform-modules//web-app?ref=1.0.0"
+
+  bucket_name = "${var.bucket_name}"
+  dns_names = "${var.dns_names}"
+  route53_zone_id = "${var.route53_zone_id}"
+  acm_arn = "${var.acm_arn}"
 }