Misc fixes for deployment (issue #7) (#33)

* Fix CDN-related policies * Map content type to web artifact files * Remove unnecessary VPC link from APIGW integrations * Fix typo in PostgresIAMAuth policy statement * Remove sslcert from PG URL * Fix Lambda->RDS networking * S3 backend placeholder * Configure prisma logging after client init * terraform fmt
usdigitalresponse · Dec 7, 2023 · 8788378 · 8788378
1 parent e1e9ad3
commit 8788378
Show file tree

Hide file tree

Showing 6 changed files with 72 additions and 19 deletions.
diff --git a/api/src/lib/db.ts b/api/src/lib/db.ts
@@ -50,10 +50,11 @@ async function createPrismaClient() {
     datasourceUrl: datasourceUrl,
   })
 }
-createPrismaClient()
 
-handlePrismaLogging({
-  db,
-  logger,
-  logLevels: ['info', 'warn', 'error'],
+createPrismaClient().then(() => {
+  handlePrismaLogging({
+    db,
+    logger,
+    logLevels: ['info', 'warn', 'error'],
+  })
 })
diff --git a/terraform/api_gateway.tf b/terraform/api_gateway.tf
@@ -96,14 +96,10 @@ module "api_gateway" {
 
   integrations = {
     "POST /graphql" = {
-      lambda_arn      = module.lambda_function-graphql.lambda_function_arn
-      connection_type = "VPC_LINK"
-      vpc_link        = "api-service"
+      lambda_arn = module.lambda_function-graphql.lambda_function_arn
     }
     "GET /graphql" = {
-      lambda_arn      = module.lambda_function-graphql.lambda_function_arn
-      connection_type = "VPC_LINK"
-      vpc_link        = "api-service"
+      lambda_arn = module.lambda_function-graphql.lambda_function_arn
     }
   }
 }

diff --git a/terraform/functions.tf b/terraform/functions.tf
@@ -66,6 +66,18 @@ data "aws_iam_policy_document" "read_datadog_api_key_secret" {
   }
 }
 
+module "lambda_security_group" {
+  source  = "cloudposse/security-group/aws"
+  version = "2.2.0"
+  context = module.this.context
+
+  vpc_id           = data.aws_ssm_parameter.vpc_id.value
+  attributes       = ["lambda"]
+  allow_all_egress = true
+
+  create_before_destroy = true
+}
+
 module "lambda_artifacts_bucket" {
   source  = "cloudposse/s3-bucket/aws"
   version = "4.0.1"
@@ -116,8 +128,11 @@ module "lambda_function-graphql" {
   function_name = "${var.namespace}-graphql"
   description   = "GraphQL API server for the CPF Reporter service."
 
-  vpc_subnet_ids                    = local.private_subnet_ids
-  vpc_security_group_ids            = [module.postgres.security_group_id]
+  vpc_subnet_ids = local.private_subnet_ids
+  vpc_security_group_ids = [
+    module.lambda_security_group.id,
+    module.postgres.security_group_id,
+  ]
   attach_network_policy             = true
   role_permissions_boundary         = local.permissions_boundary_arn
   attach_cloudwatch_logs_policy     = true
@@ -130,7 +145,7 @@ module "lambda_function-graphql" {
     PostgresIAMAuth = {
       effect    = "Allow"
       actions   = ["rds-db:connect"]
-      resources = "${local.postgres_rds_connect_resource_base_arn}/${module.postgres.cluster_master_username}"
+      resources = ["${local.postgres_rds_connect_resource_base_arn}/${module.postgres.cluster_master_username}"]
     }
     GetPostgresSecret = {
       effect    = "Allow"
@@ -166,7 +181,9 @@ module "lambda_function-graphql" {
       module.postgres.cluster_endpoint,
       module.postgres.cluster_port,
       module.postgres.cluster_database_name,
-      join("&", ["sslmode=verify", "sslcert=rds-combined-ca-bundle.pem"])
+      join("&", [
+        "sslmode=verify",
+      ])
     )
     DATABASE_SECRET_SOURCE             = "ssm"
     DATABASE_SECRET_SSM_PARAMETER_PATH = aws_ssm_parameter.postgres_master_password.name

diff --git a/terraform/postgres.tf b/terraform/postgres.tf
@@ -56,6 +56,12 @@ module "postgres" {
   create_security_group          = true
   create_db_subnet_group         = true
   security_group_use_name_prefix = true
+  security_group_rules = {
+    from_lambda = {
+      type                     = "ingress"
+      source_security_group_id = module.lambda_security_group.id
+    }
+  }
 
   db_parameter_group_name         = aws_db_parameter_group.postgres15.id
   db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.postgres15.id

diff --git a/terraform/versions.tf b/terraform/versions.tf
@@ -19,4 +19,6 @@ terraform {
       version = "3.5.1"
     }
   }
+
+  backend "s3" {}
 }
diff --git a/terraform/web.tf b/terraform/web.tf
@@ -14,7 +14,7 @@ module "cloudfront_to_origin_bucket_access_policy" {
           "${module.cdn_origin_bucket.bucket_arn}/${local.website_content_origin_path}/*",
           "${module.cdn_origin_bucket.bucket_arn}/${local.website_config_object_key}",
         ]
-        principles = [
+        principals = [
           {
             type        = "AWS"
             identifiers = [aws_cloudfront_origin_access_identity.default.iam_arn]
@@ -107,7 +107,7 @@ module "cdn_logs_bucket" {
         },
       ]
       expiration = {
-        days = var.log_retention_in_days
+        days = 90
       }
       noncurrent_version_transition = [
         {
@@ -116,7 +116,7 @@ module "cdn_logs_bucket" {
         },
       ]
       noncurrent_version_expiration = {
-        noncurrent_days = var.log_retention_in_days
+        noncurrent_days = 90
       }
     }
   ]
@@ -141,6 +141,35 @@ locals {
     var.website_origin_artifacts_dist_path,
     "${path.module}/../web/dist"
   )
+
+  extension_mime_types = {
+    bmp    = "image/bmp"
+    css    = "text/css"
+    csv    = "text/csv"
+    gif    = "image/gif"
+    htm    = "text/html"
+    html   = "text/html"
+    ico    = "image/vnd.microsoft.icon"
+    jpeg   = "image/jpeg"
+    jpg    = "image/jpeg"
+    js     = "text/javascript"
+    json   = "application/json"
+    jsonld = "application/ld+json"
+    otf    = "font/otf"
+    pdf    = "application/pdf"
+    png    = "image/png"
+    svg    = "image/svg+xml"
+    tif    = "image/tiff"
+    tiff   = "image/tiff"
+    ttf    = "font/ttf"
+    txt    = "text/plain"
+    woff   = "font/woff"
+    woff2  = "font/woff2"
+    xls    = "application/vnd.ms-excel"
+    xlsx   = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
+    xml    = "application/xml"
+    webp   = "image/webp"
+  }
 }
 
 resource "aws_s3_object" "website_deploy_config" {
@@ -150,6 +179,7 @@ resource "aws_s3_object" "website_deploy_config" {
   etag                   = md5(local.website_config_object_contents)
   source_hash            = md5(local.website_config_object_contents)
   server_side_encryption = "AES256"
+  content_type           = "text/javascript"
 
   depends_on = [module.cdn_origin_bucket]
 }
@@ -158,11 +188,12 @@ resource "aws_s3_object" "origin_dist_artifact" {
   for_each = fileset(local.website_origin_artifacts_dist_path, "**")
 
   bucket                 = module.cdn_origin_bucket.bucket_id
-  key                    = "${local.website_origin_artifacts_dist_path}/${each.value}"
+  key                    = "${local.website_content_origin_path}/${each.value}"
   source                 = "${local.website_origin_artifacts_dist_path}/${each.value}"
   source_hash            = filemd5("${local.website_origin_artifacts_dist_path}/${each.value}")
   etag                   = filemd5("${local.website_origin_artifacts_dist_path}/${each.value}")
   server_side_encryption = "AES256"
+  content_type           = local.extension_mime_types[reverse(split(".", each.value))[0]]
 
   depends_on = [module.cdn_origin_bucket]
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -19,4 +19,6 @@ terraform { @@
           version = "3.5.1"
         }
       }
+      backend "s3" {}
     }