added tfvars and deploy script

README.md

@@ -97,7 +97,7 @@ To run all the tests in the project, run the following from the root folder
 $ yarn test
 ```
 
-### Running lintint/formatting
+### Running linting/formatting
 
 To check for linting issues from ESLint and fix what's possible, from the root folder run the following
 
@@ -111,6 +111,28 @@ To format the code appropriately with Prettier (don't need this if format on sav
 $ yarn format
 ```
 
+## Deployment (WIP)
+
+The boilerplate is designed to be easily deployed on [AWS ECS](https://aws.amazon.com/ecs/) using [Terraform](https://www.terraform.io).
+
+You will need to [install Terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli) first. For Mac users, we recommend following the Homebrew installation.
+
+You will then need to create a file called `.auto.tfvars`, and you can follow the format as in the `.auto.tfvars.example` file. Variables in here correspond to the same environment variables in the `server` folder, except for `aws_account_id` which is the account ID for your AWS account (can be found by clicking your username in the top-right of the AWS console).
+
+To deploy, run
+
+```
+./deploy.sh
+```
+
+To tear down all infrastructure, run
+
+```
+terraform destroy
+```
+
+Due to the new (as of early 2024) nature of this AWS configuration, if you are encountering issues with deploying the project on AWS, then please use the old boilerplate and deploy on Heroku or another cloud platform as we have done in the past.
+
 ## Common Problems
 
 Fill in with problem scenario + solution as they arise

infrastructure/.auto.tfvars.example

@@ -0,0 +1,2 @@
+atlas_uri = ""
+aws_account_id = ""

infrastructure/.gitignore

@@ -1,3 +1,5 @@
 .terraform
 terraform.tfstate
-terraform.tfstate.backup
+terraform.tfstate.backup
+
+.auto.tfvars

infrastructure/deploy.sh

@@ -0,0 +1,3 @@
+terraform init
+terraform plan -out=tfplan -input=false
+terraform apply -input=false tfplan

infrastructure/main.tf

@@ -18,15 +18,6 @@ locals {
 provider "aws" {
   region = var.region
 }
-
-data "aws_secretsmanager_secret" "github_pat" {
-  name = "github-pat"
-}
-
-data "aws_secretsmanager_secret_version" "current_github_pat" {
-  secret_id = data.aws_secretsmanager_secret.github_pat.id
-}
-
 resource "aws_ecs_cluster" "cluster" {
   name = var.cluster_name
 
@@ -49,7 +40,7 @@ resource "aws_ecs_task_definition" "app" {
   requires_compatibilities = ["FARGATE"]
   cpu                      = "512"  # Adjust based on your needs
   memory                   = "2048" # Adjust based on your needs
-  execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
+  execution_role_arn       = data.aws_iam_role.ecs_task_execution_role.arn
 
   container_definitions = jsonencode([
     {
@@ -88,7 +79,7 @@ resource "aws_ecs_task_definition" "app" {
         }
       ],
       environment = [
-        { "name" : "ATLAS_URI", "value" : "<fill in>" },
+        { "name" : "ATLAS_URI", "value" : var.atlas_uri },
         { "name" : "COOKIE_SECRET", "value" : "any-string" },
         { "name" : "SENDGRID_API_KEY", "value" : "SG.sendgrid-api-key-from-above" },
         { "name" : "SENDGRID_EMAIL_ADDRESS", "value" : "sendgrid-sender-identity-email-from-above" }
@@ -113,67 +104,78 @@ resource "aws_ecs_service" "app_service" {
   launch_type     = "FARGATE"
 
   network_configuration {
-    subnets          = ["fill in", "fill in"]
+    subnets          = ["subnet here", "subnet here"]
     assign_public_ip = true
   }
 }
 
 # So that the ECS role can execute tasks
-resource "aws_iam_role" "ecs_task_execution_role" {
+# For CREATING a role
+# resource "aws_iam_role" "ecs_task_execution_role" {
+#   name = "ecs_task_execution_role"
+
+#   assume_role_policy = jsonencode({
+#     Version = "2012-10-17"
+#     Statement = [
+#       {
+#         Action = "sts:AssumeRole"
+#         Effect = "Allow"
+#         Principal = {
+#           Service = "ecs-tasks.amazonaws.com"
+#         }
+#       },
+#     ]
+#   })
+# }
+
+# For CREATING a policy
+# resource "aws_iam_policy" "cloudwatch_logs_policy" {
+#   name        = "ECSLogsPolicy"
+#   description = "Allow ECS Task Execution Role to push logs to CloudWatch"
+
+#   policy = jsonencode({
+#     Version = "2012-10-17",
+#     Statement = [
+#       {
+#         Effect = "Allow",
+#         Action = [
+#           "logs:CreateLogStream",
+#           "logs:CreateLogGroup"
+#         ],
+#         Resource = "arn:aws:logs:*:*:*"
+#       },
+#       {
+#         Effect = "Allow",
+#         Action = [
+#           "logs:PutLogEvents"
+#         ],
+#         Resource = [
+#           "arn:aws:logs:*:*:log-group:/ecs/*:log-stream:*",
+#           "arn:aws:logs:*:*:log-group:/ecs/*"
+#         ]
+#       }
+#     ]
+#   })
+# }
+
+# existing role/policy
+data "aws_iam_role" "ecs_task_execution_role" {
   name = "ecs_task_execution_role"
-
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action = "sts:AssumeRole"
-        Effect = "Allow"
-        Principal = {
-          Service = "ecs-tasks.amazonaws.com"
-        }
-      },
-    ]
-  })
 }
 
-resource "aws_iam_policy" "cloudwatch_logs_policy" {
-  name        = "ECSLogsPolicy"
-  description = "Allow ECS Task Execution Role to push logs to CloudWatch"
-
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Effect = "Allow",
-        Action = [
-          "logs:CreateLogStream",
-          "logs:CreateLogGroup"
-        ],
-        Resource = "arn:aws:logs:*:*:*"
-      },
-      {
-        Effect = "Allow",
-        Action = [
-          "logs:PutLogEvents"
-        ],
-        Resource = [
-          "arn:aws:logs:*:*:log-group:/ecs/*:log-stream:*",
-          "arn:aws:logs:*:*:log-group:/ecs/*"
-        ]
-      }
-    ]
-  })
+data "aws_iam_policy" "cloudwatch_logs_policy" {
+  arn = "arn:aws:iam::${var.aws_account_id}:policy/ECSLogsPolicy"
 }
 
 
 
 # Attach the policies to the role
 resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy" {
-  role       = aws_iam_role.ecs_task_execution_role.name
+  role       = data.aws_iam_role.ecs_task_execution_role.name
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
 
 resource "aws_iam_role_policy_attachment" "cloudwatch_logs_policy_attachment" {
-  role       = aws_iam_role.ecs_task_execution_role.name
-  policy_arn = aws_iam_policy.cloudwatch_logs_policy.arn
+  role       = data.aws_iam_role.ecs_task_execution_role.name
+  policy_arn = data.aws_iam_policy.cloudwatch_logs_policy.arn
 }

infrastructure/variables.tf

@@ -9,7 +9,7 @@ variable "github_repo_name" {
 }
 
 variable "region" {
-  default     = "us-east-2"
+  default     = "us-east-1"
   type        = string
   description = "Launch region for the ECS cluster"
 }
@@ -20,3 +20,10 @@ variable "cluster_name" {
   description = "Name of the ECS cluster"
 }
 
+variable "atlas_uri" {
+  type = string
+}
+
+variable "aws_account_id" {
+  type = string
+}