added terraform templates and bootstrap cdk templates

.github/workflows/aws-bootstrap-template.yml

@@ -0,0 +1,134 @@
+name: AWS Bootstrap Workflow
+
+on:
+  workflow_call:
+    inputs:
+      CONTEXT_FOLDER:
+        required: true
+        type: string
+      ENVIRONMENT_NAME:
+        required: true
+        type: string
+      TOOLKIT_STACK_NAME:
+        required: true
+        type: string
+      QUALIFIER:
+        required: true
+        type: string      
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  check_changes:
+    name: Check Changes
+    runs-on: ubuntu-20.04
+    outputs:
+      infra_changed: ${{ steps.check_changes.outputs.infra_changed }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+      - name: Check modified folders
+        id: check_changes
+        env:
+          CONTEXT_FOLDER: ${{ inputs.CONTEXT_FOLDER }}
+          CHANGE_FOLDER_NAME: ${{ inputs.CHANGE_FOLDER_NAME }}
+        run: |            
+          echo "=============== list modified files ==============="
+          git diff --name-only HEAD^ HEAD
+          
+          echo "========== check paths of modified files =========="
+          git diff --name-only HEAD^ HEAD >> files.txt
+          infra_changed=false
+          while IFS= read -r file
+          do
+            echo $file
+            if [[ $file == $CHANGE_FOLDER_NAME/* ]]; then
+              infra_changed=true
+              break
+            fi
+          done < files.txt
+          echo "infra_changed=$infra_changed" >> "$GITHUB_OUTPUT"
+
+  
+
+  synth_deploy_state_components:
+    name: Synth and Deploy Terraform State Components
+    runs-on: ubuntu-20.04
+    environment: ${{ inputs.ENVIRONMENT_NAME }}
+    needs: [check_changes, build_push_api_auth_lambda, build_push_cdc_events_lambda, build_push_cdc_auth_lambda]
+    # if: needs.check_changes.outputs.infra_changed == 'true'
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Get AWS Account ID
+        run: echo "CDK_DEFAULT_ACCOUNT=${{ vars.AWS_ACCOUNT }}" >> $GITHUB_ENV
+
+      - name: Get AWS Region
+        run: echo "CDK_DEFAULT_REGION=${{ vars.AWS_REGION }}" >> $GITHUB_ENV
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-skip-session-tagging: true
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+          role-duration-seconds: 1800
+          role-session-name: ci-deployment
+
+
+
+      - name: Install Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20.12.2'
+
+      - name: Install NPM Modules
+        run: "npm config set engine-strict true && npm ci"
+        working-directory: ${{ inputs.CONTEXT_FOLDER }}/phsa-plms-api-svc-infra
+
+      - name: Build
+        run: "npm run build"
+        working-directory: ${{ inputs.CONTEXT_FOLDER }}/phsa-plms-api-svc-infra
+
+      - name: Install AWS CDK
+        run: "npm install -g [email protected]"
+
+      - name: CDK Bootstrap
+        env:
+          TOOLKIT_STACK_NAME: ${{ inputs.TOOLKIT_STACK_NAME }}
+          QUALIFIER: ${{ inputs.QUALIFIER }}
+          BRANCH_NAME: ${{ inputs.BRANCH_NAME }}
+          ENV_NAME: ${{ inputs.ENVIRONMENT_NAME }}          
+        run: |
+          echo "Running CDK Bootstrap"
+          npx cdk bootstrap --toolkit-stack-name $TOOLKIT_STACK_NAME --qualifier $QUALIFIER --context branch-name=$BRANCH_NAME
+        working-directory: ${{ inputs.CONTEXT_FOLDER }}
+
+      - name: CDK Synth
+        env:
+          TOOLKIT_STACK_NAME: ${{ inputs.TOOLKIT_STACK_NAME }}
+          QUALIFIER: ${{ inputs.QUALIFIER }}
+          BRANCH_NAME: ${{ inputs.BRANCH_NAME }}
+          ENV_NAME: ${{ inputs.BRANCH_NAME }}          
+        run: |
+          echo "Running CDK Synth"
+          npx cdk synth --toolkit-stack-name $TOOLKIT_STACK_NAME --qualifier $QUALIFIER --context branch-name=$BRANCH_NAME
+        working-directory: ${{ inputs.CONTEXT_FOLDER }}
+
+
+
+      - name: CDK Deploy
+        id: cdk_deploy
+        env:
+          TOOLKIT_STACK_NAME: ${{ inputs.TOOLKIT_STACK_NAME }}
+          QUALIFIER: ${{ inputs.QUALIFIER }}
+          BRANCH_NAME: ${{ inputs.BRANCH_NAME }}
+          ENV_NAME: ${{ inputs.BRANCH_NAME }}          
+        run: |
+          npx cdk deploy --toolkit-stack-name $TOOLKIT_STACK_NAME --qualifier $QUALIFIER --require-approval never --all
+        working-directory: ${{ inputs.CONTEXT_FOLDER }}
+
+

.github/workflows/aws-template-terraform.yml

@@ -0,0 +1,108 @@
+name: AWS Bootstrap Workflow
+
+on:
+  workflow_call:
+    inputs:
+      CONTEXT_FOLDER:
+        required: true
+        type: string
+      ENVIRONMENT_NAME:
+        required: true
+        type: string
+      CHANGE_FOLDER_NAME:
+        required: true
+        type: string
+      TEST_BUCKET_NAME:
+        required: true
+        type: string 
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  check_changes:
+    name: Check Changes
+    runs-on: ubuntu-20.04
+    outputs:
+      infra_changed: ${{ steps.check_changes.outputs.infra_changed }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+      - name: Check modified folders
+        id: check_changes
+        env:
+          CONTEXT_FOLDER: ${{ inputs.CONTEXT_FOLDER }}
+          CHANGE_FOLDER_NAME: ${{ inputs.CHANGE_FOLDER_NAME }}
+        run: |            
+          echo "=============== list modified files ==============="
+          git diff --name-only HEAD^ HEAD
+          
+          echo "========== check paths of modified files =========="
+          git diff --name-only HEAD^ HEAD >> files.txt
+          infra_changed=false
+          while IFS= read -r file
+          do
+            echo $file
+            if [[ $file == $CHANGE_FOLDER_NAME/* ]]; then
+              infra_changed=true
+              break
+            fi
+          done < files.txt
+          echo "infra_changed=$infra_changed" >> "$GITHUB_OUTPUT"
+
+  deploy_infra:
+    name: Deploy Infra
+    runs-on: ubuntu-latest
+    environment: 
+      name: ${{ inputs.ENVIRONMENT_NAME }}
+    needs: [check_changes]
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4    
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-skip-session-tagging: true
+        aws-region: ${{ vars.AWS_REGION }}
+        role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+        role-duration-seconds: 1800
+        role-session-name: ci-deployment
+
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: 1.9.0
+    - name: Terraform Init
+      id: init
+      env: 
+        CONTEXT_FOLDER: ${{ inputs.CONTEXT_FOLDER }}
+      run: |
+        terraform init -input=false
+      working-directory: ${{ inputs.CONTEXT_FOLDER }}
+    - name: Terraform Plan
+      id: plan
+      env: 
+        CONTEXT_FOLDER: ${{ inputs.CONTEXT_FOLDER }}
+        TF_VAR_test_s3_bucket_name: ${{ inputs.TEST_BUCKET_NAME }}
+      run: |
+        terraform plan -no-color -input=false
+      continue-on-error: true
+      working-directory: ${{ inputs.CONTEXT_FOLDER }}
+    - name: Terraform Plan Status
+      if: steps.plan.outcome == 'failure'
+      run: exit 1
+    - name: Terraform Apply
+      env: 
+        CONTEXT_FOLDER: ${{ inputs.CONTEXT_FOLDER }}
+        TF_VAR_test_s3_bucket_name: ${{ inputs.TEST_BUCKET_NAME }}
+      run: |
+        terraform apply --auto-approve -input=false
+      working-directory: ${{ inputs.CONTEXT_FOLDER }}
+
+
+
+
+

.github/workflows/deploy-infra-sandbox.yml

@@ -0,0 +1,18 @@
+name: Deploy AWS Infra to Sandbox
+
+on:
+  push:
+    branches: [feature-addAWSsetup]
+  workflow_dispatch:
+
+jobs:        
+  infrastructure_deploy_snd:
+    uses: ./.github/workflows/aws-template-terraform.yml
+    with:
+      CONTEXT_FOLDER: ./infrastructure/cloud/environments/sandbox
+      CHANGE_FOLDER_NAME: environments/sandbox
+      ENVIRONMENT_NAME: sandbox
+      TEST_BUCKET_NAME: jasper-test-bucket      
+    secrets: inherit
+
+

Makefile

@@ -0,0 +1,16 @@
+#!make
+
+
+export AWS_PROFILE ?= jasperlocal
+export AWS_DEFAULT_REGION ?= ca-central-1
+export AWS_ACCOUNT ?= 381491824201
+export TOOLKIT_STACK_NAME= CDK-Bootstrap-jasper-dev
+export QUALIFIER= jasperdev
+export BRANCH_NAME= dev
+export ENV_NAME= dev
+
+
+
+run-bootstrap-jasper:
+	@echo "Running bootstrap"
+	@cd infrastructure/jasper-aws-bootstrap && cdk bootstrap aws://$(AWS_ACCOUNT)/$(AWS_DEFAULT_REGION) --toolkit-stack-name $TOOLKIT_STACK_NAME --qualifier $QUALIFIER --profile $(AWS_PROFILE)

infrastructure/cloud/environments/sandbox/providers.tf

@@ -0,0 +1,28 @@
+terraform {
+  required_version = "~> 1.9.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+
+    tls = {
+      source  = "hashicorp/tls"
+      version = "4.0.5"
+    }
+  }
+
+  backend "s3" {
+    bucket         = "terraform-remote-state-sandbox-12345"
+    key            = "terraform.tfstate"
+    region         = "ca-central-1"
+    dynamodb_table = "terraform-remote-state-lock-12345"
+  }
+
+}
+
+
+
+provider "aws" {
+  region = "ca-central-1"
+}

infrastructure/cloud/environments/sandbox/variables.tf

@@ -0,0 +1,6 @@
+
+
+variable test_s3_bucket_name {
+  type = string
+  description = "The name of the S3 bucket to create for testing"
+}

infrastructure/cloud/environments/sandbox/webapp.tf

@@ -0,0 +1,22 @@
+
+
+locals {
+  environment = "snd"
+  application_name = "jasper-aws"
+}
+
+module "security" {
+  source = "../../../modules/security"
+  environment = local.environment
+    application_name = local.application_name
+    kms_key_name = "jasper-kms-key"
+
+}
+
+module "storage" {
+  source = "../../../modules/storage"
+  environment = local.environment
+    application_name = local.application_name
+    kms_key_name = module.security.kms_key_alias
+    test_s3_bucket_name = var.test_s3_bucket_name
+}

infrastructure/cloud/modules/security/kms.tf

@@ -0,0 +1,20 @@
+data "aws_caller_identity" "current" {}
+
+# kms key for encryption
+resource "aws_kms_key" "kms_key" {
+  description             = "KMS key for encryption"
+  deletion_window_in_days = 10
+  enable_key_rotation     = true
+    is_enabled              = true
+  #   policy                  = data.aws_iam_policy_document.kms_policy.json
+  tags = {
+    Application="${var.application_name}-${var.environment}"
+    Name="${var.kms_key_name}-${var.environment}"
+    Environment="${var.environment}"
+  }
+}
+
+resource "aws_kms_alias" "kms_alias" {
+  name          = "alias/${var.kms_key_name}-${var.environment}"
+  target_key_id = aws_kms_key.kms_key.key_id
+}

infrastructure/cloud/modules/security/outputs.tf

@@ -0,0 +1,4 @@
+
+output kms_key_alias {
+  value = aws_kms_alias.kms_alias.name
+}

infrastructure/cloud/modules/security/variables.tf

@@ -0,0 +1,19 @@
+
+
+variable application_name {
+  type = string
+  description = "The name of the application"
+  default = "bcgov-jasper-aws-bootstrap"
+}
+
+variable environment {
+  type = string
+  description = "The environment to deploy the application to"
+  default = "dev"
+}
+
+variable kms_key_name {
+  type = string
+  description = "The name of the KMS key to create"
+  default = "jasper-kms-key"
+}