shared-mcp changes

docs/IACHOWTO.md

@@ -15,11 +15,24 @@ $ tfenv use 1.3.9
 
 2. make sure you set up an `AWS_PROFILE` in your `~/.aws/confg|credentials` files for the correct account/region
 
-3. then: `cd /terraform/veda-wfs3`
+3. then: `cd /terraform/<veda-wfs3> || <veda-wfs3-shared-mcp>`
 
-4. then: `AWS_PROFILE=<account> terraform init`
+4. terraform uses s3 as a backend to store state. if this is the first run for the system then the s3 bucket needs to exist before we run `terraform init`. Run the s3 script
 
-5. we also use Terraform "workspaces" so our infra state stays nicely separated in the same S3 bucket. Some quick samples of how to interact with that:
+  ```bash
+  $ cat init.tf | grep -a2 bucket
+  }
+  backend "s3" {
+    bucket         = "veda-wfs3-shared-mcp-prod-tf-state-bucket-v1"
+    key            = "root"
+    region         = "us-west-2"
+
+  bash ./scripts/init_tf_s3_backend.sh veda-wfs3-shared-mcp-prod-tf-state-bucket-v1 us-west-2
+  ```
+
+6. if this is the first run, then execute: `AWS_PROFILE=<account> terraform init`
+
+7. we also use Terraform "workspaces" so our infra state stays nicely separated in the same S3 bucket. Some quick samples of how to interact with that:
 
 ```bash
 $ AWS_PROFILE=<account> terraform workspace list        
@@ -29,6 +42,9 @@ $ AWS_PROFILE=<account> terraform workspace list
 $ AWS_PROFILE=<account> terraform workspace select west2-staging
   default
 * west2-staging
+
+# if this is the first run you might have to create it
+$ AWS_PROFILE=<account> terraform workspace new west2-staging
 ```
 
 6. before you `plan|apply` changes make sure you `cp envtf.template .envtf.sh` and change values in there for secrets needed

envtf.template

@@ -1,18 +1,6 @@
 #!/bin/sh
-# copy and rename this file to `.envtf.sh` and fill out values below
-
-###################################################################
-# only needed if you want to run `veda-wfs3-app/cd.sh` script
-# manually as a form of CD without CI
-###################################################################
-export TARGET_ENVIRONMENT=dev
-export TARGET_PROJECT_NAME=veda-wfs3
-
-##################################################################
-# currently we don't want to encrypt/decrypt and store secrets in
-# terraform/veda-wfs3/vars/*.tf. The basic workaround then
-# is to store them in AWS Secret Manager (where they will be used
-# by TF) and pump them locally into runs through OS env var(s)
-##################################################################
-# TODO: get this from AWS secret manager and hydrate locally, the SM key is `veda-wfs3-db-config`
-export TF_VAR_db_password=''
+######################################################################
+# run `./scripts/sync-env.sh` to quickly dump secret manager values to a file
+######################################################################
+export TF_VAR_vpc_id=''
+export TF_VAR_cloudfront_distribution_id=''

scripts/init_tf_s3_backend.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+BUCKET_NAME=$1
+REGION=$2
+
+# Check if the bucket exists
+if !aws s3 ls "s3://$BUCKET_NAME" 2>&1 | grep -q 'NoSuchBucket'; then
+  echo "Bucket exists, proceeding..."
+else
+  echo "Bucket does not exist, creating now..."
+  aws s3api create-bucket --bucket $BUCKET_NAME --region $REGION --create-bucket-configuration LocationConstraint=$REGION
+fi

scripts/sync-env.sh

@@ -0,0 +1,2 @@
+echo Loading environment secrets from $1
+aws secretsmanager get-secret-value --secret-id $1 --query SecretString --output text | jq -r "to_entries|map(\"TF_VAR_\(.key)=\(.value|tostring)\")|.[]" > .envtf.sh.new

terraform/modules/aws_ecs_service/main.tf

@@ -1,12 +1,3 @@
-########################################################################
-# Data Bits
-########################################################################
-data "aws_ecr_repository" "service" {
-  count = var.use_ecr ? 1 : 0
-  name  = var.ecr_repository_name
-}
-
-
 ########################################################################
 # IAM
 ########################################################################
@@ -64,7 +55,7 @@ data "aws_iam_policy_document" "ecs_ecr_access_attachment" {
     ]
 
     resources = [
-      data.aws_ecr_repository.service[0].arn,
+      var.ecr_repository_arn,
     ]
   }
 

terraform/modules/aws_ecs_service/variables.tf

@@ -113,7 +113,8 @@ variable "use_adot_as_sidecar" {
   description = "If enabled, add ADOT task definition to existing task definitions"
 }
 
-variable "ecr_repository_name" {}
+variable "ecr_repository_arn" {}
+
 variable "image" {}
 
 variable "load_balancer" {

terraform/veda-wfs3-shared-mcp/.gitignore

@@ -0,0 +1,3 @@
+*.tfstate
+.terraform
+*.zip

terraform/veda-wfs3-shared-mcp/cloudfront_cache_policy.tf

@@ -0,0 +1,24 @@
+resource "aws_cloudfront_cache_policy" "tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad" {
+  comment     = "Policy with caching disabled"
+  default_ttl = "0"
+  max_ttl     = "0"
+  min_ttl     = "0"
+  name        = "Managed-CachingDisabled"
+
+  parameters_in_cache_key_and_forwarded_to_origin {
+    cookies_config {
+      cookie_behavior = "none"
+    }
+
+    enable_accept_encoding_brotli = "false"
+    enable_accept_encoding_gzip   = "false"
+
+    headers_config {
+      header_behavior = "none"
+    }
+
+    query_strings_config {
+      query_string_behavior = "none"
+    }
+  }
+}