feat: oonifindings container deployment (#57)

This diff creates a new ECS deployment for the `oonifindings` service.
We can land this after we have ooni/backend#850
working.

---------

Co-authored-by: decfox <[email protected]>

tf/environments/dev/main.tf

@@ -275,9 +275,9 @@ module "ooniapi_cluster" {
   vpc_id     = module.network.vpc_id
   subnet_ids = module.network.vpc_subnet_private[*].id
 
-  asg_min     = 2
+  asg_min     = 3
   asg_max     = 6
-  asg_desired = 2
+  asg_desired = 3
 
   instance_type = "t3.small"
 
@@ -407,6 +407,55 @@ module "ooniapi_oonirun" {
   )
 }
 
+
+#### OONI Findings service
+
+module "ooniapi_oonifindings_deployer" {
+  source = "../../modules/ooniapi_service_deployer"
+
+  service_name            = "oonifindings"
+  repo                    = "ooni/backend"
+  branch_name             = "master"
+  buildspec_path          = "ooniapi/services/oonifindings/buildspec.yml"
+  codestar_connection_arn = aws_codestarconnections_connection.oonidevops.arn
+
+  codepipeline_bucket = aws_s3_bucket.ooniapi_codepipeline_bucket.bucket
+
+  ecs_service_name = module.ooniapi_oonifindings.ecs_service_name
+  ecs_cluster_name = module.ooniapi_cluster.cluster_name
+}
+
+module "ooniapi_oonifindings" {
+  source = "../../modules/ooniapi_service"
+
+  vpc_id             = module.network.vpc_id
+  public_subnet_ids  = module.network.vpc_subnet_public[*].id
+  private_subnet_ids = module.network.vpc_subnet_private[*].id
+
+  service_name             = "oonifindings"
+  default_docker_image_url = "ooni/api-oonifindings:latest"
+  stage                    = local.environment
+  dns_zone_ooni_io         = local.dns_zone_ooni_io
+  key_name                 = module.adm_iam_roles.oonidevops_key_name
+  ecs_cluster_id           = module.ooniapi_cluster.cluster_id
+
+  task_secrets = {
+    POSTGRESQL_URL              = aws_secretsmanager_secret_version.oonipg_url.arn
+    JWT_ENCRYPTION_KEY          = aws_secretsmanager_secret_version.jwt_secret.arn
+    PROMETHEUS_METRICS_PASSWORD = aws_secretsmanager_secret_version.prometheus_metrics_password.arn
+  }
+
+  ooniapi_service_security_groups = [
+    module.ooniapi_cluster.web_security_group_id
+  ]
+
+  tags = merge(
+    local.tags,
+    { Name = "ooni-tier0-oonifindings" }
+  )
+}
+
+
 #### OONI Auth service
 
 module "ooniapi_ooniauth_deployer" {
@@ -485,6 +534,7 @@ module "ooniapi_frontend" {
   ooniapi_oonirun_target_group_arn   = module.ooniapi_oonirun.alb_target_group_id
   ooniapi_ooniauth_target_group_arn  = module.ooniapi_ooniauth.alb_target_group_id
   ooniapi_ooniprobe_target_group_arn = module.ooniapi_ooniprobe.alb_target_group_id
+  ooniapi_oonifindings_target_group_arn = module.ooniapi_oonifindings.alb_target_group_id
 
   ooniapi_service_security_groups = [
     module.ooniapi_cluster.web_security_group_id

tf/modules/ooniapi_frontend/main.tf

@@ -99,8 +99,21 @@ resource "aws_lb_listener_rule" "ooniapi_ooniprobe_rule" {
   }
 }
 
+resource "aws_lb_listener_rule" "ooniapi_oonifindings_rule" {
+  listener_arn = aws_alb_listener.ooniapi_listener_https.arn
+  priority     = 103
 
+  action {
+    type             = "forward"
+    target_group_arn = var.ooniapi_oonifindings_target_group_arn
+  }
 
+  condition {
+    path_pattern {
+      values = ["/api/v1/incidents/*"]
+    }
+  }
+}
 
 ## DNS
 

tf/modules/ooniapi_frontend/variables.tf

@@ -25,6 +25,10 @@ variable "ooniapi_ooniauth_target_group_arn" {
 variable "ooniapi_ooniprobe_target_group_arn" {
   description = "arn for the target group of the ooniprobe service"
 }
+variable "ooniapi_oonifindings_target_group_arn" {
+  description = "arn for the target group of the oonifindings service"
+}
+
 variable "dns_zone_ooni_io" {
   description = "id of the DNS zone for ooni_io"
 }