initial tf and github workflow

vonschtirlitz · vonschtirlitz · commit c63da56e4e96 · 2025-07-16T21:12:36.000-04:00
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
@@ -0,0 +1,63 @@
+name: Build & Push RimWorld Hay Calc
+on:
+  # Build on every merge to main *and* on version tags like v1.2.3
+  push:
+    branches: [ main ]
+    tags:     [ 'v*' ]
+    paths:
+      - 'frontend/**'
+      - 'Dockerfile'
+      - '.github/workflows/build-and-deploy.yml'
+
+env:
+  AWS_REGION: us-east-1
+  ECR_REPOSITORY: rimworld-hay-calc
+  # This can be set in repo → Settings → Environments → prod → vars
+  ECR_REGISTRY: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write      # ✅ OIDC
+      contents: read
+
+    steps:
+      - name: 🛎️  Check out code
+        uses: actions/checkout@v4
+
+      # ---------- ① Configure AWS creds via OIDC ----------
+      - name: 🔐  Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GitHubOIDCDeploy
+          aws-region: ${{ env.AWS_REGION }}
+
+      # ---------- ② Log in to ECR ----------
+      - name: 🔑  Login to Amazon ECR
+        uses: aws-actions/amazon-ecr-login@v2
+
+      # ---------- ③ Set image tag ----------
+      - name: 🏷️  Define image tag
+        id: meta
+        run: |
+          if [[ "${GITHUB_REF_TYPE}" == "tag" ]]; then
+            echo "IMAGE_TAG=${GITHUB_REF_NAME}" >> $GITHUB_OUTPUT
+          else
+            echo "IMAGE_TAG=sha-${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
+          fi
+      - name: 💬  Show tag
+        run: echo "Pushing tag ${{ steps.meta.outputs.IMAGE_TAG }}"
+
+      # ---------- ④ Build & push (uses Docker layer cache) ----------
+      - name: 🐳  Build & push image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile           # still at repo root
+          push: true
+          tags: |
+            ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ steps.meta.outputs.IMAGE_TAG }}
+            ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:latest
+          cache-from: type=registry,ref=${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:buildcache
+          cache-to:   type=registry,ref=${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:buildcache,mode=max
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,27 @@
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+lerna-debug.log*
+
+node_modules
+dist
+dist-ssr
+*.local
+
+# Editor directories and files
+.vscode/*
+!.vscode/extensions.json
+.idea
+.DS_Store
+*.suo
+*.ntvs*
+*.njsproj
+*.sln
+*.sw?
+
+.terraform/*
+.terraform.tfstate*
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,15 @@
+# ---------- build stage ----------
+    FROM node:20-slim AS builder
+    WORKDIR /app
+    COPY frontend/package*.json ./frontend/
+    WORKDIR /app/frontend
+    RUN npm ci
+    COPY frontend/ .
+    RUN npm run build          # outputs to /app/dist
+    
+    # ---------- runtime stage ----------
+    FROM nginx:1.27-alpine
+    COPY --from=builder /app/frontend/dist /usr/share/nginx/html
+    # Optional: replace default.conf to add /healthz
+    HEALTHCHECK CMD wget -qO- http://localhost/ || exit 1
+    EXPOSE 80
diff --git a/infra/envs/dev/backend.tf b/infra/envs/dev/backend.tf
@@ -0,0 +1,8 @@
+terraform {
+  backend "s3" {
+    bucket         = "rimworld-hay-calc-tfstate"
+    key            = "dev/terraform.tfstate"
+    region         = "us-east-1"
+    encrypt        = true
+  }
+}
diff --git a/infra/envs/dev/main.tf b/infra/envs/dev/main.tf
@@ -0,0 +1,12 @@
+module "rimworld_hay_calc" {
+  source = "../.."          # <- two levels up to the shared root module
+
+  # Pass through any vars that differ per-env
+  aws_region    = var.aws_region
+  github_repo   = var.github_repo
+  project_name  = var.project_name
+}
+
+# Re-expose useful outputs
+output "ecr_repo_url"   { value = module.rimworld_hay_calc.ecr_repo_url }
+output "github_oidc_role" { value = module.rimworld_hay_calc.github_oidc_role }
diff --git a/infra/envs/dev/terraform.tfvars b/infra/envs/dev/terraform.tfvars
@@ -0,0 +1,3 @@
+github_repo = "vonschtirlitz/rimworld-hay-calc"
+aws_region = "us-east-1"
+project_name = "rimworld-hay-calc"
diff --git a/infra/envs/dev/variables.tf b/infra/envs/dev/variables.tf
@@ -0,0 +1,3 @@
+variable "aws_region"   { type = string }
+variable "github_repo"  { type = string }
+variable "project_name" { type = string }
diff --git a/infra/main.tf b/infra/main.tf
@@ -0,0 +1,49 @@
+########################
+#  ECR REPOSITORY      #
+########################
+resource "aws_ecr_repository" "app" {
+  name                 = "${var.project_name}"
+  image_tag_mutability = "MUTABLE"
+  force_delete         = false
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+########################
+#  GITHUB OIDC ROLE    #
+########################
+data "aws_caller_identity" "current" {}
+data "aws_iam_policy_document" "github_trust" {
+  statement {
+    effect = "Allow"
+    principals {
+      type        = "Federated"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"]
+    }
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = ["repo:${var.github_repo}:*"]
+    }
+  }
+}
+
+resource "aws_iam_role" "github_deploy" {
+  name               = "${var.project_name}-github-oidc"
+  assume_role_policy = data.aws_iam_policy_document.github_trust.json
+}
+
+resource "aws_iam_role_policy_attachment" "ecr_power" {
+  role       = aws_iam_role.github_deploy.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
+}
diff --git a/infra/outputs.tf b/infra/outputs.tf
@@ -0,0 +1,7 @@
+output "ecr_repo_url" {
+  value = aws_ecr_repository.app.repository_url
+}
+
+output "github_oidc_role" {
+  value = aws_iam_role.github_deploy.arn
+}
diff --git a/infra/variables.tf b/infra/variables.tf
@@ -0,0 +1,23 @@
+variable "aws_region" {
+  type        = string
+  description = "AWS region to deploy into"
+  default     = "us-east-1"
+}
+
+variable "project_name" {
+  type        = string
+  description = "Used for namespacing resources"
+  default     = "rimworld-hay-calc"
+}
+
+variable "global_tags" {
+  type = map(string)
+  default = {
+    Project = "RimworldHayCalc"
+  }
+}
+
+variable "github_repo" {
+  description = "owner/repo used in the GitHub OIDC subject"
+  type        = string
+}
diff --git a/infra/versions.tf b/infra/versions.tf
@@ -0,0 +1,17 @@
+terraform {
+  required_version = ">= 1.7.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.50"   # or latest 5.x
+    }
+  }
+}
+
+provider "aws" {
+  region = var.aws_region
+  default_tags {
+    tags = var.global_tags     # applied to every AWS resource
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+github_repo = "vonschtirlitz/rimworld-hay-calc"`
	`2`	`+aws_region = "us-east-1"`
	`3`	`+project_name = "rimworld-hay-calc"`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+variable "aws_region" { type = string }`
	`2`	`+variable "github_repo" { type = string }`
	`3`	`+variable "project_name" { type = string }`