authorChristopher Baines <mail@cbaines.net>2018-05-03 21:44:06 +0100
committerChristopher Baines <mail@cbaines.net>2018-05-03 21:44:06 +0100
commitfc1e5260603ff0f6030c4aed7874c8ea3b532e5c (patch)
treef2ae0482f4d60bb0a76328cee0c03dece172bb9d /app/models/backends/terraform_aws.rb
parent807c10c5652423be96d125a502be222aa8d80119 (diff)
downloadgovuk-mini-environment-admin-fc1e5260603ff0f6030c4aed7874c8ea3b532e5c.tar
govuk-mini-environment-admin-fc1e5260603ff0f6030c4aed7874c8ea3b532e5c.tar.gz
Improve the AWS backend
This gets the AWS backend to the point where you can deploy the backend, and then a mini environment without any actions outside of the govuk-mini-environment-admin.
Diffstat (limited to 'app/models/backends/terraform_aws.rb')
-rw-r--r--app/models/backends/terraform_aws.rb72
1 files changed, 63 insertions, 9 deletions
diff --git a/app/models/backends/terraform_aws.rb b/app/models/backends/terraform_aws.rb
index d45dfc7..c50e2de 100644
--- a/app/models/backends/terraform_aws.rb
+++ b/app/models/backends/terraform_aws.rb
@@ -55,11 +55,19 @@ class Backends::TerraformAws < ApplicationRecord
GovukGuix::BuildJob.enqueue(
mini_environment.id,
- %w(whitehall government-frontend),
- type: 'container-start-script',
- app_domain: "#{slug}.#{domain}",
- web_domain: "www.#{slug}.#{domain}",
- use_https: 'certbot'
+ services: %w(whitehall government-frontend),
+ arguments: {
+ type: 'container-start-script',
+ app_domain: "#{slug}.#{domain}",
+ web_domain: "www.#{slug}.#{domain}",
+ use_https: 'certbot',
+ http_ports_mode: 'alternative',
+ read_bundle_install_input_as_tar_archive: true,
+ signon_instance_name: slug,
+ admin_environment_label: mini_environment.name,
+ read_bundle_install_input_as_tar_archive: 'true'
+ },
+ run_remotely_on_host: "ubuntu@guix-daemon.#{domain}"
)
end
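Review bot: The new `arguments:` hash sets `read_bundle_install_input_as_tar_archive` twice, first as the boolean `true` and then as the string `'true'`. Ruby keeps the last value for a duplicated literal key and warns about it, so the job receives the string and the boolean entry is dead code. Keep only the form the build job expects, for example drop the second entry and leave `read_bundle_install_input_as_tar_archive: true`. The enclosing method starts above the hunk, so how `slug` and `domain` are derived is not visible here.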
@@ -83,10 +91,33 @@ class Backends::TerraformAws < ApplicationRecord
end
end
+ def deploy_backend
+ public_ip_address = ENV[
+ 'GOVUK_MINI_ENVIRONMENT_ADMIN_PUBLIC_IP_ADDRESS'
+ ]
+
+ raise 'missing public ip address' if public_ip_address.nil?
+
+ TerraformWorkingDirectory.new(
+ terraform_state_id,
+ 'terraform/aws/backend'
+ ).within_working_directory do
+ RubyTerraform.apply(
+ vars: common_terraform_variables.merge(
+ aws_vpc_id: vpc_id,
+ ssh_public_key: ssh_public_key,
+ mini_environment_admin_guix_public_key: guix_public_key,
+ mini_environment_admin_public_ip_address: public_ip_address
+ ),
+ auto_approve: true
+ )
+ end
+ end
+
def within_terraform_working_directory(mini_environment, &block)
TerraformWorkingDirectory.new(
"mini_environment/#{mini_environment.id}",
- 'terraform/aws'
+ 'terraform/aws/mini_environment'
).within_working_directory(&block)
end
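Review bot: `deploy_backend` rejects only an unset `GOVUK_MINI_ENVIRONMENT_ADMIN_PUBLIC_IP_ADDRESS`; an empty or malformed value passes the `nil?` check and goes straight into `RubyTerraform.apply` with `auto_approve: true`, so nothing reviews it before it is applied. The variable name suggests it feeds an access rule in the backend Terraform, which is not visible here, so it is worth validating before the apply. Reading it with `ENV.fetch('GOVUK_MINI_ENVIRONMENT_ADMIN_PUBLIC_IP_ADDRESS')` and passing it through `IPAddr.new(public_ip_address)` (needs `require 'ipaddr'`) would raise on a missing or malformed value. The `raise 'missing public ip address'` message would also be easier to act on if it named the environment variable.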
@@ -94,18 +125,41 @@ class Backends::TerraformAws < ApplicationRecord
"https://signon.#{mini_environment.name.parameterize}.#{domain}"
end
- def terraform_variables(mini_environment)
+ def common_terraform_variables
{
aws_access_key: aws_access_key_id,
aws_secret_key: aws_secret_access_key,
aws_region: aws_region,
- slug: mini_environment.name.parameterize,
ssh_public_key: ssh_public_key,
- start_command: mini_environment.backend_data['build_output']
+ aws_route_53_zone_id: route_53_zone_id,
+ aws_efs_file_system_id: efs_file_system_id
}
end
+ def terraform_variables(mini_environment)
+ common_terraform_variables.merge(
+ slug: mini_environment.name.parameterize,
+ start_command: mini_environment.backend_data['build_output'],
+ backend_remote_state_address: (
+ 'http://localhost:3000' +
+ Rails
+ .application
+ .routes
+ .url_helpers
+ .terraform_http_backend_path(terraform_state_id)
+ )
+ )
+ end
+
+ def terraform_state_id
+ "backend/terraform_aws/#{id}"
+ end
+
def ssh_public_key
File.open("#{ENV['HOME']}/.ssh/id_rsa.pub", &:readline)
end
+
+ def guix_public_key
+ "(entry #{File.read("/etc/guix/signing-key.pub")} (tag (guix import)))"
+ end
end
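Review bot: `backend_remote_state_address` in `terraform_variables` is built from the literal `'http://localhost:3000'`, so the state address is only correct when Terraform runs on the same host and port as the Rails app, and it uses plain HTTP. The variables built next to it include `aws_secret_key`, so the state served at that address should be treated as sensitive. Taking the base URL from configuration would make the assumption explicit, for example `ENV.fetch('<BASE_URL_VARIABLE>', 'http://localhost:3000')`, where the variable name is a placeholder. A short comment on `terraform_variables` saying the state endpoint must not be reachable without authentication would also help. Separately, `guix_public_key` interpolates the raw `File.read` result, trailing newline included, into the s-expression; consider `.strip` if the consumer is whitespace-sensitive.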