Initial import of files without removing existing files

.gitignore

@@ -1,7 +1,6 @@
 *playbook.retry
 .DS_Store
-terraform.tfvars
-.terraform*
+.terraform/
 *.swp
 password_file*
-.vscode
+.vscode

aws_access/README.md

@@ -1,8 +1,11 @@
-### Getting started
+
+### What is this for?
+
+This set of terraform sets up any api users and relevant state buckets.
+
+## Getting started
 
 You'll need to assume the role of an account that has the permission to talk to the treetracker-infrastructure bucket to run terraform.
 
 Once you have your aws settings configured locally, you should be able to apply changes/ have access to the state bucket.
 
-### What is this for?
-This set of terraform sets up any api users and relevant state buckets.

env/tt/README.md

@@ -0,0 +1,3 @@
+This directory is the parent environment for TreeTracker.
+
+Sub-directories are cloud platforms.

env/tt/aws/README.md

@@ -0,0 +1,7 @@
+This is the parent directory of all AWS [cloud computing platform] environments.
+
+Each sub-directory here is a [AWS region](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/), with the exception of `global`, which includes environments that are not *region*-specific.
+
+**IMPORTANT NOTE**
+ - Existing resources exist in the us-east-1 region, but this region is more unstable than others.
+   All new resources should be created in the us-east-2 region or a us-west region.

env/tt/aws/us-east-1/README.md

@@ -0,0 +1 @@
+This directory contains the configuration for the AWS region `us-east-1`.

env/tt/aws/us-east-1/backend.sh.tfvars

@@ -0,0 +1 @@
+region = "us-east-1"

env/tt/aws/us-east-1/dev/README.md

@@ -0,0 +1,5 @@
+This directory contains environments for AWS region us-east-1.
+
+Each sub-directory is an 'environment', or unit of configuration specific to one or several components/modules/resources, that form a logical unit (an "environment"). This is *configuration only*; all code is kept in a different directory.
+
+Put your configuration in these directories, and configure your deployment tools to refer to them for configuration. You can create Makefiles or other configuration to enable you to run deployment commands from these directories.

env/tt/aws/us-east-1/dev/backend.sh.tfvars

@@ -0,0 +1 @@
+bucket = "treetracker-us-east-1-development-terraform"

env/tt/aws/us-east-1/dev/terraform.sh.tfvars

@@ -0,0 +1,2 @@
+environment = "dev"
+environment_long = "development"

env/tt/aws/us-east-1/dev/web-apps/backend.sh.tfvars

@@ -0,0 +1 @@
+key = "tfstate/docean/sfo2/dev/terraform-web-apps.tfstate"

env/tt/aws/us-east-1/dev/web-apps/terraformsh.conf

@@ -0,0 +1 @@
+CD_DIR=../../../../../terraform/modules/root/web-apps

env/tt/aws/us-east-1/terraform.sh.tfvars

@@ -0,0 +1 @@
+aws_region = "us-east-1"

env/tt/docean/README.md

@@ -0,0 +1,13 @@
+This is the parent directory of all Digital Ocean [cloud computing platform] environments.
+
+Each sub-directory here is a [DitigalOcean region](https://docs.digitalocean.com/products/platform/availability-matrix/), with the exception of `global`, which includes environments that are not *region*-specific.
+
+**IMPORTANT NOTE**
+ - Existing resources exist in the SFO2 region, but this region is limited in use and should be moved away from.
+   From [region availability matrix](https://docs.digitalocean.com/products/platform/availability-matrix/):
+   ```
+   Due to limited capacity in NYC2, AMS2, SFO1, and SFO2,
+   only users who already have existing resources in those regions
+   can create more resources there.
+   ```
+   SFO3 is the preferred new region over SFO2, as it supports the most new services.

env/tt/docean/nyc1/backend.sh.tfvars

@@ -0,0 +1 @@
+region = "nyc1"

env/tt/docean/nyc1/dev/backend.sh.tfvars

@@ -0,0 +1,2 @@
+bucket = "treetracker-nyc1-development-terraform"
+endpoint = "https://nyc1.digitaloceanspaces.com"

env/tt/docean/nyc1/dev/do-bastion/backend.sh.tfvars

@@ -0,0 +1 @@
+key = "tfstate/tt/docean/nyc1/dev/do-bastion.tfstate"

env/tt/docean/nyc1/dev/do-bastion/terraform.sh.tfvars

@@ -0,0 +1 @@
+bastion_ssh_key_fingerprint = ["8c:9b:4c:e4:a5:b1:08:c7:3b:bc:b6:9a:21:86:3f:3d"]

env/tt/docean/nyc1/dev/do-bastion/terraformsh.conf

@@ -0,0 +1 @@
+CD_DIR=../../../../../terraform/modules/root/do-bastion

env/tt/docean/nyc1/dev/terraform.sh.tfvars

@@ -0,0 +1,2 @@
+environment = "dev"
+environment_long = "development"

env/tt/docean/nyc1/terraform.sh.tfvars

@@ -0,0 +1 @@
+do_region = "nyc1"

env/tt/docean/sfo2/README.md

@@ -0,0 +1,4 @@
+This directory contains environments for the DigitalOcean SFO2 region.
+
+Please note that SFO2 (this region) has limited capacity and new features are not available in this region.
+**All new resources should be created in SFO3.**

env/tt/docean/sfo2/backend.sh.tfvars

@@ -0,0 +1,5 @@
+# This region is "fake", in order to pass validation for the AWS S3 backend.
+# The 'endpoint' below points to the real backend s3 region.
+region = "eu-west-1"
+
+endpoint = "https://sfo2.digitaloceanspaces.com"

env/tt/docean/sfo2/dev/README.md

@@ -0,0 +1,5 @@
+This directory contains environments for DigitalOcean region SFO2.
+
+Each sub-directory is an 'environment', or unit of configuration specific to one or several components/modules/resources, that form a logical unit (an "environment"). This is *configuration only*; all code is kept in a different directory.
+
+Put your configuration in these directories, and configure your deployment tools to refer to them for configuration. You can create Makefiles or other configuration to enable you to run deployment commands from these directories.

env/tt/docean/sfo2/dev/airflow/ansible-env/group_vars/local

@@ -0,0 +1,8 @@
+postgres_db_host: db-postgresql-sfo2-nextgen-do-user-1067699-0.db.ondigitalocean.com
+postgres_db_port: 25060
+postgres_db_user: s_airflow
+postgres_db_name: treetracker
+database_sealed_secret: AgAnLgL+8LAv5tV1PE7d7A2L09Bdm4p8hjHqUL6bWx/Usgke8OlRYMrg3v8tZqj1pFiHMq9IE5Sm86TC+7SxHfMmEN44W/e4sdWYXxJ1y3CRY5Ie+3EL9vJOVysqejSD8UxeUA/9yJ/nfTLqLc9o/Ll5NAL1M0YIfUAx/yxZOYRRPOYuML10szXg0GeCO4Dm8Mx9TvTXOH256KWl/SHyHzP9OTXsyjUQ0n9PL3YhqnZWhNaL/ACSmfnmwl+XRizfaIVB+tb1NpgAKHkIjklPW2BhZV2/kda8JGhuKdVGnw6YXXhXWdO4Rt6DHCN1ioNa1i+mTzchh8gRSx7w1u2rv5eGAQWp8Fktcx6nKkHtwSXjMclCN9rA2Dukl5ID2aIb5eKejxzmWHKP0RNLLsrvZrR/xJcKJnot4Ojk1vbBjEE+PMER+u88uC219BT492vIwYAB5pklbZxwu0pehMB8m+IhFXRh3iGl7CmKGBem8SViInzvm740+N5wa/wVI/1Ch0pV6A5OMGt8a6SmsExvyhP9NdjE22BoY9Gy3WMQtqe86l+WlebWHN4IkMgVd+AppTZSJlWGcvgI222KfDFN/Sw0HUcwBNGRSLLvVzHx/VQPd6+vkF5WeyCqi6JsTYZ7WtMd2A3Gu0vm18imwCc6O4fkk0v7n+Jwkq9/ddIxN/bR1rScSroml6+WJQbYRJ2jM48Gd8LiuCCcqZVycOTJm2GH
+airflow_base_url: http://dev-k8s.treetracker.org/airflow
+deployment_branch: main
+airflow_admin_sealed_password: AgB65y0NYXPwnJgnV6Ar/1TfqsDCth51BdDZfQAiAsTyFRZpdido88hVXB7sVC65ShlIhJexqMtu0VUXZV4nFqDujtmgl5wJT3rAWTzuU54PP1W90g86UHXyzTa0fWZD6V6QXKynoKa5aLNBPNG1/4UxBolGQVVTQqZ733xPCzZ/rq6p7MXDD/cov1v4Nmxk3p69B5z11uNLGcslfKfTzL4eTNgUgqFNVuYLH5XlMSVi/mNGQ4GNOoz//NeVXSvvInxtUhArEhmKOVwcTxdHHaAF6sRIZsH0C8ikeNnIZ5BiqEuYyl9rbYnmGfV7efm7U6Ly0IT3XV7bosAL9mj4DolLnN0ZxyBxqd0srXDXxXzjdQF+H8RR68xu/lWHcrJEfZja4ZIZBk2x/LBiCJqaeLGWsER5GB9W3WphKpstK2UQdXa879TBKKq/evhvyR0sQi/Nf+KCLYtXA7RVLnnqUT5T0C89itU1CGJD+6aqZDEH8QZI2RwrorhLhK80NSBTtkECrdbQ1tuzU6R90j63HEhEccHwWlBSZpMFTbGRJURp/PD7EqEcSSLMJC7EA4tGGkNbbieonzBjtt9LF/DIiyV4Tjp9BoY/l3kuvgHvKSLQonyFbNmYzlc4ZUa1IkXuMVMcNS+KEGU5dWqa3vq5rPlRfmKS0h/OC4kjDjidCB5MPZlbKKcnHb58Z3ObYgTHrfLZAP/YTwwp/qbKKZBRFONa

env/tt/docean/sfo2/dev/airflow/ansible-env/inventory

@@ -0,0 +1,2 @@
+[local]
+localhost-py3 ansible_host=localhost ansible_python_interpreter=/usr/local/bin/python3

env/tt/docean/sfo2/dev/api_gateway/backend.sh.tfvars

@@ -0,0 +1,2 @@
+bucket = "greenstandtf"
+key = "tfvars/tt/docean/sfo2/terraform-api-gateway.tfstate"

env/tt/docean/sfo2/dev/api_gateway/terraform.sh.tfvars

@@ -0,0 +1,2 @@
+ambassador_host_domain_name = "dev-k8s.treetracker.org"
+ambassador_host_load_balancer_ip_address = "134.209.142.182"

env/tt/docean/sfo2/dev/api_gateway/terraformsh.conf

@@ -0,0 +1 @@
+CD_DIR=../../../../../../terraform/modules/root/api_gateway

env/tt/docean/sfo2/dev/aws_access/terraformsh.conf

@@ -0,0 +1 @@
+CD_DIR=../../../../../terraform/modules/root/aws_access

env/tt/docean/sfo2/dev/backend.sh.tfvars

@@ -0,0 +1 @@
+bucket = "treetracker-sfo2-development-terraform"

env/tt/docean/sfo2/dev/database-backup-storage/backend.sh.tfvars

@@ -0,0 +1 @@
+key = "tfstate/tt/docean/sfo2/dev/database-backup-storage.tfstate"

env/tt/docean/sfo2/dev/database-backup-storage/terraform.sh.tfvars

@@ -0,0 +1 @@
+treetracker_backup_bucket = "treetracker-development-backups"

env/tt/docean/sfo2/dev/database-backup-storage/terraformsh.conf

@@ -0,0 +1 @@
+CD_DIR=../../../../../terraform/modules/root/database-backup-storage

env/tt/docean/sfo2/dev/database-grants/backend.sh.tfvars

@@ -0,0 +1 @@
+key = "tfstate/tt/docean/sfo2/dev/terraform-database-grants.tfstate"

env/tt/docean/sfo2/dev/database-grants/terraform.sh.tfvars

@@ -0,0 +1,2 @@
+port = "25060"
+host = "db-postgresql-sfo2-nextgen-do-user-1067699-0.db.ondigitalocean.com"

env/tt/docean/sfo2/dev/database-grants/terraformsh.conf

@@ -0,0 +1 @@
+CD_DIR=../../../../../../terraform/modules/root/database-grants

env/tt/docean/sfo2/dev/database/terraform.sh.tfvars

@@ -0,0 +1 @@
+

env/tt/docean/sfo2/dev/database/terraformsh.conf

@@ -0,0 +1 @@
+CD_DIR=../../../../../terraform/modules/root/database

env/tt/docean/sfo2/dev/earnings/terraformsh.conf

@@ -0,0 +1 @@
+CD_DIR=../../../../../terraform/modules/root/earnings

env/tt/docean/sfo2/dev/kubernetes/backend.sh.tfvars

@@ -0,0 +1 @@
+key = "tfstate/tt/docean/sfo2/dev/terraform-kubernetes.tfstate"

env/tt/docean/sfo2/dev/kubernetes/terraform.sh.tfvars

@@ -0,0 +1 @@
+cluster_name = "prod-k8s-treetracker"

env/tt/docean/sfo2/dev/kubernetes/terraformsh.conf

@@ -0,0 +1 @@
+CD_DIR=../../../../../terraform/modules/root/database

env/tt/docean/sfo2/dev/monitoring/backend.sh.tfvars

@@ -0,0 +1 @@
+key = "tt/docean/sfo2/dev/terraform-monitoring.tfstate"

env/tt/docean/sfo2/dev/monitoring/terraform.sh.tfvars

@@ -0,0 +1 @@
+ssh_key_fingerprint = ["37:45:4a:cd:5e:72:46:48:8f:69:e9:98:4f:6e:27:e0"]

env/tt/docean/sfo2/dev/monitoring/terraformsh.conf

@@ -0,0 +1 @@
+CD_DIR=../../../../../terraform/modules/root/monitoring

env/tt/docean/sfo2/dev/terraform.sh.tfvars

@@ -0,0 +1,2 @@
+environment = "dev"
+environment_long = "development"

env/tt/docean/sfo2/terraform.sh.tfvars

@@ -0,0 +1 @@
+do_region = "sfo2"

scripts/terraform/terraform-apply-dev.sh

@@ -0,0 +1 @@
+terraform apply -var-file dev.env.tfvars

scripts/terraform/terraform-apply-prod.sh

@@ -0,0 +1 @@
+terraform apply -var-file prod.env.tfvars

scripts/terraform/terraform-apply-test.sh

@@ -0,0 +1 @@
+terraform apply -var-file test.env.tfvars

scripts/terraform/terraform-init.sh

@@ -0,0 +1 @@
+terraform init -backend-config backend-config.tfvars

scripts/terraform/terraform-plan-dev.sh

@@ -0,0 +1 @@
+terraform plan -var-file dev.env.tfvars

scripts/terraform/terraform-plan-prod.sh

@@ -0,0 +1 @@
+terraform plan -var-file prod.env.tfvars

scripts/terraform/terraform-plan-test.sh

@@ -0,0 +1 @@
+terraform plan -var-file test.env.tfvars

scripts/terraform/terraform-setup-aws-keys.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Retrieve keys from your netrc, specified as
+# machine sfo2.digitaloceanspaces.com login KEY password SECRET
+# Source this file before running terraform commands
+
+netrc_string=$(grep aws.treetracker.org ~/.netrc)
+export AWS_ACCESS_KEY_ID=$(echo $netrc_string | awk '{print $4}')
+export AWS_SECRET_ACCESS_KEY=$(echo $netrc_string | awk '{print $6}')

scripts/terraform/terraform-setup-keys-prod.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Retrieve keys from your netrc, specified as
+# machine sfo2.digitaloceanspaces.com login KEY password SECRET
+# Source this file before running terraform commands
+netrc_string=$(grep digitalocean.production.treetracker.org ~/.netrc)
+export AWS_ACCESS_KEY_ID=$(echo $netrc_string | awk '{print $4}')
+export AWS_SECRET_ACCESS_KEY=$(echo $netrc_string | awk '{print $6}')
+

terraform/modules/root/api_gateway/README.md

@@ -0,0 +1,9 @@
+## Running this terrform
+1. install terraform `brew install terraform`
+1. set up access to s3/spaces
+  1. create access key in control panel, note key id and access key
+  2. update ~/.netrc to hold access like with a line like `sfo2.digitaloceanspaces.com spaces login KEY_ID password ACCESS_KEY`
+1. load keys by running `source setup_keys.sh`
+1. `terraform init` get ready to run terraform
+1. `terraform plan` to see changes that will be applied
+1. `terraform apply` to apply those changes

terraform/modules/root/api_gateway/backend.tf

@@ -0,0 +1,23 @@
+terraform {
+  # DigitalOcean uses the S3 spec.
+  backend "s3" {
+
+    #bucket = "greenstandtf"
+    #key    = "terraform-api-gateway.tfstate"
+    #endpoint = "https://sfo2.digitaloceanspaces.com"
+
+    # DO uses the S3 backend. However, the S3 backend is hard-coded with AWS regions,
+    # so we have to hard-code an AWS region here to pass validation.
+    # the real 'endpoint' to a DigitalOcean region must be passed as an argument.
+    region = "eu-west-1"
+
+    # Deactivate a few checks as TF will attempt these against AWS
+
+    skip_credentials_validation = true
+
+    # skip_get_ec2_platforms = true
+    # skip_requesting_account_id = true
+
+    skip_metadata_api_check = true
+  }
+}

terraform/modules/root/api_gateway/dns.tf

@@ -0,0 +1,30 @@
+
+resource "digitalocean_domain" "ambassador-host" {
+  name = var.ambassador_host_domain_name
+  ip_address = var.ambassador_host_load_balancer_ip_address
+}
+
+resource "digitalocean_record" "CNAME-www" {
+  domain = digitalocean_domain.ambassador-host.name
+  type = "CNAME"
+  name = "www"
+  value = "@"
+}
+
+# this was included before environments were separated
+#resource "digitalocean_domain" "ambassador-host-test" {
+#  name = "test-k8s.treetracker.org"
+#  ip_address = "157.230.74.182"
+#}
+
+
+#resource "digitalocean_domain" "ambassador-host-test" {
+#  name = "test-k8s.treetracker.org"
+#  ip_address = "157.230.74.182"
+#}
+
+#resource "digitalocean_domain" "ambassador-host-prod" {
+#  name = "prod-k8s.treetracker.org"
+#  ip_address = "167.172.12.67"
+#}
+

terraform/modules/root/api_gateway/production.tfvars

@@ -0,0 +1,2 @@
+host_name = "prod-k8s.treetracker.org"
+load_balancer_ip_address = "167.172.12.67"

terraform/modules/root/api_gateway/provider.tf

@@ -0,0 +1,12 @@
+provider "digitalocean" {
+  token = var.do_token
+}
+
+terraform {
+  required_providers {
+    digitalocean = {
+      source = "digitalocean/digitalocean"
+      version = "1.22.2"
+    }
+  }
+}

terraform/modules/root/api_gateway/setup_keys.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# Retrieve keys from your netrc, specified as
+# machine sfo2.digitaloceanspaces.com login KEY password SECRET
+# Source this file before running terraform commands
+netrc_string=$(grep sfo2.digitaloceanspaces.com ~/.netrc)
+export AWS_ACCESS_KEY_ID=$(echo $netrc_string | awk '{print $4}')
+export AWS_SECRET_ACCESS_KEY=$(echo $netrc_string | awk '{print $6}')
+
+netrc_string=$(grep aws.treetracker.org ~/.netrc)
+export TF_VAR_TREETRACKER_AWS_ACCESS_KEY_ID=$(echo $netrc_string | awk '{print $4}')
+export TF_VAR_TREETRACKER_AWS_SECRET_ACCESS_KEY=$(echo $netrc_string | awk '{print $6}')

terraform/modules/root/api_gateway/variables.tf

@@ -0,0 +1,4 @@
+variable "do_token" {}
+
+variable "host_name" {}
+variable "load_balancer_ip_address" {}

terraform/modules/root/aws_access/.terraform-version

@@ -0,0 +1 @@
+0.12.31

terraform/modules/root/aws_access/backend.tf

@@ -0,0 +1,8 @@
+
+terraform {
+  backend "s3" {
+    #bucket = "treetracker-infrastructure"
+    #key    = "cdn-info"
+    #region = "us-east-1"
+  }
+}

terraform/modules/root/aws_access/bulk-data-consumer.tf

@@ -0,0 +1,44 @@
+resource "aws_iam_user" "bulk_data_consumer" {
+  name = "Bulk-Data-Consumer-${var.environment}"
+}
+
+resource "aws_iam_access_key" "bulk_data_consumer_access_key" {
+  user = aws_iam_user.bulk_data_consumer.name
+}
+
+output "bulk_data_consumer_keyid" {
+  value = aws_iam_access_key.bulk_data_consumer_access_key.id
+}
+
+output "bulk_data_consumer_secret" {
+  value = aws_iam_access_key.bulk_data_consumer_access_key.secret
+}
+
+resource "aws_iam_user_policy" "bulk_data_consumer_policy" {
+  name = "bulk_data_consumer_policy"
+  user = aws_iam_user.bulk_data_consumer.name
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement":[
+    {
+      "Sid": "Terraform0",
+      "Effect": "Allow",
+      "Action": "s3:GetObject",
+      "Resource": "arn:aws:s3:::${var.treetracker_batch_uploads_s3_bucket}/*"
+    },
+    {
+      "Sid": "Terraform1",
+      "Effect": "Allow",
+      "Action": [
+        "sqs:DeleteMessage",
+      "sqs:ReceiveMessage"
+      ],
+      "Resource": "arn:aws:sqs:${var.aws_region}:${var.aws_account_id}:${var.treetracker_queue_name}"
+    }
+  ]
+}
+EOF
+}
+