feat: whole bunch of website and cms changes

.envrc

@@ -1,3 +1,4 @@
 export CLOUDFLARE_ACCOUNT_ID="0aeb879de8e3cdde5fb3d413025222ce"
+export TERRAFORM_BACKEND_URL="https://terraform-state-backend.rawkode-academy.workers.dev"
 export TERRAFORM_BACKEND_BUCKET_NAME="rawkode-cloud-tfstate"
 

pnpm-workspace.yaml

@@ -9,6 +9,7 @@ packages:
  - "./projects/core-infrastructure/terraform-state-backend"
  - "./projects/rawkode.academy/website"
  - "./projects/rawkode.academy/cms"
+ - "./projects/rawkode.academy/cms/deploy"
  - "./projects/rawkode.cloud/tfstate"
  - "./projects/rawkode.community/ics-events"
  - "./projects/rawkode.studio"

projects/rawkode.academy/cms/.dockerignore

@@ -1,9 +1,10 @@
-.vscode
-build
-dist
-node_modules
-docker-compose.yaml
-Dockerfile
-Justfile
-README.md
-rome.json
+/.vscode
+/build
+/deploy
+/dist
+/docker-compose.yaml
+/Dockerfile
+/Justfile
+/node_modules
+/README.md
+/rome.json

projects/rawkode.academy/cms/.envrc

@@ -1,10 +1,11 @@
 op signin --account rawkodeacademy
 
 export NODE_ENV="dev"
-export SERVER_URL="http://localhost:3000"
 export CLOUDFLARE_API_TOKEN=op://sa.rawkode.academy/cloudflare/api
-export MONGODB_URI=mongodb://127.0.0.1/cms
-export PAYLOAD_SECRET=super-secret
-export OAUTH_CLIENT_ID="op://cms.rawkode.academy/GitHub/username"
-export OAUTH_CLIENT_SECRET="op://cms.rawkode.academy/GitHub/password"
-export OAUTH_BASE_URL="https://github.com"
+
+export APPSETTING_SERVER_URL="http://localhost:3000"
+export APPSETTING_MONGODB_URI=mongodb://127.0.0.1/cms
+export APPSETTING_PAYLOAD_SECRET=super-secret
+export APPSETTING_OAUTH_BASE_URL="https://github.com"
+export APPSETTING_OAUTH_CLIENT_ID="op://cms.rawkode.academy/GitHub/username"
+export APPSETTING_OAUTH_CLIENT_SECRET="op://cms.rawkode.academy/GitHub/password"

projects/rawkode.academy/cms/Dockerfile

@@ -26,9 +26,10 @@ WORKDIR /app
 
 ENV NODE_ENV=production
 
-COPY --from=build /app/dist ./
-COPY --from=build /app/node_modules ./node_modules
+COPY --from=build /app/build ./build
+COPY --from=build /app/dist ./dist
+COPY --from=build /app/node_modules ./node_modules
 
 EXPOSE 3000
 
-CMD ["node", "server.js"]
+CMD ["node", "dist/server.js"]

projects/rawkode.academy/cms/deploy/.envrc

@@ -0,0 +1,12 @@
+source_up ../../../.envrc
+source_up
+
+op signin --account rawkodeacademy.1password.eu
+
+export TF_HTTP_PASSWORD="op://sa-core-infrastructure/cloudflare/terraform-state-backend/password"
+export CLOUDFLARE_API_TOKEN="op://private/cloudflare/api-tokens/all-access"
+
+export ARM_SUBSCRIPTION_ID="op://sa-core-infrastructure/azure/subscriptionid"
+export ARM_TENANT_ID="op://sa-core-infrastructure/azure/tenantid"
+export ARM_CLIENT_ID="op://sa-core-infrastructure/azure/appid"
+export ARM_CLIENT_SECRET="op://sa-core-infrastructure/azure/password"

projects/rawkode.academy/cms/deploy/.gitignore

@@ -0,0 +1,11 @@
+*.d.ts
+*.js
+node_modules
+cdktf.out
+cdktf.log
+*terraform.*.tfstate*
+.gen
+.terraform
+tsconfig.tsbuildinfo
+!jest.config.js
+!setup.js

projects/rawkode.academy/cms/deploy/cdktf.json

@@ -0,0 +1,13 @@
+{
+ "app": "npx ts-node main.ts",
+ "context": {},
+ "language": "typescript",
+ "projectId": "a50eaad7-f318-4b9f-a7b5-76c059b44d67",
+ "sendCrashReports": "false",
+ "terraformModules": [],
+ "terraformProviders": [
+ "hashicorp/azurerm@~>3.65.0",
+ "hashicorp/random",
+ "cloudflare/cloudflare@~>4.10.0"
+ ]
+}

projects/rawkode.academy/cms/deploy/main.ts

@@ -0,0 +1,229 @@
+import { App, Fn, HttpBackend, TerraformStack } from "cdktf";
+import { AppServiceCertificateBinding } from "./.gen/providers/azurerm/app-service-certificate-binding";
+import { AppServiceCustomHostnameBinding } from "./.gen/providers/azurerm/app-service-custom-hostname-binding";
+import { AppServiceManagedCertificate } from "./.gen/providers/azurerm/app-service-managed-certificate";
+import { CosmosdbAccount } from "./.gen/providers/azurerm/cosmosdb-account";
+import { CosmosdbMongoDatabase } from "./.gen/providers/azurerm/cosmosdb-mongo-database";
+import { DataAzurermClientConfig } from "./.gen/providers/azurerm/data-azurerm-client-config";
+import { KeyVault } from "./.gen/providers/azurerm/key-vault";
+import { KeyVaultAccessPolicyA } from "./.gen/providers/azurerm/key-vault-access-policy";
+import { KeyVaultSecret } from "./.gen/providers/azurerm/key-vault-secret";
+import { LinuxWebApp } from "./.gen/providers/azurerm/linux-web-app";
+import { AzurermProvider } from "./.gen/providers/azurerm/provider";
+import { ResourceGroup } from "./.gen/providers/azurerm/resource-group";
+import { ServicePlan } from "./.gen/providers/azurerm/service-plan";
+import { DataCloudflareZone } from "./.gen/providers/cloudflare/data-cloudflare-zone";
+import { CloudflareProvider } from "./.gen/providers/cloudflare/provider";
+import { Record } from "./.gen/providers/cloudflare/record";
+import { Password } from "./.gen/providers/random/password";
+import { RandomProvider } from "./.gen/providers/random/provider";
+
+const terraformBackendUrl = `${
+ process.env.TERRAFORM_BACKEND_URL || ""
+}/states/cms.rawkode.academy`;
+
+class MyStack extends TerraformStack {
+ constructor(scope: App, name: string) {
+ super(scope, name);
+
+ new AzurermProvider(this, "azure", {
+ features: {},
+ });
+
+ new CloudflareProvider(this, "cloudflare", {});
+
+ const cloudflareZone = new DataCloudflareZone(this, "cloudflare-zone", {
+ name: "rawkode.academy",
+ });
+
+ new RandomProvider(this, "random", {});
+
+ const azureClientConfig = new DataAzurermClientConfig(
+ this,
+ "azure-client-config",
+ {},
+ );
+
+ const resourceGroup = new ResourceGroup(this, "resource-group", {
+ name: "cms.rawkode.academy",
+ location: "West Europe",
+ });
+
+ const servicePlan = new ServicePlan(this, "service-plan", {
+ name: "rawkode-academy-cms",
+ resourceGroupName: resourceGroup.name,
+ location: resourceGroup.location,
+ osType: "Linux",
+ skuName: "B1",
+ });
+
+ const keyVault = new KeyVault(this, "key-vault", {
+ name: "rawkode-academy-cms",
+ location: resourceGroup.location,
+ resourceGroupName: resourceGroup.name,
+ skuName: "standard",
+ tenantId: azureClientConfig.tenantId,
+ });
+
+ const cosmosDbAccount = new CosmosdbAccount(this, "cosmosdb-account", {
+ name: "rawkode-academy-cms",
+ resourceGroupName: resourceGroup.name,
+ location: resourceGroup.location,
+ offerType: "Standard",
+ kind: "MongoDB",
+ enableAutomaticFailover: false,
+ consistencyPolicy: {
+ consistencyLevel: "BoundedStaleness",
+ maxIntervalInSeconds: 300,
+ maxStalenessPrefix: 10000,
+ },
+ geoLocation: [
+ {
+ location: resourceGroup.location,
+ failoverPriority: 0,
+ },
+ ],
+ });
+
+ new CosmosdbMongoDatabase(this, "cosmosdb-mongo-database", {
+ name: "rawkode-academy-cms",
+ resourceGroupName: resourceGroup.name,
+ accountName: cosmosDbAccount.name,
+ throughput: 400,
+ });
+
+ const payloadSecret = new Password(this, "payload-secret", {
+ length: 32,
+ special: true,
+ minSpecial: 4,
+ upper: true,
+ minUpper: 4,
+ lower: true,
+ minLower: 4,
+ numeric: true,
+ minNumeric: 4,
+ });
+
+ const azurePayloadSecret = new KeyVaultSecret(
+ this,
+ "azure-payload-secret",
+ {
+ keyVaultId: keyVault.id,
+ name: "payload-secret",
+ value: payloadSecret.result,
+ },
+ );
+
+ const azureGitHubClientSecret = new KeyVaultSecret(
+ this,
+ "azure-github-client-secret",
+ {
+ keyVaultId: keyVault.id,
+ name: "github-client-secret",
+ value: process.env.APPSETTING_GITHUB_CLIENT_SECRET || "",
+ },
+ );
+
+ const linuxWebApp = new LinuxWebApp(this, "linux-web-app", {
+ name: "rawkode-academy-cms",
+ enabled: true,
+ servicePlanId: servicePlan.id,
+ location: resourceGroup.location,
+ resourceGroupName: resourceGroup.name,
+ httpsOnly: true,
+ identity: {
+ type: "SystemAssigned",
+ },
+ siteConfig: {
+ alwaysOn: true,
+ applicationStack: {
+ dockerRegistryUrl: "https://ghcr.io",
+ dockerImageName: "rawkodeacademy/cms",
+ },
+ },
+ appSettings: {
+ WEBSITES_PORT: "3000",
+ SERVER_URL: "https://cms.rawkode.academy",
+ MONGODB_URI: Fn.element(cosmosDbAccount.connectionStrings, 0),
+ OAUTH_BASE_URL: process.env.APPSETTING_OAUTH_BASE_URL || "",
+ OAUTH_CLIENT_ID: process.env.APPSETTING_OAUTH_CLIENT_ID || "",
+ OAUTH_CLIENT_SECRET: `@Microsoft.KeyVault(SecretUri=${azureGitHubClientSecret.versionlessId})`,
+ PAYLOAD_SECRET: `@Microsoft.KeyVault(SecretUri=${azurePayloadSecret.versionlessId})`,
+ },
+ });
+
+ const domainVerification = new Record(
+ this,
+ "cloudflare-record-verification",
+ {
+ zoneId: cloudflareZone.id,
+ name: "asuid.cms.rawkode.academy",
+ type: "TXT",
+ value: linuxWebApp.customDomainVerificationId,
+ ttl: 300,
+ proxied: false,
+ comment: "Managed by Terraform",
+ },
+ );
+
+ const dnsRecord = new Record(this, "cloudflare-record", {
+ zoneId: cloudflareZone.id,
+ name: "cms",
+ type: "CNAME",
+ value: linuxWebApp.defaultHostname,
+ ttl: 300,
+ proxied: false,
+ comment: "Managed by Terraform",
+ });
+
+ const hostnameBinding = new AppServiceCustomHostnameBinding(
+ this,
+ "app-service-custom-hostname-binding",
+ {
+ hostname: dnsRecord.hostname,
+ appServiceName: linuxWebApp.name,
+ resourceGroupName: resourceGroup.name,
+ timeouts: {
+ create: "10m",
+ },
+ dependsOn: [domainVerification],
+ },
+ );
+
+ const appServiceCertificate = new AppServiceManagedCertificate(
+ this,
+ "app-service-managed-certificate",
+ {
+ customHostnameBindingId: hostnameBinding.id,
+ },
+ );
+
+ new AppServiceCertificateBinding(this, "app-service-certificate-binding", {
+ hostnameBindingId: hostnameBinding.id,
+ sslState: "SniEnabled",
+ certificateId: appServiceCertificate.id,
+ });
+
+ new KeyVaultAccessPolicyA(this, "key-vault-access-policy", {
+ keyVaultId: keyVault.id,
+ tenantId: azureClientConfig.tenantId,
+ objectId: linuxWebApp.identity.principalId,
+ secretPermissions: ["Get"],
+ });
+ }
+}
+
+const app = new App();
+
+const stack = new MyStack(app, "deploy");
+
+new HttpBackend(stack, {
+ address: terraformBackendUrl,
+ username: "rawkodeacademy",
+ lockMethod: "PUT",
+ lockAddress: `${terraformBackendUrl}/lock`,
+ unlockMethod: "DELETE",
+ unlockAddress: `${terraformBackendUrl}/lock`,
+});
+
+app.synth();