Jamakase/add infra modules (#28)

* Add infra modules

* Add ignore

* Add management env

.github/workflows/frontend.yaml

@@ -42,12 +42,12 @@ jobs:
         id: login-cr
         uses: yc-actions/yc-cr-login@v2
         with:
-          yc-sa-json-credentials: ${{ secrets.YANDEX_AUTH_KEY }}
+          yc-sa-json-credentials: ${{ secrets.YANDEX_SA_KEY }}
       - run: |
           echo "Packaging docker image ..."
           tag="${DOCKER_REGISTRY}/app:${{ github.sha }}"
           docker build -t $tag -t ${DOCKER_REGISTRY}/app:latest .
           docker push ${DOCKER_REGISTRY}/app --all-tags
         env:
           NEXT_PUBLIC_API_URL: https://api.afana-propdoc.ru
-          DOCKER_REGISTRY: cr.yandex/
+          DOCKER_REGISTRY: cr.yandex/crpc50gkvq2bp251sfgb

infra/.gitignore

@@ -0,0 +1,119 @@
+### JetBrains template
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+
+# Generated files
+.idea/**/contentModel.xml
+
+# Sensitive or high-churn files
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+.idea/**/dbnavigator.xml
+
+# Gradle
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Gradle and Maven with auto-import
+# When using Gradle or Maven with auto-import, you should exclude module files,
+# since they will be recreated, and may cause churn.  Uncomment if using
+# auto-import.
+# .idea/artifacts
+# .idea/compiler.xml
+# .idea/jarRepositories.xml
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+# *.iml
+# *.ipr
+
+# CMake
+cmake-build-*/
+
+# Mongo Explorer plugin
+.idea/**/mongoSettings.xml
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# Editor-based Rest Client
+.idea/httpRequests
+
+# Android studio 3.1+ serialized cache file
+.idea/caches/build_file_checksums.ser
+
+### Terraform template
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+#
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+/yc-infra-test.iml
+/.idea/
+*.iml
+
+*-key.json
+
+terraform.tfvars
+
+id_ssh
+id_ssh.pub

infra/management/iam.tf

@@ -0,0 +1,14 @@
+resource "yandex_iam_service_account" "registry_pusher" {
+  name        = "registry-pusher"
+  description = "Service account for pushing to container registry"
+  folder_id   = var.folder_id
+}
+
+resource "yandex_container_registry_iam_binding" "registry_pusher" {
+  registry_id = yandex_container_registry.registry.id
+  role        = "container-registry.images.pusher"
+
+  members = [
+    "serviceAccount:${yandex_iam_service_account.registry_pusher.id}",
+  ]
+}

infra/management/provider.tf

@@ -0,0 +1,16 @@
+terraform {
+  required_providers {
+    yandex = {
+      source  = "yandex-cloud/yandex"
+      version = "~> 0.120.0"
+    }
+  }
+  required_version = ">= 1.7.4"
+
+}
+
+provider "yandex" {
+  cloud_id                 = var.cloud_id
+  folder_id                = var.folder_id
+  zone                     = "ru-central1-a"
+}

infra/management/registry.tf

@@ -0,0 +1,13 @@
+resource "yandex_container_registry" "registry" {
+  name = "registry"
+  folder_id = var.folder_id
+}
+
+resource "yandex_container_registry_iam_binding" "public_read_access" {
+  registry_id = yandex_container_registry.registry.id
+  role        = "container-registry.images.puller"
+
+  members = [
+    "system:allUsers",
+  ]
+}

infra/management/vars.tf

@@ -0,0 +1,7 @@
+variable "cloud_id" {
+  type = string
+}
+
+variable "folder_id" {
+  type = string
+}

infra/modules/app/cloud-config/cloud_config.yaml

@@ -0,0 +1,8 @@
+ssh_pwauth: no
+users:
+  - name: yc-user
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    shell: /bin/bash
+    groups: sudo
+    ssh-authorized-keys:
+      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDu/exbhpCNI5atDTYsS390r5on+nrTBLwDJKQl1Iz6O [email protected]"

infra/modules/app/main.tf

@@ -0,0 +1,102 @@
+locals {
+  ssh = var.ssh_key != null ? var.ssh_key : try(file(var.ssh_key_file))
+}
+
+data "yandex_compute_image" "container-optimized-image" {
+  family = "container-optimized-image"
+}
+
+resource "yandex_iam_service_account" "sa-instance" {
+  name        = "${var.project}-instance"
+  description = "service account to work with instance"
+}
+
+resource "yandex_vpc_security_group" "instance-sg" {
+  name        = "${var.project}-instance-sg"
+  description = "description for my security group"
+  network_id  = var.network_id
+
+  labels = {
+  }
+
+  ingress {
+    protocol       = "ANY"
+    description    = "https"
+    v4_cidr_blocks = ["0.0.0.0/0"]
+    port           = 443
+    }
+
+  ingress {
+    protocol       = "ANY"
+    description    = "https"
+    v4_cidr_blocks = ["0.0.0.0/0"]
+    port           = 80
+    }
+
+  ingress {
+    description       = "Communication inside this SG"
+    from_port         = -1
+    port              = -1
+    predefined_target = "self_security_group"
+    protocol          = "ANY"
+    to_port           = -1
+    v4_cidr_blocks    = []
+    v6_cidr_blocks    = []
+  }
+
+  ingress {
+    protocol       = "TCP"
+    description    = "ssh"
+    v4_cidr_blocks = ["0.0.0.0/0"]
+    port           = 22
+  }
+
+  egress {
+    protocol       = "ANY"
+    description    = "any"
+    v4_cidr_blocks = ["0.0.0.0/0"]
+    from_port      = 0
+    to_port        = 65535
+  }
+}
+
+resource "yandex_compute_instance" "backend" {
+  platform_id = var.platform_id
+
+  boot_disk {
+    initialize_params {
+      name     = "admin"
+      image_id = data.yandex_compute_image.container-optimized-image.id
+    }
+  }
+
+  service_account_id = yandex_iam_service_account.sa-instance.id
+
+  network_interface {
+    subnet_id      = var.subnet_id
+    nat            = true
+    nat_ip_address = var.nat_ip_address
+
+    #     security_group_ids = [yandex_vpc_security_group.group1.id]
+    security_group_ids = [yandex_vpc_security_group.instance-sg.id]
+  }
+
+  resources {
+    cores  = var.cpu
+    memory = var.memory
+    core_fraction = var.core_fraction
+  }
+  metadata = {
+    "ssh-keys" = <<-EOT
+                    yc-user:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEi/t2y3WUENzZ2y8rvDzQu6+/GqQOvDqdaf8xLwCn0K [email protected]
+            EOT
+    docker-compose = var.compose_file
+    user-data = file("${path.module}/cloud-config/cloud_config.yaml")
+  }
+
+  lifecycle {
+    ignore_changes = [boot_disk[0].initialize_params[0].image_id]
+  }
+
+  allow_stopping_for_update = true
+}

infra/modules/app/output.tf

@@ -0,0 +1,7 @@
+output "server_ip" {
+  value = yandex_compute_instance.backend.network_interface.0.nat_ip_address
+}
+
+output "service_account_id" {
+  value = yandex_iam_service_account.sa-instance.id
+}

infra/modules/app/provider.tf

@@ -0,0 +1,7 @@
+terraform {
+  required_providers {
+    yandex = {
+      source  = "yandex-cloud/yandex"
+    }
+  }
+}

infra/modules/app/variables.tf

@@ -0,0 +1,65 @@
+variable "cpu" {
+  description = "Number of CPU cores for the instance"
+  type        = number
+  default     = 2
+}
+
+variable "memory" {
+  description = "Amount of memory (in GB) for the instance"
+  type        = number
+  default     = 2
+}
+
+variable "core_fraction" {
+  description = "Core fraction for the instance"
+  type        = number
+  default     = 100
+}
+
+variable "platform_id" {
+  description = "Platform ID"
+  type        = string
+  default     = "standard-v3"
+}
+
+variable "ssh_key" {
+  description = "SSH key for the instance"
+  type        = string
+  default     = null
+}
+
+variable "ssh_key_file" {
+  description = "Path to the SSH key file"
+  type        = string
+  default     = null
+}
+
+variable "project" {
+  description = "Project name"
+  type        = string
+}
+
+variable "folder_id" {
+  description = "Folder ID"
+  type        = string
+}
+
+variable "compose_file" {
+  description = "Compose file"
+  type        = string
+}
+
+variable "network_id" {
+  description = "Network ID"
+  type        = string
+}
+
+variable "subnet_id" {
+  description = "Subnet ID"
+  type        = string
+}
+
+variable "nat_ip_address" {
+  description = "NAT IP address"
+  type        = string
+}