Add iac/dev/ for single-EC2 dev environment #71
Provisions an isolated dev environment on AWS: VPC 10.100.0.0/16 with a public subnet, t3.large Ubuntu 22.04 instance running the full docker-compose stack via setup.sh, security group scoped to an allowed_ips variable (no 0.0.0.0/0 exposure), and an IAM role for SSM Session Manager access (no SSH key required). State is stored in the existing openems-deployment-tf-state-file S3 bucket under a separate key (iac/dev/terraform.tfstate) so it does not collide with the production ECS deployment in iac/. User-data clones the local-deployment branch and runs setup.sh --edges 2 on first boot. Bootstrap takes ~10 min on a fresh instance.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Alejandro Malbet <amalbet@gmail.com>
I should note right off the bat that this commit is applied to the
more comments to follow
Signed-off-by: Aidan Barnes <66229298+aidan-barnes-axm@users.noreply.github.com>
Thanks for testing this Aidan — really helpful to have the init/plan/apply results. Two things we need from you to update the code before next apply attempt:
Once we have those, we'll push fixes and the apply/destroy errors should clear up (the tag mismatch is likely what's blocking both).
I have sent you the state bucket and DynamoDB lock table names on Zulip already; wasn't sure if it's a good idea to publish backend configuration metadata on a public GitHub repo.
c492c39: I didn't attach it to this PR but I did update provider.tf to tag. ✔ Can verify that terraform apply and destroy complete without errors now and have updated the test plan checklist accordingly; it was just a few missing permissions in the SCP that I have documented in PR #72 via commits.
Thanks, I missed it. Got it now.
- backend.tf: point to Aidan's state bucket (docker-openems-feature-dev-iac) and lock table (docker-openems-feature-dev-iac-state-lock) in the dev account
- provider.tf: change Environment tag from "dev" to "aidev" to match the IAM policies Aidan configured for the dev account
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Alejandro Malbet <amalbet@gmail.com>
S3 bucket and DynamoDB table names are now provided at init time via backend.tfvars (gitignored), not hardcoded in backend.tf. This keeps infrastructure metadata out of the public repo.
Usage: terraform init -backend-config=backend.tfvars
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Alejandro Malbet <amalbet@gmail.com>
Captures the explicit PR #71 scope decision (UI/Odoo/B2B/WS over plain HTTP, IP-allowlisted) so it's not silently normalized, and opens the team discussion for HTTPS options (self-signed, Caddy+LE, ALB+ACM) before the dev env becomes persistent.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Alejandro Malbet <amalbet@gmail.com>
Summary

Adds `iac/dev/` — an isolated Terraform module for a single-EC2 dev environment running the full docker-compose stack via `setup.sh`. Intended as a low-risk starting point for AWS provisioning, separate from the existing ECS-based `iac/` module.

What it provisions
- VPC `10.100.0.0/16` with a public subnet in a single AZ (isolated from the existing `iac/`, which uses `10.0.0.0/16`)
- EC2 instance `t3.large` Ubuntu 22.04; user-data bootstraps Docker + clones `local-deployment` + runs `setup.sh --edges 2`
- Security group scoped to the `allowed_ips` variable — no `0.0.0.0/0` exposure on any port
- Ports exposed to `allowed_ips` only: 4200 (UI), 8082 (B2B), 10016 (Odoo), 8086 (InfluxDB).
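The `allowed_ips` scoping above is only as safe as the values that reach the security group, so here is an added HCL example (not the PR's own `iac/dev/` code) that rejects malformed CIDRs and the `0.0.0.0/0` wildcard at plan time and opens only the four listed ports to those CIDRs. The resource names `aws_vpc.dev` and `aws_security_group.dev` are assumed.

```hcl
# Added example, not part of the PR. Guards the allowed_ips variable so a
# wildcard or garbage entry fails `terraform plan` instead of reaching AWS.
variable "allowed_ips" {
  description = "IPv4 CIDR blocks permitted to reach the dev instance"
  type        = list(string)

  validation {
    # cidrnetmask() errors on anything that is not a valid IPv4 CIDR
    condition     = alltrue([for c in var.allowed_ips : can(cidrnetmask(c))])
    error_message = "Every allowed_ips entry must be a valid IPv4 CIDR, e.g. 203.0.113.10/32."
  }

  validation {
    condition     = !contains(var.allowed_ips, "0.0.0.0/0")
    error_message = "allowed_ips must not contain 0.0.0.0/0; the dev stack is plain HTTP and stays IP-allowlisted."
  }
}

locals {
  # The four services the PR exposes, keyed for readable rule descriptions
  dev_ports = { ui = 4200, b2b = 8082, odoo = 10016, influxdb = 8086 }
}

resource "aws_security_group" "dev" {
  name   = "openems-dev"
  vpc_id = aws_vpc.dev.id # assumed VPC resource name

  # One ingress rule per service, all restricted to allowed_ips
  dynamic "ingress" {
    for_each = local.dev_ports
    content {
      description = "OpenEMS ${ingress.key}"
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = var.allowed_ips
    }
  }

  # No port 22 rule: shell access goes through SSM Session Manager via the
  # instance role. Outbound stays open so the bootstrap can clone and pull images.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Because the checks live on the variable, a bad value in `terraform.tfvars` is caught before the SG diff is even computed.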
Design decisions
- … `NET_ADMIN`) and has no local persistent storage for InfluxDB. Single EC2 with docker-compose matches the architecture doc's Phase 1 recommendation and reuses the proven `setup.sh` we've been testing locally.
- Existing state bucket `openems-deployment-tf-state-file` with key `iac/dev/terraform.tfstate` — no new S3/DynamoDB resources.
- Changing `allowed_ips`: edit `terraform.tfvars` + `terraform apply` (~10s, no instance disruption).
- `lifecycle.ignore_changes`: prevents accidental instance replacement when the bootstrap script is edited. Re-bootstrapping requires explicit destroy + recreate.

What's NOT in this PR
Builds on the architecture doc in #70.
Test plan
- `terraform init` succeeds against the existing state bucket
- `terraform plan` shows a clean create for VPC + subnet + IGW + RT + SG + IAM + EC2
- `terraform apply` completes without errors
- `http://<public-ip>:4200` serves the OpenEMS UI
- `http://<public-ip>:8082/jsonrpc` with Basic auth returns a valid response
- `aws ssm start-session --target <instance-id>` opens a shell
- Changing `allowed_ips` and re-applying only modifies the SG
- `terraform destroy` cleans up all resources

🤖 Generated with Claude Code