
Docker cloud#3

Open
berkeli wants to merge 56 commits into main from docker-cloud

Conversation


@berkeli berkeli commented Oct 4, 2022

Implementation for Docker Cloud Project

What this PR includes:

  • Simple go application
  • Multi-stage dockerfile
  • AWS Deployment via Github Actions

Extras:

  • Terraform infrastructure code
  • GH action to apply terraform

@berkeli berkeli linked an issue Oct 24, 2022 that may be closed by this pull request
@sre-is-laura

Couple of high level comments before I take a deeper look.

  1. Big PRs like this one are harder to review; I know this isn't a typical work situation but in general, it's nicer to break work up a little more finely for review
  2. When modifying or adding Terraform, it's nice to include the output of terraform plan for the reviewers. It proves the TF parses, and gives TF's idea of what it's going to do.
  3. A quick writeup of what you're doing is good in the PR description; in this case I guess it's something like 'Solution to https://github.com/CodeYourFuture/immersive-go-course/tree/main/docker-cloud', but it could be useful to know which sections are intended to be complete.


@sre-is-laura sre-is-laura left a comment


few nits but looks generally right to me

@berkeli berkeli mentioned this pull request Nov 10, 2022

berkeli commented Nov 11, 2022

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # aws_ecrpublic_repository.docker_cloud will be updated in-place
  ~ resource "aws_ecrpublic_repository" "docker_cloud" {
        id              = "immersive-go-course/docker-cloud-berkeli"
      ~ tags            = {
          - "Projet" = "docker-cloud" -> null
        }
      ~ tags_all        = {
          + "Project"     = "docker-cloud"
          - "Projet"      = "docker-cloud" -> null
            # (2 unchanged elements hidden)
        }
        # (5 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # aws_ecs_cluster.docker_cloud will be created
  + resource "aws_ecs_cluster" "docker_cloud" {
      + arn                = (known after apply)
      + capacity_providers = (known after apply)
      + id                 = (known after apply)
      + name               = "docker-cloud"
      + tags_all           = {
          + "Environment" = "dev"
          + "Project"     = "docker-cloud"
          + "terraform"   = "true"
        }

      + default_capacity_provider_strategy {
          + base              = (known after apply)
          + capacity_provider = (known after apply)
          + weight            = (known after apply)
        }

      + setting {
          + name  = (known after apply)
          + value = (known after apply)
        }
    }

  # aws_ecs_service.docker_cloud will be created
  + resource "aws_ecs_service" "docker_cloud" {
      + cluster                            = (known after apply)
      + deployment_maximum_percent         = 200
      + deployment_minimum_healthy_percent = 100
      + desired_count                      = 1
      + enable_ecs_managed_tags            = false
      + enable_execute_command             = false
      + iam_role                           = (known after apply)
      + id                                 = (known after apply)
      + launch_type                        = "FARGATE"
      + name                               = "docker-cloud"
      + platform_version                   = (known after apply)
      + scheduling_strategy                = "REPLICA"
      + tags_all                           = {
          + "Environment" = "dev"
          + "Project"     = "docker-cloud"
          + "terraform"   = "true"
        }
      + task_definition                    = (known after apply)
      + wait_for_steady_state              = false

      + load_balancer {
          + container_name   = "docker-cloud"
          + container_port   = 80
          + target_group_arn = (known after apply)
        }

      + network_configuration {
          + assign_public_ip = true
          + security_groups  = (known after apply)
          + subnets          = [
              + "subnet-03b0676c6e0e233f6",
              + "subnet-06b26d73ebecfe272",
              + "subnet-0cd944bd2af61529c",
              + "subnet-0e602aa6f2c34c992",
              + "subnet-0ecd31c2e28e6372a",
              + "subnet-0fc25b20ad2205909",
            ]
        }
    }

  # aws_ecs_task_definition.docker_cloud will be created
  + resource "aws_ecs_task_definition" "docker_cloud" {
      + arn                      = (known after apply)
      + container_definitions    = jsonencode(
            [
              + {
                  + essential    = true
                  + image        = "public.ecr.aws/b8c6e9l3/immersive-go-course/docker-cloud-berkeli:latest"
                  + name         = "docker-cloud"
                  + portMappings = [
                      + {
                          + containerPort = 80
                          + hostPort      = 80
                          + protocol      = "tcp"
                        },
                    ]
                },
            ]
        )
      + cpu                      = "256"
      + family                   = "docker-cloud"
      + id                       = (known after apply)
      + memory                   = "512"
      + network_mode             = "awsvpc"
      + requires_compatibilities = [
          + "FARGATE",
        ]
      + revision                 = (known after apply)
      + skip_destroy             = false
      + tags_all                 = {
          + "Environment" = "dev"
          + "Project"     = "docker-cloud"
          + "terraform"   = "true"
        }
    }

  # aws_iam_policy.AllowPush will be created
  + resource "aws_iam_policy" "AllowPush" {
      + arn         = (known after apply)
      + description = "To push images to ecr public"
      + id          = (known after apply)
      + name        = "AllowPush-berkeli"
      + path        = "/"
      + policy      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "ecr-public:InitiateLayerUpload",
                          + "ecr-public:UploadLayerPart",
                          + "ecr-public:PutImage",
                          + "ecr-public:CompleteLayerUpload",
                          + "ecr-public:BatchCheckLayerAvailability",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id   = (known after apply)
      + tags_all    = {
          + "Environment" = "dev"
          + "Project"     = "docker-cloud"
          + "terraform"   = "true"
        }
    }

  # aws_iam_policy.GetAuthorizationToken will be created
  + resource "aws_iam_policy" "GetAuthorizationToken" {
      + arn         = (known after apply)
      + description = "To get authorization token for github"
      + id          = (known after apply)
      + name        = "GetAuthorizationToken-berkeli"
      + path        = "/"
      + policy      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "ecr-public:GetAuthorizationToken",
                          + "sts:GetServiceBearerToken",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id   = (known after apply)
      + tags_all    = {
          + "Environment" = "dev"
          + "Project"     = "docker-cloud"
          + "terraform"   = "true"
        }
    }

  # aws_iam_role.GitHubActionECRPublicPushImage will be created
  + resource "aws_iam_role" "GitHubActionECRPublicPushImage" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = [
                          + "sts:AssumeRoleWithWebIdentity",
                        ]
                      + Condition = {
                          + StringEquals = {
                              + "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
                            }
                          + StringLike   = {
                              + "token.actions.githubusercontent.com:sub" = "repo:berkeli/immersive-go:*"
                            }
                        }
                      + Effect    = "Allow"
                      + Principal = {
                          + Federated = "arn:aws:iam::297880250375:oidc-provider/token.actions.githubusercontent.com"
                        }
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "GitHubActionECRPublicPushImage-berkeli"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = {
          + "Environment" = "dev"
          + "Project"     = "docker-cloud"
          + "terraform"   = "true"
        }
      + unique_id             = (known after apply)

      + inline_policy {
          + name   = (known after apply)
          + policy = (known after apply)
        }
    }

  # aws_iam_role_policy_attachment.AllowPush will be created
  + resource "aws_iam_role_policy_attachment" "AllowPush" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "GitHubActionECRPublicPushImage-berkeli"
    }

  # aws_iam_role_policy_attachment.GetAuthorizationToken will be created
  + resource "aws_iam_role_policy_attachment" "GetAuthorizationToken" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "GitHubActionECRPublicPushImage-berkeli"
    }

  # aws_lb.docker_cloud will be created
  + resource "aws_lb" "docker_cloud" {
      + arn                        = (known after apply)
      + arn_suffix                 = (known after apply)
      + desync_mitigation_mode     = "defensive"
      + dns_name                   = (known after apply)
      + drop_invalid_header_fields = false
      + enable_deletion_protection = false
      + enable_http2               = true
      + enable_waf_fail_open       = false
      + id                         = (known after apply)
      + idle_timeout               = 60
      + internal                   = false
      + ip_address_type            = (known after apply)
      + load_balancer_type         = "application"
      + name                       = "docker-cloud-load-balancer"
      + preserve_host_header       = false
      + security_groups            = (known after apply)
      + subnets                    = [
          + "subnet-03b0676c6e0e233f6",
          + "subnet-06b26d73ebecfe272",
          + "subnet-0cd944bd2af61529c",
          + "subnet-0e602aa6f2c34c992",
          + "subnet-0ecd31c2e28e6372a",
          + "subnet-0fc25b20ad2205909",
        ]
      + tags_all                   = {
          + "Environment" = "dev"
          + "Project"     = "docker-cloud"
          + "terraform"   = "true"
        }
      + vpc_id                     = (known after apply)
      + zone_id                    = (known after apply)

      + subnet_mapping {
          + allocation_id        = (known after apply)
          + ipv6_address         = (known after apply)
          + outpost_id           = (known after apply)
          + private_ipv4_address = (known after apply)
          + subnet_id            = (known after apply)
        }
    }

  # aws_lb_listener.docker_cloud will be created
  + resource "aws_lb_listener" "docker_cloud" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + load_balancer_arn = (known after apply)
      + port              = 80
      + protocol          = "HTTP"
      + ssl_policy        = (known after apply)
      + tags_all          = {
          + "Environment" = "dev"
          + "Project"     = "docker-cloud"
          + "terraform"   = "true"
        }

      + default_action {
          + order            = (known after apply)
          + target_group_arn = (known after apply)
          + type             = "forward"
        }
    }

  # aws_lb_target_group.docker_cloud will be created
  + resource "aws_lb_target_group" "docker_cloud" {
      + arn                                = (known after apply)
      + arn_suffix                         = (known after apply)
      + connection_termination             = false
      + deregistration_delay               = "300"
      + id                                 = (known after apply)
      + ip_address_type                    = (known after apply)
      + lambda_multi_value_headers_enabled = false
      + load_balancing_algorithm_type      = (known after apply)
      + name                               = "docker-cloud-target-group"
      + port                               = 80
      + preserve_client_ip                 = (known after apply)
      + protocol                           = "HTTP"
      + protocol_version                   = (known after apply)
      + proxy_protocol_v2                  = false
      + slow_start                         = 0
      + tags_all                           = {
          + "Environment" = "dev"
          + "Project"     = "docker-cloud"
          + "terraform"   = "true"
        }
      + target_type                        = "ip"
      + vpc_id                             = "vpc-00f1563e89e95a994"

      + health_check {
          + enabled             = (known after apply)
          + healthy_threshold   = (known after apply)
          + interval            = (known after apply)
          + matcher             = (known after apply)
          + path                = (known after apply)
          + port                = (known after apply)
          + protocol            = (known after apply)
          + timeout             = (known after apply)
          + unhealthy_threshold = (known after apply)
        }

      + stickiness {
          + cookie_duration = (known after apply)
          + cookie_name     = (known after apply)
          + enabled         = (known after apply)
          + type            = (known after apply)
        }

      + target_failover {
          + on_deregistration = (known after apply)
          + on_unhealthy      = (known after apply)
        }
    }

  # aws_security_group.lb will be created
  + resource "aws_security_group" "lb" {
      + arn                    = (known after apply)
      + description            = "Managed by Terraform"
      + egress                 = [
          + {
              + cidr_blocks      = [
                  + "0.0.0.0/0",
                ]
              + description      = ""
              + from_port        = 0
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "-1"
              + security_groups  = []
              + self             = false
              + to_port          = 0
            },
        ]
      + id                     = (known after apply)
      + ingress                = [
          + {
              + cidr_blocks      = [
                  + "0.0.0.0/0",
                ]
              + description      = ""
              + from_port        = 80
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = []
              + self             = false
              + to_port          = 80
            },
        ]
      + name                   = "docker-cloud"
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags_all               = {
          + "Environment" = "dev"
          + "Project"     = "docker-cloud"
          + "terraform"   = "true"
        }
      + vpc_id                 = "vpc-00f1563e89e95a994"
    }

Plan: 12 to add, 1 to change, 0 to destroy.
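Reviewer point 2 above asks for the plan output so reviewers can see what Terraform intends to do. As an added example, not code from this PR, here is a small Python check over `terraform show -json plan.out` output that raises the points a security reviewer would take from the plan posted above: the IAM policy allowing on Resource "*", the GitHub OIDC trust whose sub claim ends in ":*", and the HTTP-only listener. The sample plan JSON is constructed to mirror those three resources.

```python
import json

GH_OIDC = "token.actions.githubusercontent.com"

# Constructed sample of `terraform show -json plan.out` output, trimmed to three
# of the resources from the plan above; real plans carry many more fields.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_iam_policy.AllowPush", "type": "aws_iam_policy", "change": {
        "actions": ["create"], "after": {"policy": json.dumps({"Statement": [
            {"Effect": "Allow", "Action": ["ecr-public:PutImage"], "Resource": "*"}]})}}},
    {"address": "aws_iam_role.GitHubActionECRPublicPushImage", "type": "aws_iam_role",
     "change": {"actions": ["create"], "after": {"assume_role_policy": json.dumps({"Statement": [
         {"Effect": "Allow", "Action": ["sts:AssumeRoleWithWebIdentity"], "Condition": {
             "StringEquals": {f"{GH_OIDC}:aud": "sts.amazonaws.com"},
             "StringLike": {f"{GH_OIDC}:sub": "repo:berkeli/immersive-go:*"}}}]})}}},
    {"address": "aws_lb_listener.docker_cloud", "type": "aws_lb_listener", "change": {
        "actions": ["create"], "after": {"port": 80, "protocol": "HTTP"}}},
]})

def _statements(policy_json):
    """IAM allows Statement to be one object or a list; always return a list."""
    stmts = json.loads(policy_json).get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]

def review_plan(plan_json):
    """Return (address, finding) pairs for resources the plan will create or update."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = rc["change"].get("after") or {}  # null when the action is delete
        addr, rtype = rc["address"], rc["type"]
        if rtype == "aws_iam_policy" and after:
            for s in _statements(after["policy"]):
                res = s.get("Resource", [])
                if s.get("Effect") == "Allow" and "*" in (res if isinstance(res, list) else [res]):
                    findings.append((addr, "Allow statement on Resource '*'; scope it to the repository ARN"))
        elif rtype == "aws_iam_role" and after:
            for s in _statements(after["assume_role_policy"]):
                cond = s.get("Condition", {})
                if f"{GH_OIDC}:aud" not in cond.get("StringEquals", {}):
                    findings.append((addr, "GitHub OIDC trust does not pin the aud claim"))
                sub = cond.get("StringLike", {}).get(f"{GH_OIDC}:sub", "")
                if sub.endswith(":*"):
                    findings.append((addr, f"sub '{sub}' lets any branch, PR or environment of the repo assume the role"))
        elif rtype == "aws_lb_listener" and after.get("protocol") == "HTTP":
            findings.append((addr, f"plaintext HTTP listener on port {after.get('port')}; serve HTTPS and redirect"))
    return findings

if __name__ == "__main__":
    for addr, msg in review_plan(SAMPLE_PLAN):
        print(f"{addr}: {msg}")
```

Pinning the trust's sub to a ref such as `repo:owner/repo:ref:refs/heads/main` (or an environment) limits the role to the workflows that actually publish images.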
