Add pulumi to the project to start deploying infrastructure

We're using Pulumi here to deploy two things

- A Cloudfront distribution
- An OIDC provider

This required a small amount of reconfiguration of the linters to allow for the
slightly different settings that Pulumi requires.

We've added pulumi to the dev container so that it can be run from there.

We're also adding a GitHub Actions workflow to deploy the infrastructure
when the code is pushed to the main branch, using the OIDC provider (which has
been applied manually to bootstrap the process).

Author: iainlane

.devcontainer/Dockerfile.devcontainer

@@ -2,6 +2,8 @@ FROM ghcr.io/iainlane/dotfiles-rust-tools:git-24a7c0cfa3e9b909f954a85dd0b4163f60
 
 FROM public.ecr.aws/aws-cli/aws-cli:2.16.3 AS aws-cli
 
+FROM pulumi/pulumi-base:3.118.0 AS pulumi
+
 FROM mcr.microsoft.com/vscode/devcontainers/typescript-node:1-22-bookworm
 
 RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
@@ -13,6 +15,8 @@ RUN ln -s /usr/local/aws-cli/v2/current/bin/aws /usr/local/bin/aws
 
 COPY --from=rust-tools /usr/local/bin/* /usr/local/bin/
 
+COPY --from=pulumi /pulumi/bin/* /usr/bin/
+
 RUN corepack enable
 
 USER node

.devcontainer/devcontainer.json

@@ -10,7 +10,8 @@
     "source=${localWorkspaceFolderBasename}-node_modules-met.no,target=${containerWorkspaceFolder}/gen/met.no/node_modules,type=volume",
     "source=${localWorkspaceFolderBasename}-node_modules-geojs,target=${containerWorkspaceFolder}/gen/geojs/node_modules,type=volume",
     "source=${localWorkspaceFolderBasename}-yarn_cache,target=/home/node/.cache/yarn,type=volume",
-    "source=${localWorkspaceFolderBasename}-node_cache,target=/home/node/.cache/node,type=volume"
+    "source=${localWorkspaceFolderBasename}-node_cache,target=/home/node/.cache/node,type=volume",
+    "source=${localWorkspaceFolderBasename}-pulumi-config,target=/home/node/.pulumi,type=volume"
   ],
 
   "containerUser": "node",
@@ -20,6 +21,8 @@
     "AWS_SDK_LOAD_CONFIG": "true"
   },
 
+  "runArgs": ["--env-file", ".devcontainer/.env"],
+
   "onCreateCommand": "${containerWorkspaceFolder}/.devcontainer/onCreateCommand.sh",
 
   "customizations": {

.devcontainer/onCreateCommand.sh

@@ -6,6 +6,7 @@ sudo chown node:node /home/node/.cache
 sudo chown node:node /home/node/.cache/node
 sudo chown node:node /home/node/.cache/yarn
 sudo chown node:node node_modules */*/node_modules
+sudo chown node:node /home/node/.pulumi
 
 yarn install --immutable < /dev/null
-yarn serverless dynamodb install
+yarn serverless dynamodb install --stage=local

.github/workflows/oidc.yml

@@ -0,0 +1,59 @@
+on:
+  pull_request:
+
+  push:
+    branches:
+      - main
+
+name: Authenticate with AWS
+
+jobs:
+  oidc:
+    permissions:
+      contents: read
+      id-token: write
+      pull-requests: write
+
+    runs-on: ubuntu-latest
+
+    env:
+      AWS_REGION: eu-west-2
+      STATE_BUCKET: coldoutsi.de-pulumi-state
+
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          audience: coldoutsi.de-dev
+          aws-region: ${{ env.AWS_REGION }}
+          role-to-assume: arn:aws:iam::072248381277:role/oidcRole-715afe8
+
+      - name: Print session info
+        run: aws sts get-caller-identity
+
+      - name: Check out
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+
+      - name: Enable corepack
+        run: |
+          corepack enable
+
+      - name: Set up Node.js
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        with:
+          node-version-file: "package.json"
+          cache: "yarn"
+
+      - name: Install dependencies
+        run: yarn workspace pulumi install --immutable
+
+      - name: Pulumi preview
+        uses: pulumi/actions@18b5a33fc447ab919feb61f2bb41147a1b30ab40 # v5.2.4
+        with:
+          cloud-url:
+            s3://${{ env.STATE_BUCKET }}?region=${{ env.AWS_REGION }}&awssdk=v2
+          stack-name: organization/coldoutsi.de/dev
+          command: preview
+          comment-on-pr: true
+          comment-on-summary: true
+          work-dir: pulumi

.gitignore

@@ -8,6 +8,7 @@ coverage/
 
 # Personal settings
 .vscode/settings.json
+.devcontainer/.env
 
 # Secrets in here
 .env*

CONTRIBUTING.md

@@ -39,9 +39,12 @@ environment which supports [dev containers][devcontainers].
 git clone https://github.com/iainlane/coldoutsi.de.git
 ```
 
-2. Open the project in the IDE
+2. If using AWS SSO and a non-default profile and/or region, create a file
+   `.devcontainer/.env` and set `AWS_PROFILE` and/or `AWS_REGION` accordingly.
 
-3. If using VS Code, click "Reopen in Container" when prompted. This will build
+3. Open the project in the IDE
+
+4. If using VS Code, click "Reopen in Container" when prompted. This will build
    and start the container with all the necessary dependencies installed.
 
 [devcontainers]: https://containers.dev/

eslint.config.mjs

@@ -78,6 +78,12 @@ export default tseslint.config(
       "unicorn/no-typeof-undefined": "error",
     },
   },
+  {
+    files: ["pulumi/**/*.ts"],
+    rules: {
+      "@typescript-eslint/no-unused-vars": "off",
+    },
+  },
   {
     files: ["**/*.test.ts"],
     ...jestPlugin.configs["flat/recommended"],

package.json

@@ -6,7 +6,8 @@
   "workspaces": {
     "packages": [
       "app",
-      "gen/*"
+      "gen/*",
+      "pulumi"
     ]
   },
   "type": "module",

pulumi/.gitignore

@@ -0,0 +1,2 @@
+bin/
+node_modules/

pulumi/Pulumi.dev.yaml

@@ -0,0 +1,6 @@
+secretsprovider: awskms://12e131e6-2150-4361-913b-803c04bd5ed5?region=eu-west-2&awssdk=v2
+encryptedkey: AQICAHhLE3kXzgyhKhfd8kMt7I2EBNdrJw7DPra9AQz3o1duvwFP5X23eeRpxqRKtjmP4VNoAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMDGX3lZXomIJHHVIMAgEQgDuk/UkIZt7A+8db7RGO9aWvexlDZxGmSK6m7Wda/LXX0gblOSKbjyYxW+cheqvz0Jvx8fkHNPep0dZgSA==
+config:
+  gitHubRepo: iainlane/coldoutsi.de
+  targetDomain: dev
+  targetZone: coldoutsi.de