Migrate OWASP Nest to Zappa for serverless deployment

.gitignore

@@ -17,15 +17,23 @@ __pycache__
 .python_history
 .python-version
 .ruff_cache
+**/.terraform/
+*.tfstate
+*.tfstate.*
 .venv/
 .vscode
 *.code-workspace
 *.key
 *.log
 *.pdf
 *.pem
+backend/*nest-backend-dev*.zip
+backend/*nest-backend-dev*.tar.gz
+backend/*nest-backend-staging*.zip
+backend/*nest-backend-staging*.tar.gz
 backend/data/backup*
 backend/staticfiles
+backend/zappa_settings.json
 frontend/blob-report/
 frontend/coverage
 frontend/dist
@@ -36,6 +44,7 @@ frontend/pnpm-debug.log*
 frontend/test-results/
 frontend/yarn-debug.log*
 frontend/yarn-error.log*
+infrastructure/terraform.tfvars
 logs
 node_modules/
 TODO

.pre-commit-config.yaml

@@ -9,6 +9,14 @@ repos:
           - --strict
         exclude: (.github|pnpm-lock.yaml)
 
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.92.0
+    hooks:
+      - id: terraform_fmt
+        files: ^infrastructure/.*\.tf$
+      - id: terraform_tflint
+        files: ^infrastructure/.*\.tf$
+
   - repo: https://github.com/astral-sh/ruff-pre-commit
     rev: v0.14.0
     hooks:

backend/pyproject.toml

@@ -48,6 +48,7 @@ strawberry-graphql = { extras = [ "django" ], version = "^0.283.2" }
 strawberry-graphql-django = "^0.66.0"
 thefuzz = "^0.22.1"
 pyparsing = "^3.2.3"
+zappa = "^0.60.2"
 
 [tool.poetry.group.dev.dependencies]
 djlint = "^1.36.4"

backend/zappa_settings.example.json

@@ -0,0 +1,39 @@
+{
+  "staging": {
+    "app_function": "wsgi.application",
+    "django_settings": "settings.staging",
+    "environment_variables": {
+      "DJANGO_ALGOLIA_APPLICATION_ID": "${DJANGO_ALGOLIA_APPLICATION_ID}",
+      "DJANGO_ALGOLIA_WRITE_API_KEY": "${DJANGO_ALGOLIA_WRITE_API_KEY}",
+      "DJANGO_ALLOWED_HOSTS": "${DJANGO_ALLOWED_HOSTS}",
+      "DJANGO_AWS_ACCESS_KEY_ID": "${DJANGO_AWS_ACCESS_KEY_ID}",
+      "DJANGO_AWS_SECRET_ACCESS_KEY": "${DJANGO_AWS_SECRET_ACCESS_KEY}",
+      "DJANGO_CONFIGURATION": "Staging",
+      "DJANGO_DB_HOST": "${DJANGO_DB_HOST}",
+      "DJANGO_DB_NAME": "${DJANGO_DB_NAME}",
+      "DJANGO_DB_USER": "${DJANGO_DB_USER}",
+      "DJANGO_DB_PORT": "${DJANGO_DB_PORT}",
+      "DJANGO_DB_PASSWORD": "${DJANGO_DB_PASSWORD}",
+      "DJANGO_OPEN_AI_SECRET_KEY": "${DJANGO_OPEN_AI_SECRET_KEY}",
+      "DJANGO_REDIS_HOST": "${DJANGO_REDIS_HOST}",
+      "DJANGO_REDIS_PASSWORD": "${DJANGO_REDIS_PASSWORD}",
+      "DJANGO_SECRET_KEY": "${DJANGO_SECRET_KEY}",
+      "DJANGO_SENTRY_DSN": "${DJANGO_SENTRY_DSN}",
+      "DJANGO_SLACK_BOT_TOKEN": "${DJANGO_SLACK_BOT_TOKEN}",
+      "DJANGO_SLACK_SIGNING_SECRET": "${DJANGO_SLACK_SIGNING_SECRET}"
+    },
+    "manage_roles": true,
+    "project_name": "nest-backend",
+    "runtime": "python3.13",
+    "s3_bucket": "${ZAPPA_S3_BUCKET}",
+    "slim_handler": true,
+    "vpc_config": {
+      "SecurityGroupIds": ["${AWS_VPC_SECURITY_GROUP}"],
+      "SubnetIds": [
+        "${AWS_VPC_SUBNET_A}",
+        "${AWS_VPC_SUBNET_B}",
+        "${AWS_VPC_SUBNET_C}"
+      ]
+    }
+  }
+}

infrastructure/README.md

@@ -0,0 +1,105 @@
+# Infrastructure
+
+This document provides instructions on how to manage the infrastructure for this project using Terraform and Zappa.
+
+## Terraform
+
+### Prerequisites
+
+- Terraform
+- An AWS account with credentials configured locally.
+
+### Usage
+
+1.  **Initialize Terraform:**
+
+    ```bash
+    terraform init
+    ```
+
+2.  **Plan the changes:**
+
+    ```bash
+    terraform plan
+    ```
+
+3.  **Apply the changes:**
+
+    ```bash
+    terraform apply
+    ```
+
+### Variables
+
+You can override the default values by creating a `terraform.tfvars` file in the `infrastructure/` directory.
+
+# TODO: Provide an example terraform.tfvars with important vars
+
+
+### Outputs
+
+Get the output values using the `terraform output` command. These outputs will be used for Zappa configuration.
+
+
+```bash
+terraform output
+```
+
+```bash
+terraform output -raw db_password redis_auth_token
+```
+
+## Zappa Deployment
+
+The Django backend deployment is managed by Zappa, this also includes the API Gateway, IAM roles, and Lambda Function provision.
+
+### Install poetry dependencies
+
+1.  **Install dependencies using Poetry:**
+
+    ```bash
+    poetry install
+    ```
+
+2.  **Activate the virtual environment:**
+
+    ```bash
+    eval $(poetry env activate)
+    ```
+
+3.  **Create a `zappa_settings.json` file:**
+
+    ```bash
+    cp zappa_settings.example.json zappa_settings.json
+    ```
+
+Replace all variables in the copied `zappa_settings.json` with appropriate secrets.
+# TODO: explain this step
+
+4.  **Deploy staging:**
+
+    ```bash
+    zappa deploy staging
+    ```
+
+Once deployed, Zappa will provide you with a URL. You can use this URL to test the API.
+
+### Updating
+After making necessary changes, you may run the following command to update the deployment.
+```bash
+zappa update staging
+```
+
+### Cleaning Up
+
+To delete the deployment, you can use the following command:
+
+```bash
+zappa undeploy local
+```
+
+Then run this command to destroy the terraform infrastructure:
+
+```bash
+terraform destroy
+```

infrastructure/main.tf

@@ -0,0 +1,117 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.0"
+    }
+  }
+}
+
+locals {
+  common_tags = {
+    Environment = var.environment
+    ManagedBy   = "Terraform"
+    Project     = var.project_name
+  }
+  django_environment_variables = {
+    DJANGO_ALGOLIA_APPLICATION_ID = var.django_algolia_application_id
+    DJANGO_ALGOLIA_WRITE_API_KEY  = var.django_algolia_write_api_key
+    DJANGO_ALLOWED_HOSTS          = var.django_allowed_hosts
+    DJANGO_AWS_ACCESS_KEY_ID      = var.django_aws_access_key_id
+    DJANGO_AWS_SECRET_ACCESS_KEY  = var.django_aws_secret_access_key
+    DJANGO_CONFIGURATION          = var.django_configuration
+    DJANGO_DB_HOST                = var.django_db_host
+    DJANGO_DB_NAME                = var.django_db_name
+    DJANGO_DB_USER                = var.django_db_user
+    DJANGO_DB_PORT                = var.django_db_port
+    DJANGO_DB_PASSWORD            = var.django_db_password
+    DJANGO_OPEN_AI_SECRET_KEY     = var.django_open_ai_secret_key
+    DJANGO_REDIS_HOST             = var.django_redis_host
+    DJANGO_REDIS_PASSWORD         = var.django_redis_password
+    DJANGO_SECRET_KEY             = var.django_secret_key
+    DJANGO_SENTRY_DSN             = var.django_sentry_dsn
+    DJANGO_SLACK_BOT_TOKEN        = var.django_slack_bot_token
+    DJANGO_SLACK_SIGNING_SECRET   = var.django_slack_signing_secret
+  }
+}
+
+module "networking" {
+  source = "./modules/networking"
+
+  vpc_cidr             = var.vpc_cidr
+  public_subnet_cidrs  = var.public_subnet_cidrs
+  private_subnet_cidrs = var.private_subnet_cidrs
+  availability_zones   = var.availability_zones
+  project_name         = var.project_name
+  environment          = var.environment
+}
+
+module "security" {
+  source = "./modules/security"
+
+  vpc_id       = module.networking.vpc_id
+  db_port      = var.db_port
+  redis_port   = var.redis_port
+  project_name = var.project_name
+  environment  = var.environment
+}
+
+module "storage" {
+  source = "./modules/storage"
+
+  zappa_s3_bucket = var.zappa_s3_bucket
+  project_name    = var.project_name
+  environment     = var.environment
+}
+
+module "database" {
+  source = "./modules/database"
+
+  common_tags                = local.common_tags
+  db_allocated_storage       = var.db_allocated_storage
+  db_backup_retention_period = var.db_backup_retention_period
+  db_engine_version          = var.db_engine_version
+  db_instance_class          = var.db_instance_class
+  db_name                    = var.db_name
+  db_password                = var.db_password
+  db_storage_type            = var.db_storage_type
+  db_subnet_ids              = module.networking.private_subnet_ids
+  db_username                = var.db_username
+  environment                = var.environment
+  project_name               = var.project_name
+  proxy_security_group_ids   = [module.security.rds_proxy_sg_id]
+  security_group_ids         = [module.security.rds_sg_id]
+}
+
+module "cache" {
+  source = "./modules/cache"
+
+  common_tags           = local.common_tags
+  environment           = var.environment
+  project_name          = var.project_name
+  redis_auth_token      = var.redis_auth_token
+  redis_engine_version  = var.redis_engine_version
+  redis_node_type       = var.redis_node_type
+  redis_num_cache_nodes = var.redis_num_cache_nodes
+  redis_port            = var.redis_port
+  security_group_ids    = [module.security.redis_sg_id]
+  subnet_ids            = module.networking.private_subnet_ids
+}
+
+module "ecs" {
+  source = "./modules/ecs"
+
+  aws_region                   = var.aws_region
+  common_tags                  = local.common_tags
+  django_environment_variables = local.django_environment_variables
+  environment                  = var.environment
+  lambda_sg_id                 = module.security.lambda_sg_id
+  private_subnet_ids           = module.networking.private_subnet_ids
+  project_name                 = var.project_name
+}