Commit fixes, changes for things noticed during video

Author: davidsilva

README.md

@@ -123,7 +123,7 @@ A lot of `ci.yml` is self-explanatory but here are some notes to help clarify so
 
 ![Infrastructure Diagram](images/Interview-Prep-Infrastructure-v2.drawio.png)
 
-The diagram above illustrates the major parts of the application infrastructure:
+The diagram above illustrates the major parts of the application infrastructure. Here are some descriptions and notes:
 
 * **Interview Prep VPC**: "The Virtual Private Cloud (VPC) is a logically isolated network within the AWS cloud where we can launch and manage AWS resources. It provides a secure environment to group and connect related resources and services, such as EC2 instances, RDS databases, and ECS clusters. The VPC allows us to define our own IP address range, create subnets, and configure route tables and network gateways, ensuring that our infrastructure is both secure and scalable." (GitHub Copilot came up with such a great explanation here that I'm just going to use it as-is.)
 * **Availability zones A and B**: `us-east-1a` and `us-east-1b`. These zones, along with their corresponding public and private subnets, enhance the app's resilience. Currently, one task each for the ECS frontend and backend is deployed, but this can be scaled to distribute tasks across both availability zones.
@@ -142,6 +142,13 @@ The diagram above illustrates the major parts of the application infrastructure:
 * **RDS-hosted Postgres database instance**: The application uses an instance of Postgres hosted by the AWS Relational Database Service. It runs in the private subnets.
 * **Migrate Lambda function**: This is a function run by the GitHub workflow. A workflow step packages up the migration files with the Lambda function itself and then invokes the function.
 * **Route 53-hosted domains**: `dev.interviewprep.onyxdevtutorials.com` and `api.dev.interviewprep.onyxdevtutorials.com`. The DNS configuration in Route 53 connects the frontend and backend domains to the load balancer. This is achieved using alias records that point to the load balancer's DNS name and zone ID.
+* **CIDR Blocks**: CIDR (Classless Inter-Domain Routing) blocks are used to define IP address ranges within the VPC.
+  * **VPC CIDR Block**: This is set to `10.0.0.0/16`, allowing for 65,536 possible IP addresses -- which is plenty for this project.
+  * **Subnet CIDR Blocks**: Each subnet gets 256 IP addresses:
+    * **Public Subnet A**: 10.0.1.0/24 provides 256 IP addresses.
+    * **Public Subnet B**: 10.0.2.0/24 provides 256 IP addresses.
+    * **Private Subnet A**: 10.0.3.0/24 provides 256 IP addresses.
+    * **Private Subnet B**: 10.0.4.0/24 provides 256 IP addresses.
 
 ## Costs
 
@@ -261,6 +268,16 @@ Once you're connected to the bastion host, you can directly access the database:
 
 `psql -h <db-endpoint> -U <username> -d <db-name>`
 
+Once connected to the database, you can type `\l` to list all the databases managed by the PostgreSQL server you are connected to.
+
+Type `\dt` to list all the tables in the current database.
+
+Type `\d products` or `\d users` to get information about each of these tables.
+
+## Add New Migration File
+
+Assuming CWD is `backend`, `npx knex migrate:make <migration-file-name> --knexfile ./src/knexFile.ts --migrations-directory ../migrations`.
+
 ## Version History
 
 ### 0.1.0

terraform/environments/development/main.tf

@@ -43,7 +43,6 @@ module "rds" {
   db_username = var.db_username
   db_password = var.db_password
   db_sg_id    = module.security_groups.db_sg_id
-  lambda_sg_id = module.security_groups.lambda_sg_id
   environment = var.environment
 }
 

terraform/environments/development/outputs.tf

@@ -48,6 +48,11 @@ output "ecs_task_execution_role_arn" {
   value       = module.iam.ecs_task_execution_role_arn
 }
 
+output "ecs_task_role_arn" {
+  description = "The ARN of the ECS task role"
+  value       = module.iam.ecs_task_role_arn
+}
+
 output "lambda_exec_role_arn" {
   description = "The ARN of the Lambda execution role"
   value       = module.iam.lambda_exec_role_arn

terraform/modules/ecr/main.tf

@@ -1,8 +1,9 @@
 resource "aws_ecr_repository" "frontend" {
   name = "interview-prep-frontend"
-  image_tag_mutability = "MUTABLE"
+  image_tag_mutability = "MUTABLE" # Allows using a tag like "latest" to refer to the latest version of the image.
+  # Allows you to enable or disable automatic scanning of container images for vulnerabilities when they are pushed to the repository.
   image_scanning_configuration {
-    scan_on_push = true
+    scan_on_push = true # Images are automatically scanned for vulnerabilities when they are pushed to the repository.
   }
 
     tags = {
@@ -14,8 +15,9 @@ resource "aws_ecr_repository" "frontend" {
 resource "aws_ecr_repository" "backend" {
   name = "interview-prep-backend"
   image_tag_mutability = "MUTABLE"
+  # Allows you to enable or disable automatic scanning of container images for vulnerabilities when they are pushed to the repository.
   image_scanning_configuration {
-    scan_on_push = true
+    scan_on_push = true # Images are automatically scanned for vulnerabilities when they are pushed to the repository.
   }
 
     tags = {

terraform/modules/ecs/main.tf

@@ -4,17 +4,23 @@ resource "aws_ecs_cluster" "main" {
 
 resource "aws_ecs_task_definition" "frontend" {
     family                   = "${var.environment}-frontend-ecs-task"
+    // "awsvpc" mode provides each task with its own elastic network interface (ENI)
+    // and a primary private IP address, allowing tasks to have full networking features
     network_mode             = "awsvpc"
+    // Specifies that the task requires Fargate launch type
+    // Fargate is a serverless compute engine for containers that works with ECS
     requires_compatibilities = ["FARGATE"]
     cpu                      = "256"
     memory                   = "512"
     execution_role_arn = var.ecs_task_execution_role
+    # task_role_arn is used for task-level permissions, e.g., AmazonS3ReadOnlyAccess, AmazonSSMReadOnlyAccess. It allows the ECS tasks to interact with other AWS services.
     task_role_arn = var.ecs_task_role_arn
 
     container_definitions = jsonencode([
         {
             name = "frontend"
             image = "${var.frontend_repository_url}:latest"
+            # If this container stops or fails, the entire task is considered to have failed, and ECS will stop all other containers in the task.
             essential = true
             portMappings = [
                 {
@@ -38,6 +44,9 @@ resource "aws_ecs_task_definition" "frontend" {
                 }
             ],
             linuxParameters = {
+                # An init process is run inside the container.
+                # The init process handles reaping zombie processes, which are child processes that have completed execution but still have an entry in the process table.
+                # This can help prevent resource leaks and ensure that the container environment remains clean and efficient.
                 initProcessEnabled = true
             }
         }
@@ -46,17 +55,23 @@ resource "aws_ecs_task_definition" "frontend" {
 
 resource "aws_ecs_task_definition" "backend" {
     family                   = "${var.environment}-backend-ecs-task"
+    // "awsvpc" mode provides each task with its own elastic network interface (ENI)
+    // and a primary private IP address, allowing tasks to have full networking features
     network_mode             = "awsvpc"
+    // Specifies that the task requires Fargate launch type
+    // Fargate is a serverless compute engine for containers that works with ECS
     requires_compatibilities = ["FARGATE"]
     cpu                      = "256"
     memory                   = "512"
     execution_role_arn = var.ecs_task_execution_role
+    # task_role_arn is used for task-level permissions, e.g., AmazonS3ReadOnlyAccess, AmazonSSMReadOnlyAccess. It allows the ECS tasks to interact with other AWS services.
     task_role_arn = var.ecs_task_role_arn
 
     container_definitions = jsonencode([
         {
             name = "backend"
             image = "${var.backend_repository_url}"
+            # If this container stops or fails, the entire task is considered to have failed, and ECS will stop all other containers in the task.
             essential = true
             portMappings = [
                 {
@@ -84,6 +99,9 @@ resource "aws_ecs_task_definition" "backend" {
                 }
             },
             linuxParameters = {
+                # An init process is run inside the container.
+                # The init process handles reaping zombie processes, which are child processes that have completed execution but still have an entry in the process table.
+                # This can help prevent resource leaks and ensure that the container environment remains clean and efficient.
                 initProcessEnabled = true
             }
         }
@@ -109,6 +127,8 @@ resource "aws_ecs_service" "frontend" {
         container_port   = 80
     }
 
+    # You can use the ecs execute-command feature to run commands inside your containers.
+    # This is useful for debugging, troubleshooting, and managing your containers without needing SSH access or exposing additional ports.
     enable_execute_command = true
 }
 
@@ -131,6 +151,8 @@ resource "aws_ecs_service" "backend" {
         container_port   = 3000
     }
 
+    # You can use the ecs execute-command feature to run commands inside your containers.
+    # This is useful for debugging, troubleshooting, and managing your containers without needing SSH access or exposing additional ports.
     enable_execute_command = true
 }
 

terraform/modules/iam/main.tf

@@ -1,3 +1,4 @@
+# Role used by ECS agent to perform actions on your behalf when launching and managing tasks. Common actions: Pulling images from ECR, writing logs to CloudWatch, etc.
 resource "aws_iam_role" "ecs_task_execution_role" {
     name = "${var.environment}-ecs-task-execution-role"
     assume_role_policy = jsonencode({
@@ -18,16 +19,18 @@ resource "aws_iam_role" "ecs_task_execution_role" {
     }
 }
 
+# Policies attached are AmazonEC2ContainerRegistryReadOnly and AmazonECSTaskExecutionRolePolicy
 resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy" {
     role       = aws_iam_role.ecs_task_execution_role.name
     policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
 
-resource "aws_iam_role_policy_attachment" "ecr_pull_policy" {
-    role       = aws_iam_role.ecs_task_execution_role.name
-    policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
-}
+# resource "aws_iam_role_policy_attachment" "ecr_pull_policy" {
+#     role       = aws_iam_role.ecs_task_execution_role.name
+#     policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+# }
 
+# Role is assumed by the ECS tasks themselves. It allows the containers running within the tasks to interact with other AWS services. Common actions: reading from or writing to S3 buckets; accessing secrets from SSM Parameter Store; interacting with DynamoDB tables, etc. Here, because we don't attach any policies, the role does not grant any permissions to perform actions on AWS resources.
 resource "aws_iam_role" "ecs_task_role" {
     name = "${var.environment}-ecs-task-role"
     assume_role_policy = jsonencode({
@@ -48,16 +51,6 @@ resource "aws_iam_role" "ecs_task_role" {
     }
 }
 
-resource "aws_iam_role_policy_attachment" "ecs_task_role_policy" {
-    role       = aws_iam_role.ecs_task_role.name
-    policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
-}
-
-# resource "aws_iam_role_policy_attachment" "ecs_task_role_ssm_policy" {
-#     role       = aws_iam_role.ecs_task_role.name
-#     policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
-# }
-
 resource "aws_iam_role" "lambda_exec" {
     name = "${var.environment}-interview-prep-lambda-exec"
     assume_role_policy = jsonencode({
@@ -116,13 +109,13 @@ resource "aws_iam_policy" "lambda_exec_policy" {
                     "arn:aws:ssm:${var.region}:${var.account_id}:parameter/interview-prep/${var.environment}/*"
                 ]
             },
-            {
-                Effect = "Allow",
-                Action = [
-                    "kms:Decrypt"
-                ],
-                Resource = "arn:aws:kms:${var.region}:${var.account_id}:key/169ce983-7b59-4ff6-9c74-533af48cf478"
-            },
+            # {
+            #     Effect = "Allow",
+            #     Action = [
+            #         "kms:Decrypt"
+            #     ],
+            #     Resource = "arn:aws:kms:${var.region}:${var.account_id}:key/169ce983-7b59-4ff6-9c74-533af48cf478"
+            # },
         ]
     })
 }

terraform/modules/rds/main.tf

@@ -18,8 +18,8 @@ resource "aws_db_instance" "postgres" {
     password             = var.db_password
     vpc_security_group_ids = [var.db_sg_id]
     db_subnet_group_name = aws_db_subnet_group.postgres.name
-    skip_final_snapshot = true
-    apply_immediately = false
+    skip_final_snapshot = true # Because I don't need a backup before deletion.
+    apply_immediately = false # This parameter determines whether modifications to the RDS instance are applied immediately or during the next maintenance window.
     tags = {
         Name        = "${var.environment}-interview-prep-db"
         Environment = var.environment

terraform/modules/rds/variables.tf

@@ -25,11 +25,6 @@ variable "db_sg_id" {
     type = string
 }
 
-variable "lambda_sg_id" {
-    description = "The ID of the security group for the Lambda function"
-    type = string  
-}
-
 variable "environment" {
     description = "The environment for the resources (e.g., development, staging, production)"
     type = string

terraform/modules/security_groups/main.tf

@@ -181,4 +181,14 @@ resource "aws_security_group_rule" "allow_bastion_to_db" {
     protocol = "tcp"
     source_security_group_id = aws_security_group.bastion_sg.id
     security_group_id = aws_security_group.db_sg.id
+}
+
+resource "aws_security_group_rule" "allow_backend_to_db" {
+    type = "ingress"
+    from_port = 5432
+    to_port = 5432
+    protocol = "tcp"
+    source_security_group_id = aws_security_group.backend_sg.id
+    security_group_id = aws_security_group.db_sg.id
+    description = "Allow backend to access the db"
 }

terraform/modules/vpc/main.tf

@@ -1,7 +1,7 @@
 resource "aws_vpc" "interview_prep_vpc" {
     cidr_block = var.vpc_cidr
-    enable_dns_support = true
-    enable_dns_hostnames = true
+    enable_dns_support = true # Allows instances within the VPC to resolve domain names to IP addresses using the Amazon-provided DNS server.
+    enable_dns_hostnames = true # Allows instances to receive DNS hostnames that can be resolved to their private IP addresses.
     tags = {
         Name = "interview-prep-vpc"
         Environment = var.environment
@@ -17,14 +17,15 @@ resource "aws_internet_gateway" "igw" {
 }
 
 resource "aws_nat_gateway" "nat_gw" {
-    allocation_id = aws_eip.nat_eip.id
+    allocation_id = aws_eip.nat_eip.id # An identifier for an Elastic IP (EIP) that has been allocated in your AWS account. Used to associate the Elastic IP with a NAT Gateway, ensuring that the NAT Gateway has a static public IP address.
     subnet_id = var.public_subnet_a_id
     tags = {
         Name = "interview-prep-nat-gw"
         Environment = var.environment
     }
 }
 
+# Allocate an Elastic IP address for the NAT Gateway.
 resource "aws_eip" "nat_eip" {
     tags = {
         Name = "interview-prep-nat-eip"
@@ -35,7 +36,7 @@ resource "aws_eip" "nat_eip" {
 resource "aws_route_table" "public" {
     vpc_id = aws_vpc.interview_prep_vpc.id
     route {
-        cidr_block = "0.0.0.0/0"
+        cidr_block = "0.0.0.0/0" # Direct all outbound traffic to the internet gateway.
         gateway_id = aws_internet_gateway.igw.id
     }
     tags = {
@@ -57,7 +58,7 @@ resource "aws_route_table_association" "public_b" {
 resource "aws_route_table" "private" {
     vpc_id = aws_vpc.interview_prep_vpc.id
     route {
-        cidr_block = "0.0.0.0/0"
+        cidr_block = "0.0.0.0/0" # Direct all outbound traffic to the NAT Gateway.
         nat_gateway_id = aws_nat_gateway.nat_gw.id
     }
     tags = {