More changes made during the video

Author: davidsilva

.github/workflows/ci.yml

@@ -160,8 +160,8 @@ jobs:
             outputfile.txt
         env:
           NODE_ENV: development
-          DATABASE_URL: postgres://${{ secrets.DB_USERNAME }}:${{ secrets.DB_PASSWORD }}@${{ secrets.DB_HOST }}:${{ secrets.DB_PORT }}/${{ secrets.DB_NAME }}
 
+      # sets up Docker Buildx to enable advanced build features in the workflow.
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
 

terraform/modules/api_gateway/main.tf

@@ -6,22 +6,24 @@ resource "aws_api_gateway_rest_api" "api" {
 resource "aws_api_gateway_resource" "proxy" {
     rest_api_id = aws_api_gateway_rest_api.api.id
     parent_id   = aws_api_gateway_rest_api.api.root_resource_id
-    path_part   = "{proxy+}"
+    path_part   = "{proxy+}" # Path part that acts as a catch-all proxy for any request path.
 
-    depends_on = [ aws_api_gateway_rest_api.api ]
+    depends_on = [ aws_api_gateway_rest_api.api ] # Ensure the API is created before creating the resource.
 }
 
 resource "aws_api_gateway_method" "proxy_method" {
     rest_api_id = aws_api_gateway_rest_api.api.id
     resource_id = aws_api_gateway_resource.proxy.id
-    http_method = "ANY"
-    authorization = "NONE"
-    api_key_required = false
+    http_method = "ANY" # Handle every type of HTTP request
+    authorization = "NONE" # No authorization required (yet)
+    api_key_required = false # No API key required (yet)
     request_parameters = {
       "method.request.path.proxy" = true
     }
+  # This configuration allows the API Gateway to serve as a proxy for my actual backend application, handling all types of HTTP requests and forwarding them to the backend.
 }
 
+// Define the OPTIONS method for the proxy resource (for CORS preflight requests)
 resource "aws_api_gateway_method" "proxy_options" {
     rest_api_id = aws_api_gateway_rest_api.api.id
     resource_id = aws_api_gateway_resource.proxy.id
@@ -30,12 +32,14 @@ resource "aws_api_gateway_method" "proxy_options" {
     api_key_required = false
 }
 
+# Define the integration between the proxy resource and the backend application. Basically, the API Gateway will forward all requests to the backend application.
 resource "aws_api_gateway_integration" "proxy_integration" {
     rest_api_id = aws_api_gateway_rest_api.api.id
     resource_id = aws_api_gateway_resource.proxy.id
     http_method = aws_api_gateway_method.proxy_method.http_method
     type = "HTTP_PROXY"
     integration_http_method = "ANY"
+    # Load balancer knows that port 3000 is the backend application
     uri = "http://${var.lb_dns_name}:3000/{proxy}"
     request_parameters = {
       "integration.request.path.proxy" = "method.request.path.proxy"
@@ -66,6 +70,7 @@ resource "aws_api_gateway_integration" "health_integration" {
     uri = "http://${var.lb_dns_name}:3000/health"
 }
 
+# Defines how API Gateway should handle the OPTIONS method for the proxy resource. In this case, it uses a MOCK integration to generate a mock response.
 resource "aws_api_gateway_integration" "proxy_options_integration" {
     rest_api_id = aws_api_gateway_rest_api.api.id
     resource_id = aws_api_gateway_resource.proxy.id
@@ -76,6 +81,9 @@ resource "aws_api_gateway_integration" "proxy_options_integration" {
     }
 }
 
+# In Amazon API Gateway, an aws_api_gateway_method_response specifies the possible responses from an API Gateway, while an aws_api_gateway_integration_response maps the response from an integration to the API Gateway response. 
+
+# This resource specifies the response parameters (headers) that the integration should return. It is part of the integration setup and tells API Gateway what to include in the response when the OPTIONS method is called.
 resource "aws_api_gateway_integration_response" "proxy_options_integration_response" {
     rest_api_id = aws_api_gateway_rest_api.api.id
     resource_id = aws_api_gateway_resource.proxy.id
@@ -88,6 +96,7 @@ resource "aws_api_gateway_integration_response" "proxy_options_integration_respo
     }
 }
 
+# This resource specifies the method response parameters (headers) that the method should return. It is part of the method setup and ensures that the headers specified in the integration response are actually included in the final response sent to the client.
 resource "aws_api_gateway_method_response" "proxy_options_response" {
     rest_api_id = aws_api_gateway_rest_api.api.id
     resource_id = aws_api_gateway_resource.proxy.id
@@ -109,15 +118,18 @@ resource "aws_api_gateway_deployment" "api_deployment" {
     ]
     rest_api_id = aws_api_gateway_rest_api.api.id
 
+    # This effectively triggers a redeployment whenever I do `terraform apply`, even if there are no actual changes to the configuration. I need to experiment with this setting.
     triggers = {
       redeployment = "${timestamp()}"
     }
 
+    # Minimize downtime by creating the new deployment before destroying the old one. And... because I don't think AWS would let me destroy the API given that it's in use by the load balancer.
     lifecycle {
         create_before_destroy = true
     }
 }
 
+# An API Gateway stage is a logical reference to a lifecycle state of your API (for example, dev, test, prod). Stages are used to manage and deploy different versions of your API, allowing you to test changes in a development environment before promoting them to production.
 resource "aws_api_gateway_stage" "api_stage" {
     deployment_id = aws_api_gateway_deployment.api_deployment.id
     rest_api_id = aws_api_gateway_rest_api.api.id
@@ -132,11 +144,11 @@ resource "aws_api_gateway_stage" "api_stage" {
 resource "aws_api_gateway_method_settings" "api_method_settings" {
     rest_api_id = aws_api_gateway_rest_api.api.id
     stage_name = aws_api_gateway_stage.api_stage.stage_name
-    method_path = "*/*"
+    method_path = "*/*" # The path and method for which these settings apply. The format is HTTP_METHOD/RESOURCE_PATH. You can use */* to apply the settings to all methods and resources.
     settings {
-        metrics_enabled = true
-        logging_level = "INFO"
-        data_trace_enabled = true
+        metrics_enabled = true # Enable CloudWatch metrics for the method.
+        logging_level = "INFO" # E.g., INFO, ERROR
+        data_trace_enabled = true # Can generate a large volume of log data, especially for APIs with high traffic or large payloads.
     }
 }
 
@@ -145,6 +157,10 @@ resource "aws_cloudwatch_log_group" "api_gateway_log_group" {
     retention_in_days = 7
 }
 
+# IAM stuff should probably be in IAM module.
+
+# It could be to have a root-level configuration to enable logging for the various modules.
+
 resource "aws_iam_role" "api_gateway_cloudwatch_role" {
     name = "${var.environment}-interview-prep-api-gateway-cloudwatch-role"
     assume_role_policy = jsonencode({
@@ -185,16 +201,18 @@ resource "aws_iam_role_policy_attachment" "api_gateway_cloudwatch_policy_attachm
     role = aws_iam_role.api_gateway_cloudwatch_role.name
 }
 
+# custom_domain_name and custom_domain_zone_id are output and used in the dns module.
 resource "aws_api_gateway_domain_name" "custom_domain" {
   domain_name = "api.dev.interviewprep.onyxdevtutorials.com"
 
   endpoint_configuration {
-    types = ["EDGE"]
+    types = ["EDGE"] # The endpoint type (EDGE, REGIONAL, or PRIVATE)
   }
 
-  certificate_arn = var.certificate_arn
+  certificate_arn = var.certificate_arn # The ARN of the SSL certificate to use for the custom domain.
 }
 
+# Used to map the custom domain to the API Gateway stage.
 resource "aws_api_gateway_base_path_mapping" "custom_domain_mapping" {
   api_id = aws_api_gateway_rest_api.api.id
   stage_name = aws_api_gateway_stage.api_stage.stage_name

terraform/modules/bastion/main.tf

@@ -3,7 +3,7 @@ resource "aws_instance" "bastion" {
   instance_type = var.instance_type
   subnet_id = var.public_subnet_id
   vpc_security_group_ids = [var.bastion_sg_id]
-  key_name = var.key_name
+  key_name = var.key_name # SSH key pair name
 
   tags = {
     Name = "${var.environment}-interview-prep-bastion"

terraform/modules/iam/main.tf

@@ -25,11 +25,6 @@ resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy" {
     policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
 
-# resource "aws_iam_role_policy_attachment" "ecr_pull_policy" {
-#     role       = aws_iam_role.ecs_task_execution_role.name
-#     policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
-# }
-
 # Role is assumed by the ECS tasks themselves. It allows the containers running within the tasks to interact with other AWS services. Common actions: reading from or writing to S3 buckets; accessing secrets from SSM Parameter Store; interacting with DynamoDB tables, etc. Here, because we don't attach any policies, the role does not grant any permissions to perform actions on AWS resources.
 resource "aws_iam_role" "ecs_task_role" {
     name = "${var.environment}-ecs-task-role"
@@ -71,6 +66,7 @@ resource "aws_iam_role" "lambda_exec" {
     }
 }
 
+# The ec2 permissions are needed because the Lambda function is running in a VPC and needs to create and delete network interfaces.
 resource "aws_iam_policy" "lambda_exec_policy" {
     name = "${var.environment}-interview-prep-lambda-exec-policy"
     description = "Policy for Lambda execution role"
@@ -109,13 +105,6 @@ resource "aws_iam_policy" "lambda_exec_policy" {
                     "arn:aws:ssm:${var.region}:${var.account_id}:parameter/interview-prep/${var.environment}/*"
                 ]
             },
-            # {
-            #     Effect = "Allow",
-            #     Action = [
-            #         "kms:Decrypt"
-            #     ],
-            #     Resource = "arn:aws:kms:${var.region}:${var.account_id}:key/169ce983-7b59-4ff6-9c74-533af48cf478"
-            # },
         ]
     })
 }

terraform/modules/load_balancer/main.tf

@@ -1,13 +1,13 @@
 resource "aws_lb" "this" {
   name               = "${var.environment}-interview-prep-lb"
-  internal           = false
-  load_balancer_type = "application"
+  internal           = false # Set to false to create an internet-facing load balancer
+  load_balancer_type = "application" # Other types include network and gateway
   security_groups    = var.security_groups
   subnets            = var.public_subnet_ids
 
-  enable_deletion_protection = false
-  enable_http2               = false
-  enable_cross_zone_load_balancing = true
+  enable_deletion_protection = false # Set to true to enable accidental deletion protection
+  enable_http2               = false # Set to true to enable HTTP/2
+  enable_cross_zone_load_balancing = true # Set to true to enable cross-zone load balancing. This distributes incoming requests evenly across all registered targets in all enabled Availability Zones.
 
   tags = {
     Name        = "${var.environment}-interview-prep-lb"
@@ -20,7 +20,7 @@ resource "aws_lb_target_group" "frontend" {
   port     = 80
   protocol = "HTTP"
   vpc_id   = var.vpc_id
-  target_type = "ip"
+  target_type = "ip" # Other types include instance and lambda
 
   health_check {
     path                = var.frontend_health_check_path
@@ -66,7 +66,7 @@ resource "aws_lb_listener" "http_frontend" {
 
   default_action {
     type             = "forward"
-    target_group_arn = aws_lb_target_group.frontend.arn
+    target_group_arn = aws_lb_target_group.frontend.arn # Refer to the ECS module to see how the target group ARN is passed to the ECS service.
   }
 }
 
@@ -77,6 +77,6 @@ resource "aws_lb_listener" "http_backend" {
 
   default_action {
     type             = "forward"
-    target_group_arn = aws_lb_target_group.backend.arn
+    target_group_arn = aws_lb_target_group.backend.arn # Refer to the ECS module to see how the target group ARN is passed to the ECS service.
   }
 }