add AWS amplify (#79)

* add AWS amplify

* add pulumi config for production & staging

* add workflows for infra updates

* remove test key

.github/workflows/deploy_infra.yml

@@ -0,0 +1,107 @@
+name: Library - Deploy Infra only - Generic
+on:
+  workflow_call:
+    inputs:
+      refspec:
+        description: "The commit SHA"
+        type: string
+        required: True
+      environment:
+        description: "Environment to deploy to"
+        type: string
+        required: true
+
+jobs:
+  deploy_preview:
+    name: Preview - Deploying AWS Infra
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ inputs.refspec }}
+          fetch-depth: 0
+      - name: Install 1Password CLI
+        uses: 1password/install-cli-action@v1
+      - name: Configure 1Password Service Account
+        uses: 1password/load-secrets-action/configure@v1
+        with:
+          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+      - name: Load secret
+        id: op-load-secret
+        uses: 1password/load-secrets-action@v1
+        with:
+          export-env: true
+        env:
+          AWS_ACCESS_KEY_ID: op://DevOps/passport-${{ inputs.environment }}-secrets/ci/AWS_ACCESS_KEY_ID
+          AWS_SECRET_ACCESS_KEY: op://DevOps/passport-${{ inputs.environment }}-secrets/ci/AWS_SECRET_ACCESS_KEY
+          PULUMI_ACCESS_TOKEN: op://DevOps/passport-${{ inputs.environment }}-secrets/ci/PULUMI_ACCESS_TOKEN
+          # CLOUDFLARE_API_TOKEN  should be moved to staking secret
+          CLOUDFLARE_API_TOKEN: op://DevOps/passport-${{ inputs.environment }}-secrets/ci/CLOUDFLARE_API_TOKEN
+      - name: Prepare to Deploy to AWS
+        uses: passportxyz/gh-workflows/.github/actions/prepare_deploy_to_aws@v1
+      - name: Preview Deploy
+        uses: passportxyz/gh-workflows/.github/actions/deploy_to_aws@v1
+        with:
+          docker_tag: ${{ inputs.refspec }}
+          stack_name: gitcoin/id-staking-v2/${{ inputs.environment }}
+          aws_region: us-west-2
+          pulumi_command: preview
+          pulumi_diff: true
+          AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
+          PULUMI_ACCESS_TOKEN: ${{ env.PULUMI_ACCESS_TOKEN }}
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          CLOUDFLARE_API_TOKEN: ${{ env.CLOUDFLARE_API_TOKEN }}
+
+  deploy_confirm:
+    name: Review Approval Pending
+    needs: [deploy_preview]
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    steps:
+      - name: Approve Release to Review (check pulumi preview)
+        run: |
+          echo "Ref" ${{ inputs.refspec }}
+
+  deploy_backends:
+    name: Deploying AWS Infra
+    needs: [deploy_preview, deploy_confirm]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ inputs.refspec }}
+          fetch-depth: 0
+      - name: Install 1Password CLI
+        uses: 1password/install-cli-action@v1
+      - name: Configure 1Password Service Account
+        uses: 1password/load-secrets-action/configure@v1
+        with:
+          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+      - name: Load secret
+        id: op-load-secret
+        uses: 1password/load-secrets-action@v1
+        with:
+          export-env: true
+        env:
+          AWS_ACCESS_KEY_ID: op://DevOps/passport-${{ inputs.environment }}-secrets/ci/AWS_ACCESS_KEY_ID
+          AWS_SECRET_ACCESS_KEY: op://DevOps/passport-${{ inputs.environment }}-secrets/ci/AWS_SECRET_ACCESS_KEY
+          PULUMI_ACCESS_TOKEN: op://DevOps/passport-${{ inputs.environment }}-secrets/ci/PULUMI_ACCESS_TOKEN
+          # CLOUDFLARE_API_TOKEN  should be moved to staking secret
+          CLOUDFLARE_API_TOKEN: op://DevOps/passport-${{ inputs.environment }}-secrets/ci/CLOUDFLARE_API_TOKEN
+      - name: Prepare to Deploy to AWS
+        uses: passportxyz/gh-workflows/.github/actions/prepare_deploy_to_aws@v1
+      - name: Deploy to AWS
+        uses: passportxyz/gh-workflows/.github/actions/deploy_to_aws@v1
+        with:
+          docker_tag: ${{ inputs.refspec }}
+          stack_name: gitcoin/passport/${{ inputs.environment }}
+          aws_region: us-west-2
+          pulumi_command: up
+          AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
+          PULUMI_ACCESS_TOKEN: ${{ env.PULUMI_ACCESS_TOKEN }}
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          CLOUDFLARE_API_TOKEN: ${{ env.CLOUDFLARE_API_TOKEN }}

.github/workflows/deploy_infra_production.yml

@@ -0,0 +1,31 @@
+name: Deploy Infra to Production
+
+on:
+  workflow_dispatch:
+    inputs:
+      commit:
+        description: "Leave blank to use current HEAD, or provide an override commit SHA"
+        type: string
+
+jobs:
+  ref:
+    name: Load Commit Ref
+    runs-on: ubuntu-latest
+    steps:
+      - id: ref
+        uses: passportxyz/gh-workflows/.github/actions/load_commit_ref@v1
+        with:
+          commit: ${{ inputs.commit }}
+
+    outputs:
+      version_tag: ${{ steps.ref.outputs.version_tag }}
+      refspec: ${{ steps.ref.outputs.refspec }}
+
+  deploy-infra:
+    name: Deploy Infra to Production
+    needs: [ref]
+    uses: ./.github/workflows/deploy_infra.yml
+    with:
+      refspec: ${{ needs.ref.outputs.refspec }}
+      environment: production
+    secrets: inherit

.github/workflows/deploy_infra_review.yml

@@ -0,0 +1,34 @@
+name: Deploy Infra to Review
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+    inputs:
+      commit:
+        description: "Leave blank to use current HEAD, or provide an override commit SHA"
+        type: string
+        required: false
+
+jobs:
+  ref:
+    name: Load Commit Ref
+    runs-on: ubuntu-latest
+    steps:
+      - id: ref
+        uses: passportxyz/gh-workflows/.github/actions/load_commit_ref@v1
+        with:
+          commit: ${{ inputs.commit }}
+
+    outputs:
+      version_tag: ${{ steps.ref.outputs.version_tag }}
+      refspec: ${{ steps.ref.outputs.refspec }}
+
+  deploy-infra:
+    name: Deploy Infra to Review
+    needs: [ref]
+    uses: ./.github/workflows/deploy_infra.yml
+    with:
+      refspec: ${{ needs.ref.outputs.refspec }}
+      environment: review
+    secrets: inherit

.github/workflows/deploy_infra_staging.yml

@@ -0,0 +1,31 @@
+name: Deploy Infra to Staging
+
+on:
+  workflow_dispatch:
+    inputs:
+      commit:
+        description: "Leave blank to use current HEAD, or provide an override commit SHA"
+        type: string
+
+jobs:
+  ref:
+    name: Load Commit Ref
+    runs-on: ubuntu-latest
+    steps:
+      - id: ref
+        uses: passportxyz/gh-workflows/.github/actions/load_commit_ref@v1
+        with:
+          commit: ${{ inputs.commit }}
+
+    outputs:
+      version_tag: ${{ steps.ref.outputs.version_tag }}
+      refspec: ${{ steps.ref.outputs.refspec }}
+
+  deploy-infra:
+    name: Deploy Infra to Staging
+    needs: [ref]
+    uses: ./.github/workflows/deploy_infra.yml
+    with:
+      refspec: ${{ needs.ref.outputs.refspec }}
+      environment: staging
+    secrets: inherit

app/.env-sample

@@ -27,5 +27,3 @@ NEXT_PUBLIC_MAX_LEGACY_ROUND_ID=
 NEXT_PUBLIC_INTERCOM_APP_ID=
 
 NEXT_PUBLIC_GA_ID=id
-
-SAMPLE_KEY=just_a_test_key_1

infra/.gitignore

@@ -0,0 +1,2 @@
+/bin/
+/node_modules/

infra/aws/Pulumi.production.yaml

@@ -0,0 +1,2 @@
+config:
+  aws:region: us-west-2

infra/aws/Pulumi.review.yaml

@@ -0,0 +1,2 @@
+config:
+  aws:region: us-west-2

infra/aws/Pulumi.staging.yaml

@@ -0,0 +1,2 @@
+config:
+  aws:region: us-west-2

infra/aws/Pulumi.yaml

@@ -0,0 +1,7 @@
+name: id-staking-v2
+runtime: nodejs
+description: Pulumi IaC for id-staking-v2-app
+config:
+  pulumi:tags:
+    value:
+      pulumi:template: ""