Add dev environment

pulumi/Pulumi.dev.yaml

@@ -0,0 +1,3 @@
+config:
+  observability:posthog_api_key:
+    secure: AAABAACLeD5lasJAmY66NyJXtacSmTSMj/PiXtmBNIHeBfLx2HA3mhTzyWkPZnD9j8MCYPbtnjJiWeZBzOROWVKEcKpuysV/FV5CDoHCJg==

pulumi/config.dev.yaml

@@ -0,0 +1,167 @@
+---
+
+config:
+  build_site24x7: False
+  build_tbpulumi: True
+
+resources:
+  tb:secrets:PulumiSecretsManager:
+    secrets:
+      secret_names:
+        - posthog_api_key
+
+  tb:network:MultiCidrVpc:
+    fluentbit:
+      # The observability project has all of 10.202.0.0/16 assigned to it, but let's not soak all
+      # those up just serving fluent-bit. This CIDR gets us 10.202.0.0 -> 10.202.3.255.
+      cidr_block: 10.202.0.0/22
+      subnets:
+        eu-central-1a:
+          - 10.202.0.0/23  # 10.202.0.0 - 10.202.1.255
+        eu-central-1b:
+          - 10.202.2.0/23  # 10.202.2.0 - 10.202.3.255
+      # Allow traffic out via an IGW so we can talk to Posthog and other services
+      enable_internet_gateway: True
+      egress_via_internet_gateway: True
+      # Required for load balancing Fargate containers
+      enable_dns_hostnames: True
+      endpoint_interfaces:
+        - logs
+        - secretsmanager
+      additional_routes:
+        - destination_cidr_block: 10.2.0.0/16  # mailstrom-dev
+          vpc_peering_connection_id: pcx-018f09af30c2dce6c
+
+  tb:fargate:AutoscalingFargateCluster:
+    fluentbit:
+      cluster: {}
+
+      container_security_groups:
+        fluentbit:
+          fluentbit-http:
+            rules:
+              ingress:
+                - description: Allow traffic from the load balancer to the container
+                  # Sources are set in code
+                  protocol: tcp
+                  from_port: 1337
+                  to_port: 1337
+              egress:
+                - description: Allow traffic from the container out to the Internet
+                  protocol: tcp
+                  from_port: 0
+                  to_port: 65535
+                  cidr_blocks:
+                    - 0.0.0.0/0
+
+      secrets:
+        fluentbit:
+          - arn:aws:secretsmanager:eu-central-1:768512802988:secret:observability/dev/posthog_api_key*
+
+      ssm_params: {}
+
+      task_definitions:
+        fluentbit:
+          container_definitions:
+            - name: fluentbit
+              environment:
+                - name: ENV
+                  value: dev
+                - name: FLUENTBIT_LOG_LEVEL
+                  value: info
+                - name: FLUENTBIT_VERSION
+                  value: 4.2.2
+                - name: FLUENTBIT_STALWART_DELETE_KEYS
+                  value: contents
+                - name: FLUENTBIT_STALWART_HASH_KEYS
+                  value: from,to
+              secrets:
+                - name: POSTHOG_API_KEY
+                  valueFrom: arn:aws:secretsmanager:eu-central-1:768512802988:secret:observability/dev/posthog_api_key-e3UEK4
+              image: 768512802988.dkr.ecr.eu-central-1.amazonaws.com/thunderbird/fluent-bit:7b9c3eed77ed
+              logConfiguration:
+                logDriver: awslogs
+                options:
+                  awslogs-group: observability-dev-fargate-fluentbit-loggroup-fluentbit
+                  awslogs-region: eu-central-1
+                  awslogs-stream-prefix: observability/dev/fluentbit/
+              portMappings:
+                - containerPort: 1337
+                  protocol: tcp
+              restartPolicy:
+                enabled: yes
+                restartAttemptPeriod: 300
+          cpu: 512
+          family: fluentbit
+          memory: 1024
+          network_mode: awsvpc
+          requires_compatibilities:
+            - FARGATE
+
+      load_balancer_security_groups:
+        fluentbit-http:
+          description: Governs access to the fluent-bit-http load balancer in dev
+          rules:
+            ingress:
+              - from_port: 443
+                to_port: 443
+                protocol: tcp
+                cidr_blocks:
+                  - 10.2.0.0/16  # stalwart-dev
+                description: Allow access from stalwart-dev
+            egress:
+              - from_port: 0
+                to_port: 65535
+                protocol: all
+                cidr_blocks:
+                  - 0.0.0.0/0
+
+      load_balancers:
+        fluentbit-http:
+          enable_cross_zone_load_balancing: yes
+          internal: yes
+          ip_address_type: ipv4
+          load_balancer_type: application
+          name: fluentbit-http-dev
+          preserve_host_header: yes
+
+      targets:
+        stalwart-metrics:
+          name: dev-telemetry-http
+          health_check:
+            protocol: HTTP
+            # fluentbit is set up to throw away records submitted to this endpoint
+            path: /health/check
+            port: 1337
+            # I wish it wasn't like this. fluentbit will not accept non-POST methods, but these health checks cannot be
+            # made with custom methods. Therefore, we expect a 400 Bad Request as a sign of health. *shrug*
+            matcher: "400"
+          port: 1337
+          protocol: HTTP
+          # Next two options are required for ECS services; ref:
+          # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/alb.html
+          target_type: ip
+          ip_address_type: ipv4
+
+      listeners:
+        fluentbit-http:
+          stalwart-metrics:
+            # This cert is for fluentbit-dev.tb.pro
+            certificate_arn: arn:aws:acm:eu-central-1:768512802988:certificate/04dd0573-a3cc-4c19-b483-a868876c63b0
+            port: 443
+            protocol: HTTPS
+
+      services:
+        fluentbit:
+          assign_public_ip: yes
+          container_name: fluentbit
+          container_port: 1337
+          load_balancer: fluentbit-http
+          service:
+            desired_count: 2
+          target: stalwart-metrics
+
+      autoscalers:
+        fluentbit:
+          min_capacity: 2
+          max_capacity: 4