Make currently active region a terraform parameter (#359)

devksingh4 · web-flow · commit 28f55505ebd6 · 2025-10-28T21:12:06.000-05:00
Allows for easily switching the region currently serving traffic

&lt;!-- This is an auto-generated comment: release notes by coderabbit.ai
--&gt;
## Summary by CodeRabbit

* **New Features**
* Multi-region support: frontend now routes to region-specific endpoints
and honors a selectable active region at runtime.
* Secondary-region compute and queue components added to enable regional
failover and lower latency; CDN origins and routing are region-aware.

* **Chores**
* Deployment tooling updated to accept and validate a configured active
region in prod and QA plans; build scripts now propagate the
active-region setting.
&lt;!-- end of auto-generated comment: release notes by coderabbit.ai --&gt;
diff --git a/Makefile b/Makefile
@@ -1,6 +1,7 @@
 prod_aws_account = 298118738376
 dev_aws_account = 427040638965
 current_aws_account := $(shell aws sts get-caller-identity --query Account --output text)
+current_active_region = "us-east-2"
 
 src_directory_root = src/
 dist_ui_directory_root = dist_ui/
@@ -48,14 +49,14 @@ local:
 deploy_prod:
 	@echo "Deploying Terraform..."
 	terraform -chdir=terraform/envs/prod init -lockfile=readonly
-	terraform -chdir=terraform/envs/prod plan -out=tfplan
+	terraform -chdir=terraform/envs/prod plan -out=tfplan -var="current_active_region=$(current_active_region)"
 	terraform -chdir=terraform/envs/prod apply -auto-approve tfplan
 	rm terraform/envs/prod/tfplan
 
 deploy_qa:
 	@echo "Deploying Terraform..."
 	terraform -chdir=terraform/envs/qa init -lockfile=readonly
-	terraform -chdir=terraform/envs/qa plan -out=tfplan
+	terraform -chdir=terraform/envs/qa plan -out=tfplan -var="current_active_region=$(current_active_region)"
 	terraform -chdir=terraform/envs/qa apply -auto-approve tfplan
 	rm terraform/envs/qa/tfplan
 
diff --git a/terraform/envs/prod/main.tf b/terraform/envs/prod/main.tf
@@ -37,7 +37,12 @@ locals {
     main = module.sqs_queues.main_queue_arn
     sqs  = module.sqs_queues.sales_email_queue_arn
   }
+  queue_arns_usw2 = {
+    main = module.sqs_queues_usw2.main_queue_arn
+    sqs  = module.sqs_queues_usw2.sales_email_queue_arn
+  }
   DynamoReplicationRegions = toset(["us-west-2"])
+  deployment_env           = "prod"
 }
 
 module "sqs_queues" {
@@ -93,7 +98,7 @@ module "lambdas" {
   region                           = "us-east-2"
   source                           = "../../modules/lambdas"
   ProjectId                        = var.ProjectId
-  RunEnvironment                   = "prod"
+  RunEnvironment                   = local.deployment_env
   CurrentOriginVerifyKey           = module.origin_verify.current_origin_verify_key
   PreviousOriginVerifyKey          = module.origin_verify.previous_origin_verify_key
   PreviousOriginVerifyKeyExpiresAt = module.origin_verify.previous_invalid_time
@@ -102,14 +107,21 @@ module "lambdas" {
 }
 
 module "frontend" {
-  source                = "../../modules/frontend"
-  BucketPrefix          = local.primary_bucket_prefix
-  CoreLambdaHost        = module.lambdas.core_function_url
+  source       = "../../modules/frontend"
+  BucketPrefix = local.primary_bucket_prefix
+  CoreLambdaHost = {
+    "us-east-2" = module.lambdas.core_function_url
+    "us-west-2" = module.lambdas_usw2.core_function_url
+  }
+  CoreSlowLambdaHost = {
+    "us-east-2" = module.lambdas.core_slow_function_url
+    "us-west-2" = module.lambdas_usw2.core_slow_function_url
+  }
+  CurrentActiveRegion   = var.current_active_region
   OriginVerifyKey       = module.origin_verify.current_origin_verify_key
   ProjectId             = var.ProjectId
   CoreCertificateArn    = var.CoreCertificateArn
   CorePublicDomain      = var.CorePublicDomain
-  CoreSlowLambdaHost    = module.lambdas.core_slow_function_url
   IcalPublicDomain      = var.IcalPublicDomain
   LinkryPublicDomain    = var.LinkryPublicDomain
   LinkryEdgeFunctionArn = module.lambdas.linkry_redirect_function_arn
@@ -133,6 +145,39 @@ resource "aws_lambda_event_source_mapping" "queue_consumer" {
   function_response_types = ["ReportBatchItemFailures"]
 }
 
+// Multi-Region Failover: us-west-2
+
+module "lambdas_usw2" {
+  region                           = "us-west-2"
+  source                           = "../../modules/lambdas"
+  ProjectId                        = var.ProjectId
+  RunEnvironment                   = local.deployment_env
+  CurrentOriginVerifyKey           = module.origin_verify.current_origin_verify_key
+  PreviousOriginVerifyKey          = module.origin_verify.previous_origin_verify_key
+  PreviousOriginVerifyKeyExpiresAt = module.origin_verify.previous_invalid_time
+  LogRetentionDays                 = var.LogRetentionDays
+  EmailDomain                      = var.EmailDomain
+}
+
+module "sqs_queues_usw2" {
+  region                        = "us-west-2"
+  depends_on                    = [module.lambdas_usw2]
+  source                        = "../../modules/sqs"
+  resource_prefix               = var.ProjectId
+  core_sqs_consumer_lambda_name = module.lambdas_usw2.core_sqs_consumer_lambda_name
+}
+
+resource "aws_lambda_event_source_mapping" "queue_consumer_usw2" {
+  region                  = "us-west-2"
+  depends_on              = [module.lambdas_usw2, module.sqs_queues_usw2]
+  for_each                = local.queue_arns_usw2
+  batch_size              = 5
+  event_source_arn        = each.value
+  function_name           = module.lambdas_usw2.core_sqs_consumer_lambda_arn
+  function_response_types = ["ReportBatchItemFailures"]
+}
+
+
 // This section last: moved records into modules
 moved {
   from = aws_dynamodb_table.app_audit_log
diff --git a/terraform/envs/prod/variables.tf b/terraform/envs/prod/variables.tf
@@ -48,3 +48,13 @@ variable "IcalPublicDomain" {
   type    = string
   default = "ical.acm.illinois.edu"
 }
+
+variable "current_active_region" {
+  type        = string
+  description = "Currently active AWS region"
+
+  validation {
+    condition     = contains(["us-east-2", "us-west-2"], var.current_active_region)
+    error_message = "Invalid value for current_active_region"
+  }
+}
diff --git a/terraform/envs/qa/main.tf b/terraform/envs/qa/main.tf
@@ -31,9 +31,6 @@ provider "aws" {
 data "aws_caller_identity" "current" {}
 data "aws_region" "current" {}
 
-locals {
-  DynamoReplicationRegions = toset(["us-west-2"])
-}
 
 
 module "sqs_queues" {
@@ -53,6 +50,8 @@ locals {
     main = module.sqs_queues_usw2.main_queue_arn
     sqs  = module.sqs_queues_usw2.sales_email_queue_arn
   }
+  DynamoReplicationRegions = toset(["us-west-2"])
+  deployment_env           = "dev"
 }
 
 module "dynamo" {
@@ -86,7 +85,7 @@ module "archival" {
   depends_on       = [module.dynamo]
   source           = "../../modules/archival"
   ProjectId        = var.ProjectId
-  RunEnvironment   = "dev"
+  RunEnvironment   = local.deployment_env
   LogRetentionDays = var.LogRetentionDays
   MonitorTables    = ["${var.ProjectId}-audit-log", "${var.ProjectId}-events", "${var.ProjectId}-room-requests"]
   BucketPrefix     = local.primary_bucket_prefix
@@ -102,7 +101,7 @@ module "lambdas" {
   region                           = "us-east-2"
   source                           = "../../modules/lambdas"
   ProjectId                        = var.ProjectId
-  RunEnvironment                   = "dev"
+  RunEnvironment                   = local.deployment_env
   CurrentOriginVerifyKey           = module.origin_verify.current_origin_verify_key
   PreviousOriginVerifyKey          = module.origin_verify.previous_origin_verify_key
   PreviousOriginVerifyKeyExpiresAt = module.origin_verify.previous_invalid_time
@@ -111,10 +110,17 @@ module "lambdas" {
 }
 
 module "frontend" {
-  source                = "../../modules/frontend"
-  BucketPrefix          = local.primary_bucket_prefix
-  CoreLambdaHost        = module.lambdas.core_function_url
-  CoreSlowLambdaHost    = module.lambdas.core_slow_function_url
+  source       = "../../modules/frontend"
+  BucketPrefix = local.primary_bucket_prefix
+  CoreLambdaHost = {
+    "us-east-2" = module.lambdas.core_function_url
+    "us-west-2" = module.lambdas_usw2.core_function_url
+  }
+  CoreSlowLambdaHost = {
+    "us-east-2" = module.lambdas.core_slow_function_url
+    "us-west-2" = module.lambdas_usw2.core_slow_function_url
+  }
+  CurrentActiveRegion   = var.current_active_region
   OriginVerifyKey       = module.origin_verify.current_origin_verify_key
   ProjectId             = var.ProjectId
   CoreCertificateArn    = var.CoreCertificateArn
@@ -138,7 +144,7 @@ module "lambdas_usw2" {
   region                           = "us-west-2"
   source                           = "../../modules/lambdas"
   ProjectId                        = var.ProjectId
-  RunEnvironment                   = "dev"
+  RunEnvironment                   = local.deployment_env
   CurrentOriginVerifyKey           = module.origin_verify.current_origin_verify_key
   PreviousOriginVerifyKey          = module.origin_verify.previous_origin_verify_key
   PreviousOriginVerifyKeyExpiresAt = module.origin_verify.previous_invalid_time
diff --git a/terraform/envs/qa/variables.tf b/terraform/envs/qa/variables.tf
@@ -49,3 +49,13 @@ variable "PrioritySNSAlertArn" {
   type    = string
   default = "arn:aws:sns:us-east-2:427040638965:infra-monitor-alerts"
 }
+
+variable "current_active_region" {
+  type        = string
+  description = "Currently active AWS region"
+
+  validation {
+    condition     = contains(["us-east-2", "us-west-2"], var.current_active_region)
+    error_message = "Invalid value for current_active_region"
+  }
+}
diff --git a/terraform/modules/frontend/main.tf b/terraform/modules/frontend/main.tf
@@ -125,24 +125,34 @@ resource "aws_cloudfront_distribution" "app_cloudfront_distribution" {
     origin_access_control_id = aws_cloudfront_origin_access_control.frontend_oac.id
     domain_name              = aws_s3_bucket.frontend.bucket_regional_domain_name
   }
-  origin {
-    origin_id   = "LambdaFunction"
-    domain_name = var.CoreLambdaHost
-    custom_origin_config {
-      http_port              = 80
-      https_port             = 443
-      origin_protocol_policy = "https-only"
-      origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
+
+  # Dynamic origins for each region's Lambda function
+  dynamic "origin" {
+    for_each = var.CoreLambdaHost
+    content {
+      origin_id   = "LambdaFunction-${origin.key}"
+      domain_name = origin.value
+      custom_origin_config {
+        http_port              = 80
+        https_port             = 443
+        origin_protocol_policy = "https-only"
+        origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
+      }
     }
   }
-  origin {
-    origin_id   = "SlowLambdaFunction"
-    domain_name = var.CoreSlowLambdaHost
-    custom_origin_config {
-      http_port              = 80
-      https_port             = 443
-      origin_protocol_policy = "https-only"
-      origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
+
+  # Dynamic origins for each region's Slow Lambda function
+  dynamic "origin" {
+    for_each = var.CoreSlowLambdaHost
+    content {
+      origin_id   = "SlowLambdaFunction-${origin.key}"
+      domain_name = origin.value
+      custom_origin_config {
+        http_port              = 80
+        https_port             = 443
+        origin_protocol_policy = "https-only"
+        origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
+      }
     }
   }
   default_root_object = "index.html"
@@ -173,7 +183,7 @@ resource "aws_cloudfront_distribution" "app_cloudfront_distribution" {
   }
   ordered_cache_behavior {
     path_pattern             = "/api/v1/syncIdentity"
-    target_origin_id         = "SlowLambdaFunction"
+    target_origin_id         = "SlowLambdaFunction-${var.CurrentActiveRegion}"
     viewer_protocol_policy   = "redirect-to-https"
     allowed_methods          = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
     cached_methods           = ["GET", "HEAD"]
@@ -187,7 +197,7 @@ resource "aws_cloudfront_distribution" "app_cloudfront_distribution" {
   }
   ordered_cache_behavior {
     path_pattern             = "/api/v1/events*"
-    target_origin_id         = "LambdaFunction"
+    target_origin_id         = "LambdaFunction-${var.CurrentActiveRegion}"
     viewer_protocol_policy   = "redirect-to-https"
     allowed_methods          = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
     cached_methods           = ["GET", "HEAD"]
@@ -201,7 +211,7 @@ resource "aws_cloudfront_distribution" "app_cloudfront_distribution" {
   }
   ordered_cache_behavior {
     path_pattern             = "/api/v1/organizations*"
-    target_origin_id         = "LambdaFunction"
+    target_origin_id         = "LambdaFunction-${var.CurrentActiveRegion}"
     viewer_protocol_policy   = "redirect-to-https"
     allowed_methods          = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
     cached_methods           = ["GET", "HEAD"]
@@ -215,7 +225,7 @@ resource "aws_cloudfront_distribution" "app_cloudfront_distribution" {
   }
   ordered_cache_behavior {
     path_pattern             = "/api/*"
-    target_origin_id         = "LambdaFunction"
+    target_origin_id         = "LambdaFunction-${var.CurrentActiveRegion}"
     viewer_protocol_policy   = "redirect-to-https"
     allowed_methods          = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
     cached_methods           = ["GET", "HEAD"]
@@ -232,23 +242,28 @@ resource "aws_cloudfront_distribution" "app_cloudfront_distribution" {
 
 resource "aws_cloudfront_distribution" "ical_cloudfront_distribution" {
   http_version = "http2and3"
-  origin {
-    origin_id   = "LambdaFunction"
-    domain_name = var.CoreLambdaHost
-    origin_path = "/api/v1/ical"
-    custom_origin_config {
-      http_port              = 80
-      https_port             = 443
-      origin_protocol_policy = "https-only"
-      origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
+
+  # Dynamic origins for each region's Lambda function
+  dynamic "origin" {
+    for_each = var.CoreLambdaHost
+    content {
+      origin_id   = "LambdaFunction-${origin.key}"
+      domain_name = origin.value
+      origin_path = "/api/v1/ical"
+      custom_origin_config {
+        http_port              = 80
+        https_port             = 443
+        origin_protocol_policy = "https-only"
+        origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
+      }
     }
   }
   aliases         = [var.IcalPublicDomain]
   enabled         = true
   is_ipv6_enabled = true
   default_cache_behavior {
     compress                 = true
-    target_origin_id         = "LambdaFunction"
+    target_origin_id         = "LambdaFunction-${var.CurrentActiveRegion}"
     viewer_protocol_policy   = "redirect-to-https"
     allowed_methods          = ["GET", "HEAD"]
     cached_methods           = ["GET", "HEAD"]
diff --git a/terraform/modules/frontend/variables.tf b/terraform/modules/frontend/variables.tf
@@ -4,13 +4,18 @@ variable "ProjectId" {
 }
 
 variable "CoreLambdaHost" {
-  type        = string
-  description = "Host for Lambda Function URL"
+  type        = map(string)
+  description = "Map of region to Lambda Function URL host"
 }
 
 variable "CoreSlowLambdaHost" {
+  type        = map(string)
+  description = "Map of region to Slow Lambda Function URL host"
+}
+
+variable "CurrentActiveRegion" {
   type        = string
-  description = "Host for Slow Lambda Function URL"
+  description = "Currently active AWS region for primary routing"
 }
 
 variable "CorePublicDomain" {

Original file line number	Diff line number	Diff line change
`@@ -4,13 +4,18 @@ variable "ProjectId" {`
`4`	`4`	`}`
`5`	`5`
`6`	`6`	`variable "CoreLambdaHost" {`
`7`		`- type = string`
`8`		`- description = "Host for Lambda Function URL"`
	`7`	`+ type = map(string)`
	`8`	`+ description = "Map of region to Lambda Function URL host"`
`9`	`9`	`}`
`10`	`10`
`11`	`11`	`variable "CoreSlowLambdaHost" {`
	`12`	`+ type = map(string)`
	`13`	`+ description = "Map of region to Slow Lambda Function URL host"`
	`14`	`+}`
	`15`	`+`
	`16`	`+variable "CurrentActiveRegion" {`
`12`	`17`	`type = string`
`13`		`- description = "Host for Slow Lambda Function URL"`
	`18`	`+ description = "Currently active AWS region for primary routing"`
`14`	`19`	`}`
`15`	`20`
`16`	`21`	`variable "CorePublicDomain" {`