feat: Install Application-Flask template (#1)

* Install Application-Flask template

* Configure project and add local secrets override

.dockleconfig

@@ -0,0 +1,8 @@
+# This file is allows you to specify a list of files that is acceptable to Dockle
+# To allow multiple files, use a list of names, example below. Make sure to remove the leading #
+# DOCKLE_ACCEPT_FILES="file1,path/to/file2,file3/path,etc"
+# https://github.com/goodwithtech/dockle#accept-suspicious-environment-variables--files--file-extensions
+# DOCKLE_ACCEPT_FILES="file1,path/to/file2,file3/path,etc"
+
+# The apiflask/settings file is a stub file that apiflask creates, and has no sensitive data in. We are ignoring it since it is unused
+DOCKLE_ACCEPT_FILES=app/.venv/lib/python3.12/site-packages/apiflask/settings.py

.github/pull_request_template.md

@@ -0,0 +1,28 @@
+- [ ] Update PR Title to follow this pattern: `[INTENT]: [MESSAGE]`
+
+> The title will become a one-line commit message in the git log, so be as concise and specific as possible -- refer to [How to Write a Git Commit Message](https://cbea.ms/git-commit/). Prepend [Conventional Commit](https://www.conventionalcommits.org/en/v1.0.0/#summary) intent (`fix:`, `feat:`, `chore:`, `ci:`, `docs:`, `style:`, `refactor:`, `perf:`, `test:`).
+
+## Ticket
+
+Resolves #{TICKET NUMBER or URL or description}
+
+
+## Changes
+
+> What was added, updated, or removed in this PR.
+> Prefer small PRs; try to limit to 300 lines of code changes
+> * https://blog.logrocket.com/using-stacked-pull-requests-in-github/
+> * https://opensource.com/article/18/6/anatomy-perfect-pull-request
+> * https://developers.google.com/blockly/guides/modify/contribute/write_a_good_pr
+
+
+## Context for reviewers
+
+> Background context, more in-depth details of the implementation, and anything else you'd like to call out or ask reviewers.
+> Add comments to your code under the "Files Changed" tab to explain complex logic or code
+> * https://betterprogramming.pub/how-to-make-a-perfect-pull-request-3578fb4c112
+
+
+## Testing
+
+> Provide evidence that the code works as expected. Explain what was done for testing and the results of the test plan. Include screenshots, [GIF demos](https://www.cockos.com/licecap/), shell commands or output to help show the changes working as expected. ProTip: you can drag and drop or paste images into this textbox.

.github/workflows/ci-app.yml

@@ -0,0 +1,51 @@
+name: CI - App
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - app/**
+      - .github/workflows/ci-app.yml
+  pull_request:
+    paths:
+      - app/**
+      - .github/workflows/ci-app.yml
+
+defaults:
+  run:
+    working-directory: ./app
+
+jobs:
+  # As an enhancement, it is possible to share the built docker image and share
+  # it across jobs as described in:
+  # https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts#passing-data-between-jobs-in-a-workflow
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Run format check
+        run: make format-check
+
+      - name: Run linting
+        run: make lint
+  security-scan:
+    name: Security scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Run security linting
+        run: make lint-security
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Start tests
+        run: |
+          make test-audit
+          make test-coverage

.github/workflows/ci-openapi.yml

@@ -0,0 +1,42 @@
+# Update OpenAPI docs so that they remain up to date with the application
+name: Update OpenAPI Docs
+
+on:
+  pull_request:
+    paths:
+      - app/**
+      - Makefile
+      - .github/workflows/ci-openapi.yml
+
+defaults:
+  run:
+    working-directory: ./app
+
+# Only trigger run one update of the OpenAPI spec at a time on the branch.
+# If new commits are pushed to the branch, cancel in progress runs and start
+# a new one.
+concurrency:
+  group: ${{ github.head_ref }}
+  cancel-in-progress: true
+
+
+jobs:
+  update-openapi-docs:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # Checkout the feature branch associated with the pull request
+          ref: ${{ github.head_ref }}
+
+      - name: Update OpenAPI spec
+        run: make openapi-spec
+
+      - name: Push changes
+        run: |
+          git config user.name nava-platform-bot
+          git config user.email [email protected]
+          git add --all
+          # Commit changes (if no changes then no-op)
+          git diff-index --quiet HEAD || git commit -m "Update OpenAPI spec"
+          git push

.gitignore

@@ -0,0 +1,22 @@
+# Ignore Terraform lock files
+# As of Feb 2023, Terraform lock files, while well intentioned, have a tendency
+# to get into a confusing state that requires recreating the lock file, which 
+# defeats the purpose. Moreover, lock files are per environment, which can make
+# it difficult for people to upgrade dependencies (e.g. upgrade an AWS provider)
+# across environments if certain environments are locked down (e.g. production).
+.terraform.lock.hcl
+
+# MacOS files
+.DS_Store
+
+# Ignore develop-specific VS code settings files
+.vscode
+
+# Ignore local environment variables which can contain environment secrets
+.env
+.envrc
+
+# Python testing stuff
+*__pycache__*
+
+docker-compose.override.yml

.hadolint.yaml

@@ -0,0 +1,11 @@
+# List of settings and ignore or safelist findings for the hadolint scanner
+# For more information on any settings you can specify, see the actions' documentation here
+# https://github.com/hadolint/hadolint#configure
+failure-threshold: warning
+ignored: []
+override:
+  info: 
+    # Casts the apt-get install <package>=<version> finding as info
+    # We have this set since there is no way to specify version for
+    #  build-essentials in the Dockerfile
+    - DL3008

README.md

@@ -0,0 +1,5 @@
+# Nava Labs Decision Support Tool
+Welcome! You are at the root of the Nava Labs Decision Support Tool pilot repo.
+
+## Local Development
+To set up your local development environment, follow the instructions in [Getting Started](docs/app/getting-started.md).

app/.gitignore

@@ -0,0 +1,31 @@
+# Python compiled/optimized files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# Python packaging stuff
+dist/
+*.egg-info
+
+# Python testing stuff
+.coverage*
+coverage.*
+.testmondata
+.pytest_cache/
+
+# Python virtual environments
+.venv
+
+# Environment variables
+.env
+.envrc
+
+# mypy
+.mypy_cache
+
+# VSCode Workspace
+*.code-workspace
+.vscode
+
+# Poetry installer local error logs
+poetry-installer-error-*.log

app/.python-version

@@ -0,0 +1 @@
+3.12

app/Dockerfile

@@ -0,0 +1,112 @@
+# Use the official python3 image based on Debian 11 "Bullseye".
+# https://hub.docker.com/_/python
+
+# The build stage that will be used to deploy to the various environments
+# needs to be called `release` in order to integrate with the repo's
+# top-level Makefile
+FROM python:3-slim AS base
+
+# Install poetry, the package manager.
+# https://python-poetry.org
+RUN pip install --no-cache-dir poetry==1.5
+
+RUN apt-get update \
+    # Install security updates
+    # https://pythonspeed.com/articles/security-updates-in-docker/
+    && apt-get upgrade --yes \
+    && apt-get install --no-install-recommends --yes \
+    build-essential \
+    libpq-dev \
+    postgresql \
+    wget \
+    # Reduce the image size by clear apt cached lists
+    # Complies with https://github.com/codacy/codacy-hadolint/blob/master/codacy-hadolint/docs/description/DL3009.md
+    && rm -fr /var/lib/apt/lists/* \
+    && rm /etc/ssl/private/ssl-cert-snakeoil.key
+
+ARG RUN_UID
+ARG RUN_USER
+
+# The following logic creates the RUN_USER home directory and the directory where
+# we will be storing the application in the image. This runs when the user is not root
+RUN : "${RUN_USER:?RUN_USER and RUN_UID need to be set and non-empty.}" && \
+    [ "${RUN_USER}" = "root" ] || \
+    (useradd --create-home --create --user-group --home "/home/${RUN_USER}" --uid ${RUN_UID} "${RUN_USER}" \
+    && mkdir /app \
+    && chown -R ${RUN_UID} "/home/${RUN_USER}" /app)
+
+#-----------
+# Dev image
+#-----------
+
+FROM base AS dev
+ARG RUN_USER
+USER ${RUN_USER}
+WORKDIR /app
+
+COPY pyproject.toml poetry.lock ./
+# Explicitly create a new virtualenv to avoid getting overridden by mounted .venv folders
+RUN poetry config virtualenvs.in-project false && poetry env use python
+# Install all dependencies including dev dependencies
+RUN poetry install --no-root --with dev
+
+COPY . /app
+
+# Set the host to 0.0.0.0 to make the server available external
+# to the Docker container that it's running in.
+ENV HOST=0.0.0.0
+
+# Run the application.
+CMD ["poetry", "run", "python", "-m", "src"]
+
+#---------
+# Release
+#---------
+
+FROM base AS release
+ARG RUN_USER
+
+# Gunicorn requires this workaround to create writable temporary directory in
+# our readonly root file system. https://github.com/aws/containers-roadmap/issues/736
+RUN mkdir -p /tmp
+VOLUME ["/tmp"]
+
+# TODO(https://github.com/navapbc/template-application-flask/issues/23) Productionize the Docker image
+
+WORKDIR /app
+
+COPY . /app
+
+# Remove any existing virtual environments that might exist. This
+# might happen if testing out building the release image from a local machine
+# that has a virtual environment within the project app folder.
+RUN rm -fr /app/.venv
+
+# Set virtualenv location to be in project to be easy to find
+# This will create a virtualenv in /app/.venv/
+# See https://python-poetry.org/docs/configuration/#virtualenvsin-project
+# See https://python-poetry.org/docs/configuration/#using-environment-variables
+ENV POETRY_VIRTUALENVS_IN_PROJECT=true
+
+# Install production runtime dependencies only
+RUN poetry install --no-root --only main
+
+# Build the application binary (python wheel) defined in pyproject.toml
+# Note that this will only copy over python files, and files stated in the
+# include section in pyproject.toml. Also note that if you change the name or
+# version section in pyproject.toml, you will need to change the dist/... to match
+# or the application will not build
+RUN poetry build --format wheel && poetry run pip install 'dist/decision_support_tool-0.1.0-py3-none-any.whl'
+
+# Add project's virtual env to the PATH so we can directly run poetry scripts
+# defined in pyproject.toml
+ENV PATH="/app/.venv/bin:$PATH"
+
+# Set the host to 0.0.0.0 to make the server available external
+# to the Docker container that it's running in.
+ENV HOST=0.0.0.0
+
+USER ${RUN_USER}
+
+# Run the application.
+CMD ["poetry", "run", "gunicorn", "src.app:create_app()"]