updating terraform folder

USSBA · May 24, 2024 · 29969be · 29969be
1 parent 32d9aba
commit 29969be
Show file tree

Hide file tree

Showing 7 changed files with 95 additions and 19 deletions.
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
diff --git a/terraform/IA-3231.sh b/terraform/IA-3231.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+WORKSPACE=`terraform workspace show`
+SERVICE='hubzone-api'
+
+SGID=`aws ec2 describe-security-groups --query "SecurityGroups[?contains(GroupName, '${WORKSPACE}-${SERVICE}-fg-svc-sg') && starts_with(GroupName, '${WORKSPACE}')].GroupId" --output text`
+terraform import \
+  "module.api.aws_security_group_rule.fargate_egress" \
+  "${SGID}_egress_all_0_0_0.0.0.0/0"
+
+SGID=`aws ec2 describe-security-groups --query "SecurityGroups[?contains(GroupName, '${WORKSPACE}-${SERVICE}-fg-alb') && starts_with(GroupName, '${WORKSPACE}')].GroupId" --output text`
+terraform import \
+  "module.api.aws_security_group_rule.alb_egress" \
+  "${SGID}_egress_all_0_0_0.0.0.0/0"
+
+terraform import \
+  "module.api.aws_security_group_rule.alb_egress_ipv6[0]" \
+  "${SGID}_egress_all_0_0_::/0"
diff --git a/terraform/fargate.tf b/terraform/fargate.tf
@@ -18,7 +18,7 @@ locals {
 
 module "api" {
   source  = "USSBA/easy-fargate-service/aws"
-  version = "~> 7.0"
+  version = "~> 11.0"
 
   # cloudwatch logging
   log_group_name              = "/ecs/${terraform.workspace}/${local.env.service_name}"
@@ -27,18 +27,19 @@ module "api" {
   # access logs
   # note: bucket permission may need to be adjusted
   # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-logging-bucket-permissions
-  alb_log_bucket_name = local.env.log_bucket
-  alb_log_prefix      = "${terraform.workspace}/alb/${local.env.service_name}"
+  alb_log_bucket_name = "${local.account_id}-${local.region}-logs"
+  alb_log_prefix      = "alb/${local.env.service_name}/${terraform.workspace}"
 
   family                 = "${terraform.workspace}-${local.env.service_name}-fg"
   task_cpu               = local.env.task_cpu_rails
   task_memory            = local.env.task_memory_rails
   enable_execute_command = true
+  ipv6                   = false
   #alb_idle_timeout      = 60
 
   ## If the ecs task needs to access AWS API for any reason, grant
   ## it permissions with this parameter and the policy resource below
-  #task_policy_json       = data.aws_iam_policy_document.fargate.json
+  task_policy_json = data.aws_iam_policy_document.fargate.json
 
   # Deployment
   enable_deployment_rollbacks        = true
@@ -81,14 +82,19 @@ module "api" {
 }
 
 ## If the ecs task needs to access AWS API for any reason, grant it permissions with this
-#
-#data "aws_iam_policy_document" "fargate" {
-#  statement {
-#    sid = "AllResources"
-#    actions = [
-#      "s3:ListAllMyBuckets",
-#      "s3:GetBucketLocation",
-#    ]
-#    resources = ["*"]
-#  }
-#}
+
+data "aws_iam_policy_document" "fargate" {
+  statement {
+    sid = "AllResources"
+    actions = [
+      "s3:GetObject",
+      "s3:PutObject",
+      "s3:List*",
+      "s3:GetBucketLocation",
+    ]
+    resources = [
+      "${data.aws_s3_bucket.logs.arn}",
+      "${data.aws_s3_bucket.logs.arn}/*"
+    ]
+  }
+}
diff --git a/terraform/infrastructure-resources.tf b/terraform/infrastructure-resources.tf
@@ -72,3 +72,7 @@ data "aws_sns_topic" "alerts" {
   for_each = toset(["green", "yellow", "red", "security"])
   name     = "${local.account_name}-teams-${each.value}-notifications"
 }
+
+data "aws_s3_bucket" "logs" {
+  bucket = "${local.account_ids[terraform.workspace]}-${local.region}-logs"
+}
diff --git a/terraform/locals.tf b/terraform/locals.tf
@@ -26,7 +26,6 @@ locals {
       rails_port        = 3001
       task_cpu_rails    = "256"
       task_memory_rails = "512"
-      log_bucket        = "${local.account_id}-logs"
 
       health_check_path             = "/api/aws-hc"
       desired_container_count_rails = 1 # the starting number of containers

diff --git a/terraform/versions.tf b/terraform/versions.tf
@@ -1,10 +1,9 @@
 terraform {
+  required_version = "1.6.1"
   required_providers {
     aws = {
-      version = ">= 3.69, < 5.0"
+      version = "~> 5.0"
       source  = "hashicorp/aws"
     }
   }
-  required_version = "~> 1.0"
 }
-
diff --git a/terraform/write-tfvars.sh b/terraform/write-tfvars.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+TAG=`terraform state show module.api.aws_ecs_task_definition.fargate | grep -E 'image\s+=' | cut -d: -f2 | sed -e 's/"//g'`
+echo "image_tag = \"${TAG}\"" > terraform.tfvars