diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
new file mode 100644
index 0000000..ae065e1
--- /dev/null
+++ b/terraform/.terraform.lock.hcl
@@ -0,0 +1,46 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.12.0" + constraints = "~> 5.0" + hashes = [ + "h1:3Gchmc4oyFvWh3B4tEOQN5UOCd0bfp0P4fEgdpatmlo=", + "h1:i28TUsgqoKs891cyDU0V9fFAwEz/RqbwF8sQShLfNq0=", + "zh:0953565eb67ece49556dc9046c77322dc6c76e0ae6fa0c9fd6710b6afa2588c9", + "zh:43676f3592c127a971719cc37b9199967376fb05d445b356f1545609e2b84bf8", + "zh:46422ab8044b35e90f422ffabc17fa043ec8e4a33e3df2f8b305d63a950c0edb", + "zh:4d34f024a82d31d10b5a9498d26fca71e3e35c543dfc5185c94c3205bc4dba22", + "zh:51be0eeb882f041fc2679bd621e64cd775d013ae003055cea013c9d630c15dfb", + "zh:7ca9252befa7271899febde25b679a73f90dbdb700cbbfec07d29389a3937131", + "zh:8325b2152be0534a718e497a3273cf6c42880e78f290dc35024feef2e0af8e97", + "zh:98f0c4d4c190cf4897cb9075a538f42f2998566e9f2d15755901fbb4862f8b32", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a71e0bc6754bb3924b31727d80f05b04fa65247c009ffdfd2a715a01d95b373d", + "zh:a82ae67ce3d4c7aaae761a592275b8cac5e9965a30b2dba951c1d965b3121006", + "zh:c5510eca023cec89557a8244648bf8ad9a0cd3189b6abf6dcceba30e3b2e8c6d", + "zh:cd11fe9c83793e838b6f90a55840fc45e7c106b358a68f0a88db09a29a321c9a", + "zh:e451ad353f219a2922b92e786a93c31658168b896317be127798cddfa9a99363", + "zh:e4b70a70e925b9ccb7d44e17fd8e7b89aa744a965f298f8bb2480a5c96f3c4f0", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.5.1" + hashes = [ + "h1:IL9mSatmwov+e0+++YX2V6uel+dV6bn+fC/cnGDK3Ck=", + "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=", + "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64", + "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d", + "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831", + "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3", + 
"zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b", + "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2", + "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865", + "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03", + "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602", + "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014", + ] +}
diff --git a/terraform/IA-3231.sh b/terraform/IA-3231.sh
new file mode 100755
index 0000000..d821916
--- /dev/null
+++ b/terraform/IA-3231.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+WORKSPACE=`terraform workspace show`
+SERVICE='hubzone-api'
+
+SGID=`aws ec2 describe-security-groups --query "SecurityGroups[?contains(GroupName, '${WORKSPACE}-${SERVICE}-fg-svc-sg') && starts_with(GroupName, '${WORKSPACE}')].GroupId" --output text`
+terraform import \
+  "module.api.aws_security_group_rule.fargate_egress" \
+  "${SGID}_egress_all_0_0_0.0.0.0/0"
+
+SGID=`aws ec2 describe-security-groups --query "SecurityGroups[?contains(GroupName, '${WORKSPACE}-${SERVICE}-fg-alb') && starts_with(GroupName, '${WORKSPACE}')].GroupId" --output text`
+terraform import \
+  "module.api.aws_security_group_rule.alb_egress" \
+  "${SGID}_egress_all_0_0_0.0.0.0/0"
+
+terraform import \
+  "module.api.aws_security_group_rule.alb_egress_ipv6[0]" \
+  "${SGID}_egress_all_0_0_::/0"
diff --git a/terraform/fargate.tf b/terraform/fargate.tf
index 5447e0b..ec36b85 100644
--- a/terraform/fargate.tf
+++ b/terraform/fargate.tf
@@ -18,7 +18,7 @@ locals {
 module "api" {
   source = "USSBA/easy-fargate-service/aws"
-  version = "~> 7.0"
+  version = "~> 11.0"
   # cloudwatch logging
   log_group_name = "/ecs/${terraform.workspace}/${local.env.service_name}"
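Review bot: `SGID` is used unchecked in all three `terraform import` calls: the `contains(...)` filter can return zero or several group IDs (a group named e.g. `${WORKSPACE}-${SERVICE}-fg-svc-sg-old` also matches), and `--output text` then yields an empty string or tab-joined IDs, so the import either fails with an opaque `_egress_all_0_0_0.0.0.0/0` error or, worse, is attempted against the wrong group. The script also runs without `set -euo pipefail`, so a failed `aws` call does not stop the later imports, and the third import silently reuses the ALB `SGID` from the previous lookup, which is correct but deserves a comment. Resolve each group through one helper that requires exactly one match, and prefer `$(...)` over backticks; if the module appends a suffix to the group name so an exact `GroupName == '...'` match is not possible, keep `contains` but still enforce the single-result check.
```shell
set -euo pipefail

# Resolve exactly one security group ID by name; abort on zero or several matches.
sg_id() {
  local ids
  ids=$(aws ec2 describe-security-groups \
    --query "SecurityGroups[?GroupName == '$1'].GroupId" --output text)
  if [ -z "$ids" ] || [ "$(wc -w <<< "$ids")" -ne 1 ]; then
    echo "expected exactly one security group named '$1', got: '${ids}'" >&2
    exit 1
  fi
  echo "$ids"
}

SGID=$(sg_id "${WORKSPACE}-${SERVICE}-fg-svc-sg")
# … unchanged: terraform import for fargate_egress …
SGID=$(sg_id "${WORKSPACE}-${SERVICE}-fg-alb")
# … unchanged: terraform import for alb_egress and alb_egress_ipv6[0] (both use the ALB group) …
```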
@@ -27,18 +27,19 @@ module "api" {
   # access logs
   # note: bucket permission may need to be adjusted
   # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-logging-bucket-permissions
-  alb_log_bucket_name = local.env.log_bucket
-  alb_log_prefix = "${terraform.workspace}/alb/${local.env.service_name}"
+  alb_log_bucket_name = "${local.account_id}-${local.region}-logs"
+  alb_log_prefix = "alb/${local.env.service_name}/${terraform.workspace}"
   family = "${terraform.workspace}-${local.env.service_name}-fg"
   task_cpu = local.env.task_cpu_rails
   task_memory = local.env.task_memory_rails
   enable_execute_command = true
+  ipv6 = false
   #alb_idle_timeout = 60
   ## If the ecs task needs to access AWS API for any reason, grant
   ## it permissions with this parameter and the policy resource below
-  #task_policy_json = data.aws_iam_policy_document.fargate.json
+  task_policy_json = data.aws_iam_policy_document.fargate.json
   # Deployment
   enable_deployment_rollbacks = true
@@ -81,14 +82,19 @@ module "api" {
 }
 ## If the ecs task needs to access AWS API for any reason, grant it permissions with this
-#
-#data "aws_iam_policy_document" "fargate" {
-#  statement {
-#    sid = "AllResources"
-#    actions = [
-#      "s3:ListAllMyBuckets",
-#      "s3:GetBucketLocation",
-#    ]
-#    resources = ["*"]
-#  }
-#}
\ No newline at end of file
+
+data "aws_iam_policy_document" "fargate" {
+  statement {
+    sid = "AllResources"
+    actions = [
+      "s3:GetObject",
+      "s3:PutObject",
+      "s3:List*",
+      "s3:GetBucketLocation",
+    ]
+    resources = [
+      "${data.aws_s3_bucket.logs.arn}",
+      "${data.aws_s3_bucket.logs.arn}/*"
+    ]
+  }
+}
diff --git a/terraform/infrastructure-resources.tf b/terraform/infrastructure-resources.tf
index b0dff1e..d6ce2e1 100644
--- a/terraform/infrastructure-resources.tf
+++ b/terraform/infrastructure-resources.tf
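Review bot: `alb_log_bucket_name` is built from `local.account_id` while the `aws_s3_bucket.logs` data source added in infrastructure-resources.tf builds the same bucket name from `local.account_ids[terraform.workspace]`; if those two locals can ever disagree (locals.tf is only partly visible here), the ALB writes its access logs to one bucket and the task policy grants access to a different one, and nothing in the plan would flag it. Take the name from a single place, e.g. `alb_log_bucket_name = data.aws_s3_bucket.logs.bucket`, so the naming convention exists in one expression and a missing bucket fails at plan time. The `## If the ecs task needs to access AWS API for any reason, grant` comment above `task_policy_json` still describes an optional, commented-out setting; now that the policy is live, replace it with a one-line statement of what the task actually needs the logs bucket for, which this diff does not say.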
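Review bot: The new `aws_iam_policy_document.fargate` grants the task role `s3:PutObject` and `s3:List*` over the entire account logs bucket, the same bucket the ALB access logs are written to under `alb/...`, so a compromised container could read or overwrite the service's own access logs and every other prefix in that bucket. Restrict the object actions to the prefix the application actually uses and grant `s3:ListBucket` on the bucket ARN with an `s3:prefix` condition; note that `s3:List*` on an object ARN (`.../*`) grants nothing useful, and the wildcard also pulls in `ListBucketVersions` and multipart listings. The `"${data.aws_s3_bucket.logs.arn}"` wrapping is a bare interpolation that `terraform fmt`/`validate` warns about; reference the attribute directly. Which prefix the task needs is not visible from this diff, so confirm it with the application before narrowing; the prefix below is a placeholder.
```hcl
data "aws_iam_policy_document" "fargate" {
  # Bucket-level: list only the service's own prefix (TODO confirm prefix with the app).
  statement {
    sid       = "ListServicePrefix"
    actions   = ["s3:ListBucket"]
    resources = [data.aws_s3_bucket.logs.arn]
    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["${local.env.service_name}/${terraform.workspace}/*"]
    }
  }
  # GetBucketLocation does not carry s3:prefix, so it gets its own unconditioned statement.
  statement {
    sid       = "BucketLocation"
    actions   = ["s3:GetBucketLocation"]
    resources = [data.aws_s3_bucket.logs.arn]
  }
  # Object-level: read/write only under that prefix; never the alb/ access-log prefix.
  statement {
    sid       = "ServiceObjects"
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["${data.aws_s3_bucket.logs.arn}/${local.env.service_name}/${terraform.workspace}/*"]
  }
}
```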
@@ -72,3 +72,7 @@ data "aws_sns_topic" "alerts" {
   for_each = toset(["green", "yellow", "red", "security"])
   name = "${local.account_name}-teams-${each.value}-notifications"
 }
+
+data "aws_s3_bucket" "logs" {
+  bucket = "${local.account_ids[terraform.workspace]}-${local.region}-logs"
+}
diff --git a/terraform/locals.tf b/terraform/locals.tf
index a8fcef9..468c6db 100644
--- a/terraform/locals.tf
+++ b/terraform/locals.tf
@@ -26,7 +26,6 @@ locals {
     rails_port = 3001
     task_cpu_rails = "256"
     task_memory_rails = "512"
-    log_bucket = "${local.account_id}-logs"
     health_check_path = "/api/aws-hc"
     desired_container_count_rails = 1 # the starting number of containers
diff --git a/terraform/versions.tf b/terraform/versions.tf
index ed00e8a..bb4f669 100644
--- a/terraform/versions.tf
+++ b/terraform/versions.tf
@@ -1,10 +1,9 @@
 terraform {
+  required_version = "1.6.1"
   required_providers {
     aws = {
-      version = ">= 3.69, < 5.0"
+      version = "~> 5.0"
       source = "hashicorp/aws"
     }
   }
-  required_version = "~> 1.0"
 }
-
diff --git a/terraform/write-tfvars.sh b/terraform/write-tfvars.sh
new file mode 100755
index 0000000..1afebf4
--- /dev/null
+++ b/terraform/write-tfvars.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+TAG=`terraform state show module.api.aws_ecs_task_definition.fargate | grep -E 'image\s+=' | cut -d: -f2 | sed -e 's/"//g'`
+echo "image_tag = \"${TAG}\"" > terraform.tfvars
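Review bot: In write-tfvars.sh, if `terraform state show` fails or `grep` finds no `image` line, `TAG` is empty and the script still overwrites `terraform.tfvars` with `image_tag = ""`, which the next plan/apply would pick up as the image to deploy; add `set -euo pipefail` at the top and guard the write with `[ -n "$TAG" ] || { echo "could not read image tag from state" >&2; exit 1; }`. The `>` redirect also discards anything else already in `terraform.tfvars`; if that file may hold more than `image_tag`, write to a dedicated file such as `image.auto.tfvars` instead. `cut -d: -f2` assumes the image reference contains exactly one colon, so a registry host with a port would yield the port rather than the tag; `sed -E 's/.*:([^:"]+)"$/\1/'` on the matched line is more robust.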