diff --git a/.github/workflows/aws-template-terraform.yml b/.github/workflows/aws-template-terraform.yml index 574e1987..db6db7d0 100644 --- a/.github/workflows/aws-template-terraform.yml +++ b/.github/workflows/aws-template-terraform.yml @@ -14,7 +14,7 @@ on: type: string TEST_BUCKET_NAME: required: true - type: string + type: string permissions: id-token: write @@ -35,10 +35,10 @@ jobs: env: CONTEXT_FOLDER: ${{ inputs.CONTEXT_FOLDER }} CHANGE_FOLDER_NAME: ${{ inputs.CHANGE_FOLDER_NAME }} - run: | + run: | echo "=============== list modified files ===============" git diff --name-only HEAD^ HEAD - + echo "========== check paths of modified files ==========" git diff --name-only HEAD^ HEAD >> files.txt infra_changed=false 
@@ -55,54 +55,53 @@ jobs: deploy_infra: name: Deploy Infra runs-on: ubuntu-latest - environment: + environment: name: ${{ inputs.ENVIRONMENT_NAME }} + env: + TF_VAR_app_name: ${{ vars.APP_NAME }} + TF_VAR_environment: ${{ vars.ENVIRONMENT_NAME }} + TF_VAR_kms_key_name: ${{ vars.KMS_KEY_NAME }} needs: [check_changes] steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-skip-session-tagging: true - aws-region: ${{ vars.AWS_REGION }} - role-to-assume: ${{ vars.AWS_ROLE_ARN }} - role-duration-seconds: 1800 - role-session-name: ci-deployment - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: 1.9.0 - - name: Terraform Init - id: init - env: - CONTEXT_FOLDER: ${{ inputs.CONTEXT_FOLDER }} - run: | - terraform init -input=false - working-directory: ${{ inputs.CONTEXT_FOLDER }} - - name: Terraform Plan - id: plan - env: - CONTEXT_FOLDER: ${{ inputs.CONTEXT_FOLDER }} - TF_VAR_test_s3_bucket_name: ${{ inputs.TEST_BUCKET_NAME }} - run: | - terraform plan -no-color -input=false - continue-on-error: true - working-directory: ${{ inputs.CONTEXT_FOLDER }} - - name: Terraform Plan Status - if: steps.plan.outcome == 'failure' - run: exit 1 - - name: Terraform Apply - env: - CONTEXT_FOLDER: ${{ inputs.CONTEXT_FOLDER }} - TF_VAR_test_s3_bucket_name: ${{ inputs.TEST_BUCKET_NAME }} - run: | - terraform apply --auto-approve -input=false - working-directory: ${{ inputs.CONTEXT_FOLDER }} - - + - name: Checkout repository + uses: actions/checkout@v4 + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-skip-session-tagging: true + aws-region: ${{ vars.AWS_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-duration-seconds: 1800 + role-session-name: ci-deployment - \ No newline at end of file + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: 
1.9.0 + - name: Terraform Init + id: init + env: + CONTEXT_FOLDER: ${{ inputs.CONTEXT_FOLDER }} + run: | + terraform init -input=false -backend-config=backend.tfvars -var-file=${{ inputs.ENVIRONMENT_NAME }}.tfvars + working-directory: ${{ inputs.CONTEXT_FOLDER }} + - name: Terraform Plan + id: plan + env: + CONTEXT_FOLDER: ${{ inputs.CONTEXT_FOLDER }} + #TF_VAR_test_s3_bucket_name: ${{ inputs.TEST_BUCKET_NAME }} + run: | + terraform plan -no-color -input=false -var-file=${{ inputs.ENVIRONMENT_NAME }}.tfvars + continue-on-error: true + working-directory: ${{ inputs.CONTEXT_FOLDER }} + - name: Terraform Plan Status + if: steps.plan.outcome == 'failure' + run: exit 1 + - name: Terraform Apply + env: + CONTEXT_FOLDER: ${{ inputs.CONTEXT_FOLDER }} + #TF_VAR_test_s3_bucket_name: ${{ inputs.TEST_BUCKET_NAME }} + run: | + terraform apply --auto-approve -input=false -var-file=${{ inputs.ENVIRONMENT_NAME }}.tfvars + working-directory: ${{ inputs.CONTEXT_FOLDER }} diff --git a/.github/workflows/deploy-infra-dev.yml b/.github/workflows/deploy-infra-dev.yml new file mode 100644 index 00000000..d6497a50 --- /dev/null +++ b/.github/workflows/deploy-infra-dev.yml @@ -0,0 +1,14 @@ +name: Deploy AWS Infra to Dev + +on: + workflow_dispatch: + +jobs: + infrastructure_deploy_snd: + uses: ./.github/workflows/aws-template-terraform.yml + with: + CONTEXT_FOLDER: ./infrastructure/cloud/environments/dev + CHANGE_FOLDER_NAME: environments/dev + ENVIRONMENT_NAME: dev + TEST_BUCKET_NAME: jasper-test-bucket + secrets: inherit diff --git a/infrastructure/cloud/README.md b/infrastructure/cloud/README.md new file mode 100644 index 00000000..96f5fd1d --- /dev/null +++ b/infrastructure/cloud/README.md 
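Review bot: `${{ inputs.ENVIRONMENT_NAME }}` is expanded straight into the `run:` strings of the Init, Plan and Apply steps (`-var-file=${{ inputs.ENVIRONMENT_NAME }}.tfvars`), which is the GitHub Actions expression-injection shape; the only caller visible here passes a literal, but any future caller controls what lands in a shell that holds an OIDC-minted AWS role. Route it through the step environment instead, `env: ENVIRONMENT_NAME: ${{ inputs.ENVIRONMENT_NAME }}` and `-var-file="${ENVIRONMENT_NAME}.tfvars"`. The job-level `TF_VAR_environment: ${{ vars.ENVIRONMENT_NAME }}` reads a repository/environment variable while everything else uses `inputs.ENVIRONMENT_NAME`; if that variable is unset the Terraform `environment` input is empty and every `-${var.environment}` suffix collapses, so I'd use `inputs.ENVIRONMENT_NAME` there as well. The three actions are pinned by tag (`@v4`, `@v4`, `@v3`); pinning to a full commit SHA closes the supply-chain window on a workflow that can apply infrastructure.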
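Review bot: `secrets: inherit` hands every repository secret to the reusable workflow, yet `aws-template-terraform.yml` as shown reads only `vars.*` and `inputs.*` and authenticates through OIDC, so nothing in it consumes a secret; drop the line, or pass only named secrets the template declares. The trigger is a bare `workflow_dispatch`, so anyone with write access can apply any branch to the `dev` environment; if the `dev` GitHub environment does not already carry deployment-branch or required-reviewer rules, that is where the guard belongs. `TEST_BUCKET_NAME: jasper-test-bucket` is passed, but the template now comments out both `TF_VAR_test_s3_bucket_name` lines and the bucket name comes from `dev.tfvars`, so the input is dead and can be removed on both sides. The job id `infrastructure_deploy_snd` reads as a leftover from the sandbox workflow.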
@@ -0,0 +1,44 @@
+# JASPER's AWS Infrastructure Setup
+
+This repository includes Terraform scripts for provisioning and managing JASPER's AWS infrastructure. The team has adopted a modularized folder structure to enhance reusability, maintainability, and separation of concerns. The infrastructure-as-code is organized into reusable, encapsulated components known as modules, along with environment-specific configurations. This structure enables consistent and efficient management of infrastructure across various environments, such as development, testing, and production.
+
+## Prerequisites
+
+1. Navigate to [BC Gov's AWS instance](https://login.nimbus.cloud.gov.bc.ca/api).
+2. Configure AWS CLI
+
+```
+aws configure sso
+```
+
+3. Follow instructions from CLI.
+
+## Running Terraform Scripts Locally
+
+1. Navigate to the desired environment (`/dev` or `/test`) where you want the Terraform scripts to be executed.
+2. Initialize the working directory.
+
+```
+terraform init -backend-config=backend.tfvars
+```
+
+3. Preview the changes that Terraform plans to deploy.
+
+```
+terraform plan -var-file="./.tfvars"
+```
+
+4. If everything looks good, execute the actions propsed Terraform plan.
+
+```
+terraform apply -var-file="./.tfvars"
+```
+
+## Deploying Terraform changes via Github Actions
+
+1. Commit and push your working branch to Github.
+2. Navigate to [Actions](https://github.com/bcgov/jasper/actions) tab.
+3. Select the desired workflow (Deploy AWS Infra to ``).
+4. Click `Run workflow` dropdown.
+5. Select working branch
+6. Click `Run workflow` button.
diff --git a/infrastructure/cloud/environments/dev/.gitkeep b/infrastructure/cloud/environments/dev/.gitkeep
deleted file mode 100644
index e69de29b..00000000
diff --git a/infrastructure/cloud/environments/dev/backend.tfvars b/infrastructure/cloud/environments/dev/backend.tfvars
new file mode 100644
index 00000000..ae3a4b7a
--- /dev/null
+++ b/infrastructure/cloud/environments/dev/backend.tfvars
@@ -0,0 +1,4 @@
+bucket = "terraform-remote-state-dev"
+dynamodb_table = "terraform-remote-state-lock"
+key = "terraform.tfstate"
+region = "ca-central-1"
diff --git a/infrastructure/cloud/environments/dev/dev.tfvars b/infrastructure/cloud/environments/dev/dev.tfvars
new file mode 100644
index 00000000..3e76a60f
--- /dev/null
+++ b/infrastructure/cloud/environments/dev/dev.tfvars
@@ -0,0 +1,2 @@
+region = "ca-central-1"
+test_s3_bucket_name = "test-s3-bucket"
diff --git a/infrastructure/cloud/environments/dev/providers.tf b/infrastructure/cloud/environments/dev/providers.tf
new file mode 100644
index 00000000..4cafa436
--- /dev/null
+++ b/infrastructure/cloud/environments/dev/providers.tf
@@ -0,0 +1,21 @@
+terraform {
+ required_version = "~> 1.9.0"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+
+ tls = {
+ source = "hashicorp/tls"
+ version = "4.0.5"
+ }
+ }
+
+ backend "s3" {
+ }
+}
+
+provider "aws" {
+ region = var.region
+}
diff --git a/infrastructure/cloud/environments/dev/variables.tf b/infrastructure/cloud/environments/dev/variables.tf
new file mode 100644
index 00000000..95616419
--- /dev/null
+++ b/infrastructure/cloud/environments/dev/variables.tf
@@ -0,0 +1,24 @@
+variable "test_s3_bucket_name" {
+ description = "The name of the S3 bucket to create for testing"
+ type = string
+}
+
+variable "region" {
+ description = "The AWS region"
+ type = string
+}
+
+variable "kms_key_name" {
+ description = "Name of KMS key"
+ type = string
+}
+
+variable "app_name" {
+ description = "The name of the application"
+ type = string
+}
+
+variable "environment" {
+ description = "The AWS environment to deploy to"
+ type = string
+}
diff --git a/infrastructure/cloud/environments/dev/webapp.tf b/infrastructure/cloud/environments/dev/webapp.tf
new file mode 100644
index 00000000..09e5baed
--- /dev/null
+++ b/infrastructure/cloud/environments/dev/webapp.tf
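Review bot: The S3 backend configuration carries no `encrypt = true`, so the state object, which will hold the KMS key, IAM role and bucket identifiers and anything Terraform later marks sensitive, is written without the backend's server-side encryption flag; add `encrypt = true` here, and `kms_key_id` once a key can be referenced from outside the stack. The lock table `terraform-remote-state-lock` has no environment suffix while the bucket has `-dev`; if dev and sandbox end up in the same account that table is shared across environments, so I'd confirm that is intended. The sandbox `backend.tfvars` added later in this diff has the same missing `encrypt` flag.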
@@ -0,0 +1,41 @@
+module "security" {
+ source = "../../modules/security"
+ environment = var.environment
+ app_name = var.app_name
+ kms_key_name = var.kms_key_name
+}
+
+module "storage" {
+ source = "../../modules/storage"
+ environment = var.environment
+ app_name = var.app_name
+ kms_key_name = module.security.kms_key_alias
+ test_s3_bucket_name = var.test_s3_bucket_name
+ depends_on = [module.security]
+}
+
+module "networking" {
+ source = "../../modules/networking"
+ environment = var.environment
+ app_name = var.app_name
+ region = var.region
+ subnet_ids = module.networking.subnet_ids
+}
+
+module "container" {
+ source = "../../modules/container"
+ environment = var.environment
+ app_name = var.app_name
+ region = var.region
+ ecs_execution_role_arn = module.security.ecs_execution_role_arn
+ subnet_ids = module.networking.subnet_ids
+ sg_id = module.networking.sg_id
+ lb_tg_arn = module.networking.lb_tg_arn
+ ecs_web_log_group_name = module.monitoring.ecs_web_log_group_name
+}
+
+module "monitoring" {
+ source = "../../modules/monitoring"
+ environment = var.environment
+ app_name = var.app_name
+}
diff --git a/infrastructure/cloud/environments/sandbox/.gitkeep b/infrastructure/cloud/environments/sandbox/.gitkeep
deleted file mode 100644
index e69de29b..00000000
diff --git a/infrastructure/cloud/environments/sandbox/backend.tfvars b/infrastructure/cloud/environments/sandbox/backend.tfvars
new file mode 100644
index 00000000..e28c510f
--- /dev/null
+++ b/infrastructure/cloud/environments/sandbox/backend.tfvars
@@ -0,0 +1,4 @@
+bucket = "terraform-remote-state-sandbox-12345"
+dynamodb_table = "terraform-remote-state-lock-12345"
+key = "terraform.tfstate"
+region = "ca-central-1"
diff --git a/infrastructure/cloud/environments/sandbox/providers.tf b/infrastructure/cloud/environments/sandbox/providers.tf
index 4d740a4b..4cafa436 100644
--- a/infrastructure/cloud/environments/sandbox/providers.tf
+++ b/infrastructure/cloud/environments/sandbox/providers.tf
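Review bot: `module "networking"` feeds its own output back in as its input (`subnet_ids = module.networking.subnet_ids`); the module already derives those IDs from `data.aws_subnets.default_public`, so the argument is redundant at best and I would expect Terraform to reject the self-reference as a cycle. Drop the argument and the module's `subnet_ids` variable, and have `elb.tf` read `data.aws_subnets.default_public.ids` directly. Worth stating in a header comment is the resulting topology: the networking module selects the account's default VPC and its default-for-AZ public subnets, which is acceptable for a throwaway dev stack but should not be carried to higher environments without a purpose-built VPC and private task subnets. `depends_on = [module.security]` on `module "storage"` is redundant because `kms_key_name = module.security.kms_key_alias` already orders the two.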
@@ -13,16 +13,9 @@ terraform { } backend "s3" { - bucket = "terraform-remote-state-sandbox-12345" - key = "terraform.tfstate" - region = "ca-central-1" - dynamodb_table = "terraform-remote-state-lock-12345" } - } - - provider "aws" { - region = "ca-central-1" -} \ No newline at end of file + region = var.region +} diff --git a/infrastructure/cloud/environments/sandbox/sandbox.tfvars b/infrastructure/cloud/environments/sandbox/sandbox.tfvars new file mode 100644 index 00000000..3e76a60f --- /dev/null +++ b/infrastructure/cloud/environments/sandbox/sandbox.tfvars @@ -0,0 +1,2 @@ +region = "ca-central-1" +test_s3_bucket_name = "test-s3-bucket" diff --git a/infrastructure/cloud/environments/sandbox/variables.tf b/infrastructure/cloud/environments/sandbox/variables.tf index 19abccf5..95616419 100644 --- a/infrastructure/cloud/environments/sandbox/variables.tf +++ b/infrastructure/cloud/environments/sandbox/variables.tf @@ -1,6 +1,24 @@ +variable "test_s3_bucket_name" { + description = "The name of the S3 bucket to create for testing" + type = string +} +variable "region" { + description = "The AWS region" + type = string +} -variable test_s3_bucket_name { - type = string - description = "The name of the S3 bucket to create for testing" -} \ No newline at end of file +variable "kms_key_name" { + description = "Name of KMS key" + type = string +} + +variable "app_name" { + description = "The name of the application" + type = string +} + +variable "environment" { + description = "The AWS environment to deploy to" + type = string +} diff --git a/infrastructure/cloud/environments/sandbox/webapp.tf b/infrastructure/cloud/environments/sandbox/webapp.tf index 8b533410..09e5baed 100644 --- a/infrastructure/cloud/environments/sandbox/webapp.tf +++ b/infrastructure/cloud/environments/sandbox/webapp.tf 
@@ -1,23 +1,41 @@ +module "security" { + source = "../../modules/security" + environment = var.environment + app_name = var.app_name + kms_key_name = var.kms_key_name +} - -locals { - environment = "snd" - application_name = "jasper-aws" +module "storage" { + source = "../../modules/storage" + environment = var.environment + app_name = var.app_name + kms_key_name = module.security.kms_key_alias + test_s3_bucket_name = var.test_s3_bucket_name + depends_on = [module.security] } -module "security" { - source = "../../modules/security" - environment = local.environment - application_name = local.application_name - kms_key_name = "jasper-kms-key" +module "networking" { + source = "../../modules/networking" + environment = var.environment + app_name = var.app_name + region = var.region + subnet_ids = module.networking.subnet_ids +} +module "container" { + source = "../../modules/container" + environment = var.environment + app_name = var.app_name + region = var.region + ecs_execution_role_arn = module.security.ecs_execution_role_arn + subnet_ids = module.networking.subnet_ids + sg_id = module.networking.sg_id + lb_tg_arn = module.networking.lb_tg_arn + ecs_web_log_group_name = module.monitoring.ecs_web_log_group_name } -module "storage" { - source = "../../modules/storage" - environment = local.environment - application_name = local.application_name - kms_key_name = module.security.kms_key_alias - test_s3_bucket_name = var.test_s3_bucket_name - depends_on = [ module.security ] -} \ No newline at end of file +module "monitoring" { + source = "../../modules/monitoring" + environment = var.environment + app_name = var.app_name +} diff --git a/infrastructure/cloud/modules/container/ecr.tf b/infrastructure/cloud/modules/container/ecr.tf new file mode 100644 index 00000000..4f5e7cc2 --- /dev/null +++ b/infrastructure/cloud/modules/container/ecr.tf 
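Review bot: `subnet_ids = module.networking.subnet_ids` passes the networking module's own output as its input; the module computes those IDs from `data.aws_subnets.default_public` internally, so the argument is redundant and likely a dependency cycle, and it should be removed along with the module's `subnet_ids` variable, with `elb.tf` reading `data.aws_subnets.default_public.ids` directly. The rewrite drops the sandbox-specific locals (`environment = "snd"`, `application_name = "jasper-aws"`) in favour of `var.environment` and `var.app_name`, which the workflow populates from `TF_VAR_*` set off GitHub `vars`; if those variables are not defined for the sandbox environment the values are empty and every `-${var.environment}` resource suffix silently collapses, so either set them in `sandbox.tfvars` or add `validation` blocks to the two variables.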
@@ -0,0 +1,12 @@
+resource "aws_ecr_repository" "ecr_repository" {
+ name = "${var.app_name}-ecr-repo-${var.environment}"
+ force_delete = true
+
+ image_scanning_configuration {
+ scan_on_push = true
+ }
+
+ tags = {
+ name = "${var.app_name}-ecr-repo-${var.environment}"
+ }
+}
diff --git a/infrastructure/cloud/modules/container/ecs.tf b/infrastructure/cloud/modules/container/ecs.tf
new file mode 100644
index 00000000..dd7ab894
--- /dev/null
+++ b/infrastructure/cloud/modules/container/ecs.tf
@@ -0,0 +1,58 @@
+resource "aws_ecs_cluster" "ecs_cluster" {
+ name = "${var.app_name}-ecs-cluster-${var.environment}"
+
+ tags = {
+ name = "${var.app_name}-ecs-cluster-${var.environment}"
+ }
+}
+
+# Web
+resource "aws_ecs_task_definition" "ecs_web_task_definition" {
+ family = "${var.app_name}-web-task-definition-${var.environment}"
+ network_mode = "awsvpc"
+ requires_compatibilities = ["FARGATE"]
+ cpu = 256
+ memory = 512
+ execution_role_arn = var.ecs_execution_role_arn
+
+ container_definitions = jsonencode([
+ {
+ name = "${var.app_name}-web-container-${var.environment}"
+ image = "${aws_ecr_repository.ecr_repository.repository_url}:${var.app_name}-web"
+ essential = true
+ portMappings = [
+ {
+ containerPort = 8080
+ }
+ ],
+ logConfiguration = {
+ logDriver = "awslogs",
+ options = {
+ awslogs-group = var.ecs_web_log_group_name,
+ awslogs-region = var.region,
+ awslogs-stream-prefix = "ecs"
+ }
+ }
+ }
+ ])
+}
+
+resource "aws_ecs_service" "ecs_web_service" {
+ name = "${var.app_name}-ecs-web-service-${var.environment}"
+ cluster = aws_ecs_cluster.ecs_cluster.id
+ task_definition = aws_ecs_task_definition.ecs_web_task_definition.arn
+ launch_type = "FARGATE"
+ desired_count = 1
+
+ network_configuration {
+ subnets = var.subnet_ids
+ security_groups = [var.sg_id]
+ assign_public_ip = true
+ }
+
+ load_balancer {
+ target_group_arn = var.lb_tg_arn
+ container_name = "${var.app_name}-web-container-${var.environment}"
+ container_port = 8080
+ }
+}
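Review bot: The repository leaves tags mutable (no `image_tag_mutability`) while the task definition in the next file pulls by tag (`:${var.app_name}-web`) rather than by digest, so whatever was pushed last under that tag is what Fargate runs and a later push silently replaces the deployed image; set `image_tag_mutability = "IMMUTABLE"` and deploy a per-build tag or a digest. `force_delete = true` makes `terraform destroy` remove the repository together with every stored image, which is fine for a scratch environment but deserves a comment such as `# force_delete: dev-only, images are disposable` so it is not copied into production. `scan_on_push = true` is good; note that findings are only useful if something consumes them, which is outside this change.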
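Review bot: `assign_public_ip = true` together with `security_groups = [var.sg_id]`, whose variable description says it is the load-balancer security group, gives every Fargate task a public IP in a public subnet with the ALB's inbound rules; since that group opens 8080/tcp to `0.0.0.0/0` (securitygroup.tf), the container is reachable directly from the internet, bypassing the ALB. Give the service its own security group that allows 8080 only from the ALB's group, and set `assign_public_ip = false` once the tasks sit in subnets with a NAT gateway or VPC endpoints for ECR and CloudWatch. The task definition sets no `task_role_arn`, so the application has no AWS identity of its own, which is the right default and is worth a comment so the execution role is not later widened to serve as one.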
diff --git a/infrastructure/cloud/modules/container/outputs.tf b/infrastructure/cloud/modules/container/outputs.tf
new file mode 100644
index 00000000..3f7af474
--- /dev/null
+++ b/infrastructure/cloud/modules/container/outputs.tf
@@ -0,0 +1,3 @@
+output "ecr_url" {
+ value = try(aws_ecr_repository.ecr_repository.repository_url, "")
+}
diff --git a/infrastructure/cloud/modules/container/variables.tf b/infrastructure/cloud/modules/container/variables.tf
new file mode 100644
index 00000000..34cc2464
--- /dev/null
+++ b/infrastructure/cloud/modules/container/variables.tf
@@ -0,0 +1,39 @@
+variable "environment" {
+ description = "The environment to deploy the application to"
+ type = string
+}
+
+variable "app_name" {
+ description = "The name of the application"
+ type = string
+}
+
+variable "region" {
+ description = "The AWS region"
+ type = string
+}
+
+variable "ecs_execution_role_arn" {
+ description = "ECS Execution Role ARN"
+ type = string
+}
+
+variable "subnet_ids" {
+ description = "Public Subnet IDs"
+ type = list(string)
+}
+
+variable "sg_id" {
+ description = "Load Balancer Security Group ID"
+ type = string
+}
+
+variable "lb_tg_arn" {
+ description = "Load Balancer Target Group ARN"
+ type = string
+}
+
+variable "ecs_web_log_group_name" {
+ description = "ECS Web Log Group Name in CloudWatch"
+ type = string
+}
diff --git a/infrastructure/cloud/modules/monitoring/logs.tf b/infrastructure/cloud/modules/monitoring/logs.tf
new file mode 100644
index 00000000..f57c3359
--- /dev/null
+++ b/infrastructure/cloud/modules/monitoring/logs.tf
@@ -0,0 +1,4 @@
+resource "aws_cloudwatch_log_group" "ecs_web_log_group" {
+ name = "${var.app_name}-ecs-web-log-group-${var.environment}"
+ retention_in_days = 30
+}
diff --git a/infrastructure/cloud/modules/monitoring/outputs.tf b/infrastructure/cloud/modules/monitoring/outputs.tf
new file mode 100644
index 00000000..c35f6515
--- /dev/null
+++ b/infrastructure/cloud/modules/monitoring/outputs.tf
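Review bot: The `aws_cloudwatch_log_group` sets a 30-day retention but no `kms_key_id`, so container logs use CloudWatch's default encryption even though the stack provisions its own KMS key in the security module; if request data can reach these logs, take the key ARN as a module input and set `kms_key_id = var.kms_key_arn` (the key policy must then let `logs.<region>.amazonaws.com` use the key, which the security module does not show). `retention_in_days = 30` is a sensible dev default; making it a variable lets production set a longer period without touching the module.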
@@ -0,0 +1,3 @@
+output "ecs_web_log_group_name" {
+ value = aws_cloudwatch_log_group.ecs_web_log_group.name
+}
diff --git a/infrastructure/cloud/modules/monitoring/variables.tf b/infrastructure/cloud/modules/monitoring/variables.tf
new file mode 100644
index 00000000..7d95abc7
--- /dev/null
+++ b/infrastructure/cloud/modules/monitoring/variables.tf
@@ -0,0 +1,9 @@
+variable "environment" {
+ description = "The environment to deploy the application to"
+ type = string
+}
+
+variable "app_name" {
+ description = "The name of the application"
+ type = string
+}
diff --git a/infrastructure/cloud/modules/networking/elb.tf b/infrastructure/cloud/modules/networking/elb.tf
new file mode 100644
index 00000000..2e5e1a50
--- /dev/null
+++ b/infrastructure/cloud/modules/networking/elb.tf
@@ -0,0 +1,43 @@
+resource "aws_lb" "lb" {
+ name = "${var.app_name}-lb-${var.environment}"
+ internal = false
+ load_balancer_type = "application"
+ subnets = var.subnet_ids
+ security_groups = [aws_security_group.sg.id]
+ enable_deletion_protection = false
+
+ tags = {
+ Name = "${var.app_name}-lb-${var.environment}"
+ }
+}
+
+
+resource "aws_lb_target_group" "lb_target_group" {
+ name = "${var.app_name}-lb-tg-${var.environment}"
+ port = 8080
+ protocol = "HTTP"
+ vpc_id = data.aws_vpc.default.id
+ target_type = "ip"
+
+ health_check {
+ port = 8080
+ healthy_threshold = 3
+ unhealthy_threshold = 2
+ timeout = 3
+ interval = 30
+ path = "/"
+ protocol = "HTTP"
+ matcher = "200"
+ }
+}
+
+resource "aws_lb_listener" "lb_listener" {
+ load_balancer_arn = aws_lb.lb.arn
+ port = 80
+ protocol = "HTTP"
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.lb_target_group.arn
+ }
+}
diff --git a/infrastructure/cloud/modules/networking/outputs.tf b/infrastructure/cloud/modules/networking/outputs.tf
new file mode 100644
index 00000000..8b98bcb6
--- /dev/null
+++ b/infrastructure/cloud/modules/networking/outputs.tf
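Review bot: The only listener is port 80 `HTTP` on an `internal = false` ALB, so the application is served in clear text with no HTTPS listener and no redirect; add a 443 listener with an ACM certificate and an `ssl_policy`, and change the port 80 default action to `type = "redirect"` to 443. `drop_invalid_header_fields = true` on `aws_lb` is also worth setting on anything public-facing. `enable_deletion_protection = false` and the `/` health check with `matcher = "200"` are fine for dev, but deletion protection should become a variable before this module is reused for higher environments.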
@@ -0,0 +1,11 @@
+output "sg_id" {
+ value = aws_security_group.sg.id
+}
+
+output "lb_tg_arn" {
+ value = aws_lb_target_group.lb_target_group.arn
+}
+
+output "subnet_ids" {
+ value = data.aws_subnets.default_public.ids
+}
diff --git a/infrastructure/cloud/modules/networking/securitygroup.tf b/infrastructure/cloud/modules/networking/securitygroup.tf
new file mode 100644
index 00000000..d3f56ea2
--- /dev/null
+++ b/infrastructure/cloud/modules/networking/securitygroup.tf
@@ -0,0 +1,47 @@
+# Load Balancer Security Group
+resource "aws_security_group" "sg" {
+ name = "${var.app_name}-lb-sg-${var.environment}"
+ vpc_id = data.aws_vpc.default.id
+
+ ingress {
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ from_port = 8080
+ to_port = 8080
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+
+# # ECS Security Group
+# resource "aws_security_group" "ecs_sg" {
+# name = "${var.app_name}-ecs-sg-${var.environment}"
+# vpc_id = aws_vpc.vpc.id
+
+# ingress {
+# from_port = 80
+# to_port = 80
+# protocol = "tcp"
+# security_groups = [aws_security_group.sg.id]
+# }
+
+# egress {
+# from_port = 0
+# to_port = 0
+# protocol = "-1"
+# cidr_blocks = ["0.0.0.0/0"]
+# }
+# }
diff --git a/infrastructure/cloud/modules/networking/variables.tf b/infrastructure/cloud/modules/networking/variables.tf
new file mode 100644
index 00000000..4aa5942f
--- /dev/null
+++ b/infrastructure/cloud/modules/networking/variables.tf
@@ -0,0 +1,20 @@
+variable "app_name" {
+ description = "The name of the application"
+ type = string
+}
+
+variable "environment" {
+ description = "The AWS environment to deploy to"
+ type = string
+}
+
+variable "region" {
+ description = "The AWS region"
+ type = string
+}
+
+variable "subnet_ids" {
+ description = "The default VPC subnet ids"
+ type = list(string)
+}
+
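Review bot: The second ingress rule, 8080/tcp from `0.0.0.0/0`, does not belong on the load-balancer group: the ALB listens only on 80, and because `ecs.tf` attaches this same group to Fargate tasks that carry public IPs, the rule exposes the container port to the internet around the ALB. The commented-out `ecs_sg` block already sketches the right shape; finish it, using `data.aws_vpc.default.id` rather than the non-existent `aws_vpc.vpc`, allow 8080 only from `aws_security_group.sg.id`, remove the 8080 rule from `sg`, and export the new group's id for the container module. The unrestricted egress on both groups is conventional but could be narrowed to 443 once the tasks need only ECR and CloudWatch.

```hcl
# Load Balancer Security Group: only the listener port is reachable from the internet.
resource "aws_security_group" "sg" {
  name   = "${var.app_name}-lb-sg-${var.environment}"
  vpc_id = data.aws_vpc.default.id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # … unchanged: egress block …
}

# ECS task Security Group: the container port is reachable only from the load balancer.
resource "aws_security_group" "ecs_sg" {
  name   = "${var.app_name}-ecs-sg-${var.environment}"
  vpc_id = data.aws_vpc.default.id

  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.sg.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```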
diff --git a/infrastructure/cloud/modules/networking/vpc.tf b/infrastructure/cloud/modules/networking/vpc.tf
new file mode 100644
index 00000000..5e79ecd5
--- /dev/null
+++ b/infrastructure/cloud/modules/networking/vpc.tf
@@ -0,0 +1,15 @@
+data "aws_vpc" "default" {
+ default = true
+}
+
+data "aws_subnets" "default_public" {
+ filter {
+ name = "vpc-id"
+ values = [data.aws_vpc.default.id]
+ }
+
+ filter {
+ name = "default-for-az"
+ values = ["true"]
+ }
+}
diff --git a/infrastructure/cloud/modules/security/iam.tf b/infrastructure/cloud/modules/security/iam.tf
new file mode 100644
index 00000000..2c0a892a
--- /dev/null
+++ b/infrastructure/cloud/modules/security/iam.tf
@@ -0,0 +1,54 @@
+resource "aws_iam_role" "ecs_execution_role" {
+ name = "${var.app_name}-ecs-execution-role-${var.environment}"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Principal = {
+ Service = "ecs-tasks.amazonaws.com"
+ }
+ Action = "sts:AssumeRole"
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role_policy" "ecs_execution_policy" {
+ name = "${var.app_name}-ecs-execution-policy-${var.environment}"
+ role = aws_iam_role.ecs_execution_role.id
+
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Action = [
+ "ecr:GetAuthorizationToken",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:GetRepositoryPolicy",
+ "ecr:DescribeRepositories",
+ "ecr:ListImages",
+ "ecr:DescribeImages",
+ "ecr:BatchGetImage",
+ "ecr:GetLifecyclePolicy",
+ "ecr:GetLifecyclePolicyPreview",
+ "ecr:ListTagsForResource",
+ "ecr:DescribeImageScanFindings"
+ ],
+ Effect = "Allow",
+ Resource = "*"
+ },
+ {
+ Action = [
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ "logs:CreateLogGroup"
+ ],
+ Effect = "Allow",
+ Resource = "arn:aws:logs:*:*:*"
+ }
+ ]
+ })
+}
diff --git a/infrastructure/cloud/modules/security/kms.tf b/infrastructure/cloud/modules/security/kms.tf
index 1acf6bb1..e06d1c7f 100644
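Review bot: `data "aws_vpc" "default" { default = true }` plus the `default-for-az` filter pin the whole stack to the account's default VPC and its public subnets, with no way to target anything else; if the destination account has had its default VPC removed, as hardened accounts often do, the data source fails at plan time. At minimum, make the VPC id an optional input (`vpc_id = var.vpc_id != null ? var.vpc_id : data.aws_vpc.default.id`) and document at the top of the file, `# Dev-only: uses the account default VPC and its public subnets`, so the assumption is visible to whoever promotes this module.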
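Review bot: The ECR statement grants twelve actions on `Resource = "*"`, but an ECS execution role only needs `ecr:GetAuthorizationToken` (which genuinely requires `*`) plus `ecr:BatchCheckLayerAvailability`, `ecr:GetDownloadUrlForLayer` and `ecr:BatchGetImage` to pull; the repository-policy, lifecycle and scan-finding reads are surplus and, with the wildcard, reach every repository in the account. Split it into a token statement on `*` and a pull statement scoped to the repository the container module names (`${var.app_name}-ecr-repo-${var.environment}`, built by ARN pattern since the security module cannot reference the repository without a cycle), or attach the AWS-managed `AmazonECSTaskExecutionRolePolicy` if the wildcard is acceptable. `logs:CreateLogGroup` on `arn:aws:logs:*:*:*` is likewise unnecessary because the monitoring module creates the group; keep `CreateLogStream`/`PutLogEvents` and scope them to that group's ARN, noting the name below is inferred from `logs.tf` and should be confirmed.

```hcl
  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        # GetAuthorizationToken is account-wide and only supports "*".
        Action   = ["ecr:GetAuthorizationToken"],
        Effect   = "Allow",
        Resource = "*"
      },
      {
        # Pull permissions, limited to this application's repository.
        Action = [
          "ecr:BatchCheckLayerAvailability",
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchGetImage"
        ],
        Effect   = "Allow",
        Resource = "arn:aws:ecr:*:*:repository/${var.app_name}-ecr-repo-${var.environment}"
      },
      {
        # The log group is created by the monitoring module; the task only writes to it.
        Action   = ["logs:CreateLogStream", "logs:PutLogEvents"],
        Effect   = "Allow",
        Resource = "arn:aws:logs:*:*:log-group:${var.app_name}-ecs-web-log-group-${var.environment}:*"
      }
    ]
  })
```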
--- a/infrastructure/cloud/modules/security/kms.tf +++ b/infrastructure/cloud/modules/security/kms.tf @@ -5,12 +5,12 @@ resource "aws_kms_key" "kms_key" { description = "KMS key for encryption" deletion_window_in_days = 10 enable_key_rotation = true - is_enabled = true + is_enabled = true # policy = data.aws_iam_policy_document.kms_policy.json tags = { - Application="${var.application_name}-${var.environment}" - Name="${var.kms_key_name}-${var.environment}" - Environment="${var.environment}" + Application = "${var.app_name}-${var.environment}" + Name = "${var.kms_key_name}-${var.environment}" + Environment = "${var.environment}" } } diff --git a/infrastructure/cloud/modules/security/outputs.tf b/infrastructure/cloud/modules/security/outputs.tf index 5a0cf3dd..cdcab9a5 100644 --- a/infrastructure/cloud/modules/security/outputs.tf +++ b/infrastructure/cloud/modules/security/outputs.tf @@ -1,4 +1,8 @@ -output kms_key_alias { +output "kms_key_alias" { value = aws_kms_alias.kms_alias.name -} \ No newline at end of file +} + +output "ecs_execution_role_arn" { + value = aws_iam_role.ecs_execution_role.arn +} diff --git a/infrastructure/cloud/modules/security/variables.tf b/infrastructure/cloud/modules/security/variables.tf index d01e7022..5b6b2611 100644 --- a/infrastructure/cloud/modules/security/variables.tf +++ b/infrastructure/cloud/modules/security/variables.tf 
@@ -1,19 +1,14 @@ +variable "kms_key_name" { + description = "Name of KMS key" + type = string +} - -variable application_name { - type = string +variable "app_name" { description = "The name of the application" - default = "bcgov-jasper-aws-bootstrap" + type = string } -variable environment { - type = string - description = "The environment to deploy the application to" - default = "dev" +variable "environment" { + description = "The AWS environment to deploy to" + type = string } - -variable kms_key_name { - type = string - description = "The name of the KMS key to create" - default = "jasper-kms-key" -} \ No newline at end of file diff --git a/infrastructure/cloud/modules/storage/s3buckets.tf b/infrastructure/cloud/modules/storage/s3buckets.tf index 3b52c52c..cbcfb222 100644 --- a/infrastructure/cloud/modules/storage/s3buckets.tf +++ b/infrastructure/cloud/modules/storage/s3buckets.tf @@ -10,9 +10,9 @@ resource "aws_s3_bucket" "test_s3_bucket" { bucket = "${var.test_s3_bucket_name}-${var.environment}" tags = { - Application="${var.application_name}-${var.environment}" - Name="${var.test_s3_bucket_name}-${var.environment}" - Environment="${var.environment}" + Application = "${var.app_name}-${var.environment}" + Name = "${var.test_s3_bucket_name}-${var.environment}" + Environment = "${var.environment}" } } diff --git a/infrastructure/cloud/modules/storage/variables.tf b/infrastructure/cloud/modules/storage/variables.tf index d861ae30..b84b2529 100644 --- a/infrastructure/cloud/modules/storage/variables.tf +++ b/infrastructure/cloud/modules/storage/variables.tf 
@@ -1,23 +1,20 @@ -variable test_s3_bucket_name { - type = string +variable "test_s3_bucket_name" { + type = string description = "The name of the S3 bucket to create for testing" } -variable application_name { - type = string - description = "The name of the application" - default = "bcgov-jasper-aws-bootstrap" +variable "kms_key_name" { + description = "Name of KMS key" + type = string } -variable environment { - type = string - description = "The environment to deploy the application to" - default = "dev" +variable "app_name" { + description = "The name of the application" + type = string } -variable kms_key_name { - type = string - description = "The name of the KMS key" - default = "jasper-kms-key" -} \ No newline at end of file +variable "environment" { + description = "The AWS environment to deploy to" + type = string +}