Add ECS Terraform

#minor
ministryofjustice · Mar 21, 2024 · 0b4c294 · 0b4c294
1 parent c8a2bd9
commit 0b4c294
Show file tree

Hide file tree

Showing 13 changed files with 261 additions and 1 deletion.
diff --git a/terraform/environment/region/dns.tf b/terraform/environment/region/dns.tf
@@ -43,3 +43,5 @@ resource "aws_api_gateway_domain_name" "lpa_store" {
 
   provider = aws.region
 }
+
+# record for ECS
diff --git a/terraform/environment/region/fixtures.tf b/terraform/environment/region/fixtures.tf
@@ -0,0 +1,14 @@
+module "fixtures" {
+  count  = var.has_fixtures ? 1 : 0
+  source = "../../modules/fixtures_service"
+
+  environment_name      = var.environment_name
+  cloudwatch_kms_key_id = aws_kms_key.cloudwatch.arn
+  service_url           = local.domain_name
+
+  providers = {
+    aws.global     = aws.global
+    aws.management = aws.management
+    aws.region     = aws.region
+  }
+}
diff --git a/terraform/environment/region/terraform.tf b/terraform/environment/region/terraform.tf
@@ -5,8 +5,9 @@ terraform {
     aws = {
       source = "hashicorp/aws"
       configuration_aliases = [
-        aws.region,
+        aws.global,
         aws.management,
+        aws.region,
       ]
     }
   }

diff --git a/terraform/environment/region/variables.tf b/terraform/environment/region/variables.tf
@@ -43,6 +43,12 @@ variable "event_bus" {
   description = "Event bus to send events to"
 }
 
+variable "has_fixtures" {
+  description = "Whether the environment should have a fixtures container"
+  type        = bool
+  default     = false
+}
+
 variable "lpa_store_static_bucket" {
   description = "LPA Store Static bucket object for the region"
 }

diff --git a/terraform/environment/regions.tf b/terraform/environment/regions.tf
@@ -10,10 +10,12 @@ module "eu_west_1" {
   dynamodb_name_changes           = aws_dynamodb_table.changes_table.name
   environment_name                = local.environment_name
   event_bus                       = aws_cloudwatch_event_bus.main
+  has_fixtures                    = local.environment.has_fixtures
   lpa_store_static_bucket         = module.s3_lpa_store_static_eu_west_1.bucket
   lpa_store_static_bucket_kms_key = module.s3_lpa_store_static_eu_west_1.encryption_kms_key
 
   providers = {
+    aws.global     = aws.global
     aws.region     = aws.eu_west_1
     aws.management = aws.management_eu_west_1
   }
@@ -31,10 +33,12 @@ module "eu_west_2" {
   dynamodb_name_changes           = aws_dynamodb_table.changes_table.name
   environment_name                = local.environment_name
   event_bus                       = aws_cloudwatch_event_bus.main
+  has_fixtures                    = false
   lpa_store_static_bucket         = module.s3_lpa_store_static_eu_west_2.bucket
   lpa_store_static_bucket_kms_key = module.s3_lpa_store_static_eu_west_2.encryption_kms_key
 
   providers = {
+    aws.global     = aws.global
     aws.region     = aws.eu_west_2
     aws.management = aws.management_eu_west_2
   }

diff --git a/terraform/environment/terraform.tfvars.json b/terraform/environment/terraform.tfvars.json
@@ -4,6 +4,7 @@
       "account_id": "493907465011",
       "account_name": "development",
       "is_production": false,
+      "has_fixtures": true,
       "allowed_arns": [
         "arn:aws:iam::493907465011:role/operator",
         "arn:aws:iam::493907465011:role/lpa-store-ci"
@@ -16,6 +17,7 @@
       "account_id": "493907465011",
       "account_name": "development",
       "is_production": false,
+      "has_fixtures": true,
       "allowed_arns": [
         "arn:aws:iam::493907465011:role/operator",
         "arn:aws:iam::493907465011:role/lpa-store-ci",
@@ -31,6 +33,7 @@
       "account_id": "493907465011",
       "account_name": "development",
       "is_production": false,
+      "has_fixtures": true,
       "allowed_arns": [
         "arn:aws:iam::493907465011:role/operator",
         "arn:aws:iam::493907465011:role/lpa-store-ci",
@@ -44,6 +47,7 @@
       "account_id": "936779158973",
       "account_name": "preproduction",
       "is_production": false,
+      "has_fixtures": false,
       "allowed_arns": [
         "arn:aws:iam::936779158973:role/breakglass",
         "arn:aws:iam::936779158973:role/lpa-store-ci",
@@ -57,6 +61,7 @@
       "account_id": "764856231715",
       "account_name": "production",
       "is_production": true,
+      "has_fixtures": false,
       "allowed_arns": [
         "arn:aws:iam::764856231715:role/breakglass",
         "arn:aws:iam::764856231715:role/lpa-store-ci",

diff --git a/terraform/environment/variables.tf b/terraform/environment/variables.tf
@@ -29,6 +29,7 @@ variable "environments" {
       account_id         = string
       account_name       = string
       is_production      = bool
+      has_fixtures       = bool
       allowed_arns       = list(string)
       target_event_buses = list(string)
     })

diff --git a/terraform/modules/fixtures_service/cloudwatch.tf b/terraform/modules/fixtures_service/cloudwatch.tf
@@ -0,0 +1,7 @@
+resource "aws_cloudwatch_log_group" "fixtures" {
+  name              = "/ecs/fixtures-${var.environment_name}"
+  kms_key_id        = var.cloudwatch_kms_key_id
+  retention_in_days = 400
+
+  provider = aws.region
+}
diff --git a/terraform/modules/fixtures_service/ecr.tf b/terraform/modules/fixtures_service/ecr.tf
@@ -0,0 +1,4 @@
+data "aws_ecr_repository" "fixtures" {
+  name     = "lpa-store/fixtures"
+  provider = aws.management
+}
diff --git a/terraform/modules/fixtures_service/ecs.tf b/terraform/modules/fixtures_service/ecs.tf
@@ -0,0 +1,85 @@
+# networking + sg
+# loadbalancer + dns
+
+resource "aws_ecs_cluster" "main" {
+  name = "fixtures-${var.environment_name}"
+
+  provider = aws.region
+}
+
+resource "aws_ecs_service" "fixtures" {
+  name                  = "fixtures"
+  cluster               = aws_ecs_cluster.main.id
+  task_definition       = aws_ecs_task_definition.fixtures.arn
+  desired_count         = 1
+  platform_version      = "1.4.0"
+  wait_for_steady_state = true
+  propagate_tags        = "SERVICE"
+  launch_type           = "FARGATE"
+
+  # load_balancer {
+  #   target_group_arn = aws_lb_target_group.foo.arn
+  #   container_name   = "mongo"
+  #   container_port   = 8080
+  # }
+
+  # network_configuration {
+  #   security_groups  = [aws_security_group.mock_onelogin_ecs_service.id]
+  #   subnets          = var.network.application_subnets
+  #   assign_public_ip = false
+  # }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  provider = aws.region
+}
+
+resource "aws_ecs_task_definition" "fixtures" {
+  family                   = "fixtures-${var.environment_name}"
+  requires_compatibilities = ["FARGATE"]
+  network_mode             = "awsvpc"
+  cpu                      = 512
+  memory                   = 512
+  container_definitions    = "[${local.container_definition}]"
+  task_role_arn            = aws_iam_role.task_role.arn
+  execution_role_arn       = aws_iam_role.execution_role.arn
+
+  provider = aws.region
+}
+
+locals {
+  container_definition = jsonencode(
+    {
+      cpu                    = 1,
+      essential              = true,
+      image                  = "${data.aws_ecr_repository.fixtures.repository_url}:latest",
+      mountPoints            = [],
+      readonlyRootFilesystem = true
+      name                   = "fixtures",
+      portMappings = [
+        {
+          containerPort = 5000,
+          hostPort      = 80,
+          protocol      = "tcp"
+        }
+      ],
+      volumesFrom = [],
+      logConfiguration = {
+        logDriver = "awslogs",
+        options = {
+          awslogs-group         = aws_cloudwatch_log_group.fixtures.name,
+          awslogs-region        = data.aws_region.current.name,
+          awslogs-stream-prefix = var.environment_name
+        }
+      },
+      environment = [
+        {
+          name  = "BASE_URL",
+          value = "https://${var.service_url}",
+        }
+      ]
+    }
+  )
+}
diff --git a/terraform/modules/fixtures_service/iam.tf b/terraform/modules/fixtures_service/iam.tf
@@ -0,0 +1,99 @@
+resource "aws_iam_role" "task_role" {
+  name_prefix        = "fixtures-task-role-${var.environment_name}-"
+  assume_role_policy = data.aws_iam_policy_document.ecs_task_role_assume_policy.json
+
+  provider = aws.global
+}
+
+data "aws_iam_policy_document" "ecs_task_role_assume_policy" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      identifiers = ["ecs-tasks.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+
+  provider = aws.region
+}
+
+resource "aws_iam_role_policy" "task_role" {
+  name   = "fixtures-task-role-${var.environment_name}-${data.aws_region.current.name}"
+  role   = aws_iam_role.task_role.id
+  policy = data.aws_iam_policy_document.task_role.json
+
+  provider = aws.region
+}
+
+data "aws_iam_policy_document" "task_role" {
+  statement {
+    sid    = "AllowInvokeOnLpaStoreRestAPIs"
+    effect = "Allow"
+    actions = [
+      "execute-api:Invoke",
+      "execute-api:ManageConnections"
+    ]
+    resources = ["arn:aws:execute-api:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"]
+  }
+
+  provider = aws.region
+}
+
+
+resource "aws_iam_role" "execution_role" {
+  name_prefix        = "fixtures-execution-role-${var.environment_name}-"
+  assume_role_policy = data.aws_iam_policy_document.execution_assume_role.json
+
+  provider = aws.global
+}
+
+data "aws_iam_policy_document" "execution_assume_role" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      identifiers = ["ecs-tasks.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+
+  provider = aws.region
+}
+
+resource "aws_iam_role_policy" "execution_role" {
+  name   = "fixtures-execution-role-${var.environment_name}-${data.aws_region.current.name}"
+  role   = aws_iam_role.execution_role.id
+  policy = data.aws_iam_policy_document.execution_role.json
+
+  provider = aws.region
+}
+
+data "aws_iam_policy_document" "execution_role" {
+  statement {
+    effect = "Allow"
+    resources = [
+      "${data.aws_ecr_repository.fixtures.arn}",
+    ]
+    actions = [
+      "ecr:GetAuthorizationToken",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchGetImage",
+    ]
+  }
+  statement {
+    effect = "Allow"
+    resources = [
+      "${aws_cloudwatch_log_group.fixtures.arn}*",
+    ]
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+  }
+
+  provider = aws.region
+}
diff --git a/terraform/modules/fixtures_service/terraform.tf b/terraform/modules/fixtures_service/terraform.tf
@@ -0,0 +1,18 @@
+terraform {
+  required_version = ">= 1.4.0"
+
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      configuration_aliases = [
+        aws.global,
+        aws.management,
+        aws.region,
+      ]
+    }
+  }
+}
+
+data "aws_region" "current" {}
+
+data "aws_caller_identity" "current" {}
diff --git a/terraform/modules/fixtures_service/variables.tf b/terraform/modules/fixtures_service/variables.tf
@@ -0,0 +1,14 @@
+variable "environment_name" {
+  description = "The name of the environment the fixtures container is deployed to"
+  type        = string
+}
+
+variable "cloudwatch_kms_key_id" {
+  description = "KMS key used to encrypt CloudWatch logs"
+  type        = string
+}
+
+variable "service_url" {
+  description = "URL of the LPA Store service in this environment"
+  type        = string
+}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -43,3 +43,5 @@ resource "aws_api_gateway_domain_name" "lpa_store" {

		provider = aws.region
		}

		# record for ECS