WIP

somleng · Aug 23, 2024 · 7cf0804 · 7cf0804
1 parent 809c7e0
commit 7cf0804
Show file tree

Hide file tree

Showing 11 changed files with 103 additions and 55 deletions.
diff --git a/infrastructure/modules/efs/efs.tf b/infrastructure/modules/efs/efs.tf
@@ -0,0 +1,32 @@
+locals {
+  create_efs_file_system = var.file_system == null
+  efs_file_system        = local.create_efs_file_system ? aws_efs_file_system.this[0] : var.file_system
+}
+
+resource "aws_efs_file_system" "this" {
+  count          = local.create_efs_file_system ? 1 : 0
+  creation_token = var.name
+  encrypted      = true
+
+  tags = {
+    Name = var.name
+  }
+
+  lifecycle_policy {
+    transition_to_ia = "AFTER_30_DAYS"
+  }
+
+  lifecycle_policy {
+    transition_to_primary_storage_class = "AFTER_1_ACCESS"
+  }
+}
+
+resource "aws_efs_backup_policy" "this" {
+  count = local.create_efs_file_system ? 1 : 0
+
+  file_system_id = aws_efs_file_system.this[0].id
+
+  backup_policy {
+    status = "DISABLED"
+  }
+}
diff --git a/infrastructure/modules/efs/mount_targets.tf b/infrastructure/modules/efs/mount_targets.tf
@@ -0,0 +1,29 @@
+locals {
+  security_group_name = var.security_group_name == null ? var.name : var.security_group_name
+}
+
+resource "aws_efs_mount_target" "this" {
+  for_each = toset(var.vpc.intra_subnets)
+
+  file_system_id  = local.efs_file_system.id
+  subnet_id       = each.value
+  security_groups = [aws_security_group.this.id]
+}
+
+resource "aws_security_group" "this" {
+  name   = local.security_group_name
+  vpc_id = var.vpc.vpc_id
+
+  tags = {
+    Name = local.security_group_name
+  }
+}
+
+resource "aws_security_group_rule" "ingress" {
+  type              = "ingress"
+  protocol          = "TCP"
+  security_group_id = aws_security_group.this.id
+  cidr_blocks       = [var.vpc.vpc_cidr_block]
+  from_port         = 2049
+  to_port           = 2049
+}
diff --git a/infrastructure/modules/efs/outputs.tf b/infrastructure/modules/efs/outputs.tf
@@ -0,0 +1,3 @@
+output "file_system" {
+  value = local.efs_file_system
+}
diff --git a/infrastructure/modules/efs/variables.tf b/infrastructure/modules/efs/variables.tf
@@ -0,0 +1,8 @@
+variable "name" {}
+variable "vpc" {}
+variable "security_group_name" {
+  default = null
+}
+variable "file_system" {
+  default = null
+}
diff --git a/infrastructure/modules/switch/cache.tf b/infrastructure/modules/switch/cache.tf
@@ -0,0 +1,11 @@
+locals {
+  cache_file_system = var.cache_file_system != null ? var.cache_file_system : module.cache.file_system
+}
+
+module "cache" {
+  source              = "../efs"
+  vpc                 = var.vpc
+  name                = var.cache_name
+  security_group_name = var.cache_security_group_name
+  file_system         = var.cache_file_system
+}
diff --git a/infrastructure/modules/switch/ecs.tf b/infrastructure/modules/switch/ecs.tf
@@ -326,7 +326,7 @@ resource "aws_ecs_task_definition" "this" {
     name = "cache"
 
     efs_volume_configuration {
-      file_system_id     = aws_efs_file_system.cache.id
+      file_system_id     = local.cache_file_system.id
       transit_encryption = "ENABLED"
     }
   }

diff --git a/infrastructure/modules/switch/efs.tf b/infrastructure/modules/switch/efs.tf
diff --git a/infrastructure/modules/switch/outputs.tf b/infrastructure/modules/switch/outputs.tf
@@ -37,3 +37,7 @@ output "iam_task_role" {
 output "iam_task_execution_role" {
   value = local.iam_task_execution_role
 }
+
+output "cache_file_system" {
+  value = local.cache_file_system
+}
diff --git a/infrastructure/modules/switch/variables.tf b/infrastructure/modules/switch/variables.tf
@@ -66,7 +66,15 @@ variable "iam_task_execution_role" {
 
 variable "json_cdr_password_parameter" {}
 variable "services_function" {}
-variable "efs_cache_name" {}
+variable "cache_name" {
+  default = null
+}
+variable "cache_security_group_name" {
+  default = null
+}
+variable "cache_file_system" {
+  default = null
+}
 variable "internal_route53_zone" {}
 variable "internal_load_balancer" {}
 variable "internal_listener" {}

diff --git a/infrastructure/production/switch.tf b/infrastructure/production/switch.tf
@@ -5,7 +5,8 @@ module "switch" {
   app_environment                                    = var.app_environment
   json_cdr_url                                       = "https://api.internal.somleng.org/services/call_data_records"
   subdomain                                          = "switch"
-  efs_cache_name                                     = "somleng-switch-cache"
+  cache_name                                         = "somleng-switch-cache"
+  cache_security_group_name                          = "switch-efs-cache"
   recordings_bucket_name                             = "raw-recordings.somleng.org"
   application_master_key_parameter_name              = "somleng-switch.${var.app_environment}.application_master_key"
   rayo_password_parameter_name                       = "somleng-switch.${var.app_environment}.rayo_password"

diff --git a/infrastructure/staging/switch.tf b/infrastructure/staging/switch.tf
@@ -5,7 +5,8 @@ module "switch" {
   app_environment                                    = var.app_environment
   json_cdr_url                                       = "https://api-staging.internal.somleng.org/services/call_data_records"
   subdomain                                          = "switch-staging"
-  efs_cache_name                                     = "switch-staging-cache"
+  cache_name                                         = "switch-staging-cache"
+  cache_security_group_name                          = "switch-staging-efs-cache"
   recordings_bucket_name                             = "raw-recordings-staging.somleng.org"
   application_master_key_parameter_name              = "somleng-switch.${var.app_environment}.application_master_key"
   rayo_password_parameter_name                       = "somleng-switch.${var.app_environment}.rayo_password"
@@ -44,7 +45,7 @@ module "switch_helium" {
   app_environment                               = var.app_environment
   json_cdr_url                                  = "https://api-staging.internal.somleng.org/services/call_data_records"
   subdomain                                     = "switch-staging"
-  efs_cache_name                                = "switch-staging-cache"
+  cache_security_group_name                     = "switch-staging-efs-cache"
   recordings_bucket                             = module.switch.recordings_bucket
   recordings_bucket_access_key_id_parameter     = module.switch.recordings_bucket_access_key_id_parameter
   recordings_bucket_secret_access_key_parameter = module.switch.recordings_bucket_secret_access_key_parameter
@@ -54,6 +55,7 @@ module "switch_helium" {
   container_instance_profile                    = module.switch.container_instances.iam_instance_profile
   iam_task_role                                 = module.switch.iam_task_role
   iam_task_execution_role                       = module.switch.iam_task_execution_role
+  cache_file_system                             = module.switch.cache_file_system
 
   min_tasks = 0
   max_tasks = 2