diff --git a/terraform/ghg-features-api-shared-vpc/.gitignore b/terraform/ghg-features-api-shared-vpc/.gitignore
new file mode 100644
index 0000000..4056b35
--- /dev/null
+++ b/terraform/ghg-features-api-shared-vpc/.gitignore
@@ -0,0 +1,3 @@
+*.tfstate
+.terraform
+*.zip
diff --git a/terraform/ghg-features-api-shared-vpc/.terraform.lock.hcl b/terraform/ghg-features-api-shared-vpc/.terraform.lock.hcl
new file mode 100644
index 0000000..82855e2
--- /dev/null
+++ b/terraform/ghg-features-api-shared-vpc/.terraform.lock.hcl
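Review bot: `*.tfstate` does not match `terraform.tfstate.backup` or any other `*.tfstate.*` file that a local run or a failed backend migration leaves behind, and state for this stack carries the RDS master password produced by `random_password.master_password` (secret_manager.tf) in plaintext; add `*.tfstate.*` next to it. `*.tfvars` is also worth ignoring here, since per-account values for `var.vpc_id`, `var.dns_zone_name` and friends tend to end up in such files. The S3 backend in init.tf means state should normally never be written locally, but the ignore file is the last line of defence when it is.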
@@ -0,0 +1,123 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "4.67.0" + constraints = "~> 4.0, >= 4.22.0, >= 4.63.0" + hashes = [ + "h1:dCRc4GqsyfqHEMjgtlM1EympBcgTmcTkWaJmtd91+KA=", + "zh:0843017ecc24385f2b45f2c5fce79dc25b258e50d516877b3affee3bef34f060", + "zh:19876066cfa60de91834ec569a6448dab8c2518b8a71b5ca870b2444febddac6", + "zh:24995686b2ad88c1ffaa242e36eee791fc6070e6144f418048c4ce24d0ba5183", + "zh:4a002990b9f4d6d225d82cb2fb8805789ffef791999ee5d9cb1fef579aeff8f1", + "zh:559a2b5ace06b878c6de3ecf19b94fbae3512562f7a51e930674b16c2f606e29", + "zh:6a07da13b86b9753b95d4d8218f6dae874cf34699bca1470d6effbb4dee7f4b7", + "zh:768b3bfd126c3b77dc975c7c0e5db3207e4f9997cf41aa3385c63206242ba043", + "zh:7be5177e698d4b547083cc738b977742d70ed68487ce6f49ecd0c94dbf9d1362", + "zh:8b562a818915fb0d85959257095251a05c76f3467caa3ba95c583ba5fe043f9b", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9c385d03a958b54e2afd5279cd8c7cbdd2d6ca5c7d6a333e61092331f38af7cf", + "zh:b3ca45f2821a89af417787df8289cb4314b273d29555ad3b2a5ab98bb4816b3b", + "zh:da3c317f1db2469615ab40aa6baba63b5643bae7110ff855277a1fb9d8eb4f2c", + "zh:dc6430622a8dc5cdab359a8704aec81d3825ea1d305bbb3bbd032b1c6adfae0c", + "zh:fac0d2ddeadf9ec53da87922f666e1e73a603a611c57bcbc4b86ac2821619b1d", + ] +} + +provider "registry.terraform.io/hashicorp/external" { + version = "2.3.1" + constraints = ">= 1.0.0" + hashes = [ + "h1:bROCw6g5D/3fFnWeJ01L4IrdnJl1ILU8DGDgXCtYzaY=", + "zh:001e2886dc81fc98cf17cf34c0d53cb2dae1e869464792576e11b0f34ee92f54", + "zh:2eeac58dd75b1abdf91945ac4284c9ccb2bfb17fa9bdb5f5d408148ff553b3ee", + "zh:2fc39079ba61411a737df2908942e6970cb67ed2f4fb19090cd44ce2082903dd", + "zh:472a71c624952cff7aa98a7b967f6c7bb53153dbd2b8f356ceb286e6743bb4e2", + "zh:4cff06d31272aac8bc35e9b7faec42cf4554cbcbae1092eaab6ab7f643c215d9", + 
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:7ed16ccd2049fa089616b98c0bd57219f407958f318f3c697843e2397ddf70df", + "zh:842696362c92bf2645eb85c739410fd51376be6c488733efae44f4ce688da50e", + "zh:8985129f2eccfd7f1841ce06f3bf2bbede6352ec9e9f926fbaa6b1a05313b326", + "zh:a5f0602d8ec991a5411ef42f872aa90f6347e93886ce67905c53cfea37278e05", + "zh:bf4ab82cbe5256dcef16949973bf6aa1a98c2c73a98d6a44ee7bc40809d002b8", + "zh:e70770be62aa70198fa899526d671643ff99eecf265bf1a50e798fc3480bd417", + ] +} + +provider "registry.terraform.io/hashicorp/local" { + version = "2.4.0" + constraints = ">= 1.0.0" + hashes = [ + "h1:R97FTYETo88sT2VHfMgkPU3lzCsZLunPftjSI5vfKe8=", + "zh:53604cd29cb92538668fe09565c739358dc53ca56f9f11312b9d7de81e48fab9", + "zh:66a46e9c508716a1c98efbf793092f03d50049fa4a83cd6b2251e9a06aca2acf", + "zh:70a6f6a852dd83768d0778ce9817d81d4b3f073fab8fa570bff92dcb0824f732", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:82a803f2f484c8b766e2e9c32343e9c89b91997b9f8d2697f9f3837f62926b35", + "zh:9708a4e40d6cc4b8afd1352e5186e6e1502f6ae599867c120967aebe9d90ed04", + "zh:973f65ce0d67c585f4ec250c1e634c9b22d9c4288b484ee2a871d7fa1e317406", + "zh:c8fa0f98f9316e4cfef082aa9b785ba16e36ff754d6aba8b456dab9500e671c6", + "zh:cfa5342a5f5188b20db246c73ac823918c189468e1382cb3c48a9c0c08fc5bf7", + "zh:e0e2b477c7e899c63b06b38cd8684a893d834d6d0b5e9b033cedc06dd7ffe9e2", + "zh:f62d7d05ea1ee566f732505200ab38d94315a4add27947a60afa29860822d3fc", + "zh:fa7ce69dde358e172bd719014ad637634bbdabc49363104f4fca759b4b73f2ce", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.1" + constraints = ">= 2.0.0" + hashes = [ + "h1:FbGfc+muBsC17Ohy5g806iuI1hQc4SIexpYCrQHQd8w=", + "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", + "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", + "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5", + 
"zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238", + "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc", + "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970", + "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2", + "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5", + "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f", + "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.5.1" + hashes = [ + "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=", + "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64", + "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d", + "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831", + "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3", + "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b", + "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2", + "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865", + "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03", + "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602", + "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014", + ] +} + +provider "registry.terraform.io/hashicorp/template" { + version = "2.2.0" + hashes = [ + "h1:0wlehNaxBX7GJQnPfQwTNvvAf38Jm0Nv7ssKGMaG6Og=", + "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=", + "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", + 
"zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53",
+ "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603",
+ "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16",
+ "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776",
+ "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451",
+ "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae",
+ "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde",
+ "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d",
+ "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2",
+ ]
+}
+
diff --git a/terraform/ghg-features-api-shared-vpc/dns.tf b/terraform/ghg-features-api-shared-vpc/dns.tf
new file mode 100644
index 0000000..65ab077
--- /dev/null
+++ b/terraform/ghg-features-api-shared-vpc/dns.tf
@@ -0,0 +1,34 @@
+data "aws_route53_zone" "zone" {
+ provider = aws.west2
+ name = var.dns_zone_name
+}
+
+resource "aws_acm_certificate" "cert" {
+ provider = aws.west2
+ domain_name = "*.${data.aws_route53_zone.zone.name}"
+ validation_method = "DNS"
+ tags = var.tags
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+resource "aws_route53_record" "subdomain_record" {
+ provider = aws.west2
+ name = "${var.dns_subdomain}.${data.aws_route53_zone.zone.name}"
+ zone_id = data.aws_route53_zone.zone.id
+ type = "A"
+
+ alias {
+ name = aws_alb.alb_ecs.dns_name
+ zone_id = aws_alb.alb_ecs.zone_id
+ evaluate_target_health = true
+ }
+}
+
+resource "aws_lb_listener_certificate" "cert" {
+ provider = aws.west2
+ listener_arn = aws_alb_listener.alb_listener_ecs.arn
+ certificate_arn = aws_acm_certificate.cert.arn
+}
\ No newline at end of file
diff --git a/terraform/ghg-features-api-shared-vpc/ecr.tf b/terraform/ghg-features-api-shared-vpc/ecr.tf
new file mode 100644
index 0000000..b09467a
--- /dev/null
+++ b/terraform/ghg-features-api-shared-vpc/ecr.tf
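Review bot: `aws_acm_certificate.cert` asks for DNS validation but nothing in the diff writes the validation CNAME into the zone or waits for issuance, so `aws_alb_listener.alb_listener_ecs` (load_balancer_west_2.tf) and `aws_lb_listener_certificate.cert` reference a certificate that may still be pending, which listener creation rejects. Add a `for_each` record over `domain_validation_options` plus an `aws_acm_certificate_validation` resource, and have the listener take `certificate_arn` from the validation resource so the ordering is explicit. The wildcard `*.${zone}` also covers every host in the zone; if only `${var.dns_subdomain}` needs TLS, a single-name certificate limits the impact of the ALB's key being exposed. `aws_lb_listener_certificate.cert` attaches the same certificate the listener already carries as its default and can be dropped.
```hcl
resource "aws_route53_record" "cert_validation" {
  provider = aws.west2
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = data.aws_route53_zone.zone.zone_id
}

resource "aws_acm_certificate_validation" "cert" {
  provider                = aws.west2
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]
}

# … unchanged: aws_route53_record.subdomain_record …
```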
@@ -0,0 +1,10 @@
+module "ecr_registry" {
+ source = "github.com/developmentseed/tf-seed/modules/aws_ecr"
+ environment = var.env
+ registry_name = var.project_name
+ enable_registry_scanning = true
+ mutable_image_tags = true
+ enable_deploy_user = true
+ iam_deploy_username = aws_iam_user.deploy_user.name
+ tags = var.tags
+}
\ No newline at end of file
diff --git a/terraform/ghg-features-api-shared-vpc/ecs_api.tf b/terraform/ghg-features-api-shared-vpc/ecs_api.tf
new file mode 100644
index 0000000..644f944
--- /dev/null
+++ b/terraform/ghg-features-api-shared-vpc/ecs_api.tf
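Review bot: `mutable_image_tags = true` combined with the `:latest` reference in ecs_api.tf means the running task is never pinned to a specific image, so anyone with push rights to the registry changes what runs in production without a Terraform change, and a rollback has no fixed target; set `mutable_image_tags = false` and pass the deployed tag or digest in as a variable. The module `source` carries no `?ref=` pin, so every `terraform init` pulls whatever the default branch of tf-seed holds at that moment; pin it, e.g. `source = "github.com/developmentseed/tf-seed/modules/aws_ecr?ref=<TAG_OR_COMMIT>"` (placeholder). `enable_registry_scanning = true` is the right default; a comment stating which scan findings are expected to gate deploys would make the intent explicit.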
@@ -0,0 +1,133 @@
+data "aws_subnets" "private" {
+ filter {
+ name = "vpc-id"
+ values = [var.vpc_id]
+ }
+
+ tags = {
+ "aws-cdk:subnet-name" = "private"
+ }
+}
+
+module "ecs_cluster" {
+ source = "../modules/aws_ecs_service"
+ environment = var.env
+ region = var.region
+ vpc_id = var.vpc_id
+ subnet_ids = data.aws_subnets.private.ids
+
+ service_name = "${var.project_name}-service"
+ service_port = var.service_port
+ service_protocol = "tcp"
+ cpu = 2048
+ memory = 4096
+ instance_count = 1
+ log_retention_days = 60
+
+ container_command = ["/bin/bash", "startup.sh"]
+ container_working_directory = "/tmp/"
+
+ container_secrets = [
+ {
+ name = "AWS_CONFIG"
+ valueFrom = aws_secretsmanager_secret.config.arn
+ },
+ {
+ name = "DB_CONFIG"
+ valueFrom = aws_secretsmanager_secret.db_config.arn
+ },
+ ]
+
+ container_environment = [
+ {
+ name = "ENVIRONMENT"
+ value = var.env
+ },
+ {
+ name = "IS_ECS"
+ value = "True"
+ },
+ {
+ name = "OTEL_PROPAGATORS"
+ value = "xray"
+ },
+ {
+ name = "OTEL_PYTHON_ID_GENERATOR"
+ value = "xray"
+ },
+ {
+ name = "OTEL_RESOURCE_ATTRIBUTES"
+ value = "service.name=veda-wfs3-${var.env}"
+ },
+ {
+ name = "OTEL_RESOURCE_ATTRIBUTES"
+ value = "service.name=veda-wfs3-${var.env}"
+ },
+ {
+ name = "OTEL_TRACES_SAMPLER"
+ value = "traceidratio"
+ },
+ {
+ name = "OTEL_TRACES_SAMPLER_ARG"
+ value = "0.5"
+ },
+ {
+ name = "FORWARDED_ALLOW_IPS"
+ value = "*"
+ },
+ {
+ // stupid hack b/c of FastAPI and Starlette bug
+ name = "FAST_API_SCHEME"
+ value = var.env == "dev" ? "https" : "http" //quick hack for now, TODO: include 'contains' function
+ }
+ ]
+
+ container_ingress_cidrs = ["0.0.0.0/0"]
+ container_ingress_sg_ids = []
+
+ use_adot_as_sidecar = false
+ use_ecr = true
+ ecr_repository_name = module.ecr_registry.registry_name
+ ecr_repository_arn = module.ecr_registry.registry_arn
+ image = "${module.ecr_registry.repository_url}:latest"
+
+ load_balancer = true
+ lb_type = "application"
+ lb_target_group_arn = aws_alb_target_group.alb_target_group.arn
+ lb_security_group_id = aws_security_group.web_inbound_sg.id
+ lb_container_port = var.service_port
+
+ tags = var.tags
+}
+
+##############################################################
+# The ECS task execution role represented by the output
+# `module.ecs_cluster.ecs_execution_role_id`
+# requires additional policies depending on what it needs
+# to access in AWS. Hence the attachments below
+##############################################################
+
+##############################################################
+# give acess to AWS secret manager to access
+# `container_secrets` pumped into the task above
+#
+data "aws_iam_policy_document" "api_ecs_execution_attachment" {
+ statement {
+ actions = [
+ "secretsmanager:DescribeSecret",
+ "secretsmanager:GetSecretValue",
+ "kms:Decrypt",
+ ]
+
+ resources = [
+ aws_secretsmanager_secret.config.arn,
+ aws_secretsmanager_secret.db_config.arn
+ ]
+ }
+}
+
+resource "aws_iam_role_policy" "api_ecs_execution_role_policy" {
+ name = "${var.project_name}-api-access-secret-manager"
+ role = module.ecs_cluster.ecs_execution_role_id
+ policy = data.aws_iam_policy_document.api_ecs_execution_attachment.json
+}
diff --git a/terraform/ghg-features-api-shared-vpc/github_deploy_user.tf b/terraform/ghg-features-api-shared-vpc/github_deploy_user.tf
new file mode 100644
index 0000000..ad737c6
--- /dev/null
+++ b/terraform/ghg-features-api-shared-vpc/github_deploy_user.tf
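Review bot: `container_ingress_cidrs = ["0.0.0.0/0"]` admits traffic to the task port from any source the private subnets can route from, while `lb_security_group_id` names `aws_security_group.web_inbound_sg`, which is not the group the ALB actually carries (`aws_alb.alb_ecs` in load_balancer_west_2.tf attaches `https_web_inbound_sg`), so if the module derives its task ingress rule from `lb_security_group_id` the ALB is presumably only getting in through the wide-open CIDR rule. Restrict ingress to the load balancer: `container_ingress_cidrs = []`, `container_ingress_sg_ids = [aws_security_group.https_web_inbound_sg.id]`, `lb_security_group_id = aws_security_group.https_web_inbound_sg.id`; this matters doubly because `FORWARDED_ALLOW_IPS = "*"` makes the app trust `X-Forwarded-*` headers from any peer, which is only sound when the ALB is the sole path in. `OTEL_RESOURCE_ATTRIBUTES` is listed twice in `container_environment` with the same value; drop the duplicate, since repeated environment names in a task definition are at best ignored. `module "ecs_cluster"` lives in `../modules/aws_ecs_service`, which is outside this diff, so how it consumes these inputs should be confirmed there.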
@@ -0,0 +1,32 @@
+resource "aws_iam_user" "deploy_user" {
+ name = "veda-wfs3-${var.env}-deploy-user"
+ path = "/"
+ tags = var.tags
+}
+
+// NOTE: we need to have extra policies added to our
+// deploy user for Github AWS Actions to work
+resource "aws_iam_user_policy" "deploy" {
+ name = "${var.registry_name}_deploy_extended"
+ user = aws_iam_user.deploy_user.name
+ policy = data.aws_iam_policy_document.extended_deploy.json
+}
+
+data "aws_iam_policy_document" "extended_deploy" {
+ statement {
+ actions = [
+ "iam:PassRole",
+ "ecr:InitiateLayerUpload",
+ "ecs:RegisterTaskDefinition",
+ "ecs:DescribeServices",
+ "ecs:UpdateService",
+ ]
+
+ resources = [
+ module.ecr_registry.registry_arn,
+ module.ecs_cluster.service_cluster_arn,
+ module.ecs_cluster.service_arn,
+ module.ecs_cluster.ecs_execution_role_arn,
+ ]
+ }
+}
\ No newline at end of file
diff --git a/terraform/ghg-features-api-shared-vpc/init.tf b/terraform/ghg-features-api-shared-vpc/init.tf
new file mode 100644
index 0000000..276e1c3
--- /dev/null
+++ b/terraform/ghg-features-api-shared-vpc/init.tf
@@ -0,0 +1,24 @@
+provider "aws" {
+ alias = "west1"
+ region = "us-west-1"
+}
+
+provider "aws" {
+ alias = "west2"
+ region = "us-west-2"
+}
+
+terraform {
+ required_version = "1.3.9"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.0"
+ }
+ }
+ backend "s3" {
+ bucket = "ghg-wfs3-tf-state-bucket"
+ key = "root"
+ region = "us-west-2"
+ }
+}
diff --git a/terraform/ghg-features-api-shared-vpc/load_balancer_west_2.tf b/terraform/ghg-features-api-shared-vpc/load_balancer_west_2.tf
new file mode 100644
index 0000000..60b6033
--- /dev/null
+++ b/terraform/ghg-features-api-shared-vpc/load_balancer_west_2.tf
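Review bot: `aws_iam_user.deploy_user` is a long-lived principal whose static access keys (the ECR module's `enable_deploy_user` presumably issues them) end up stored as GitHub secrets; for GitHub Actions the preferred pattern is an OIDC identity provider with an `aws_iam_role` whose trust policy is scoped to the repository and branch, which removes the key from the secret store altogether. Within `extended_deploy`, `ecs:RegisterTaskDefinition` has no resource-level permissions as far as I know, so listing it in a statement scoped to these four ARNs will not authorize the call (verify against the ECS IAM reference); give it its own statement with `resources = ["*"]`, which also makes that over-scope visible. `iam:PassRole` is correctly limited to the execution role, but if the task definition also carries a task role, that ARN must be added too. `var.registry_name` differs from the `var.project_name` used everywhere else in this stack; confirm it is declared, since variables.tf is not in this diff.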
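Review bot: The `s3` backend block sets neither `encrypt = true` nor a `dynamodb_table`, and this state will contain `random_password.master_password` and the `aws_secretsmanager_secret_version.db_credentials` string in plaintext; add `encrypt = true` and `dynamodb_table = "<LOCK_TABLE>"` (placeholder) so the state object is encrypted at rest and concurrent applies cannot corrupt it. Two aliased providers (`west1`, `west2`) are declared but no default `aws` provider, yet most resources in this diff (`aws_alb`, `aws_db_instance`, the ECS module's inputs) carry no `provider` argument and so resolve to an implicit default whose region comes from the caller's environment; declaring a default provider with `region = var.region` pins the ALB, RDS and the `aws.west2` DNS records to one region. `required_providers` lists only `aws` while the lock file pins `random`, `external`, `local`, `null` and `template`; declaring those with constraints avoids silent upgrades on the next `init -upgrade`.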
@@ -0,0 +1,144 @@
+data "aws_subnets" "public" {
+ filter {
+ name = "vpc-id"
+ values = [var.vpc_id]
+ }
+
+ tags = {
+ "aws-cdk:subnet-name" = "public"
+ }
+}
+
+data "aws_security_groups" "security_groups" {
+ filter {
+ name = "vpc-id"
+ values = [var.vpc_id]
+ }
+}
+
+/* security group for ALB */
+resource "aws_security_group" "web_inbound_sg" {
+ name = "tf-${var.project_name}-${var.env}-web-inbound-sg"
+ description = "Allow HTTP from Anywhere into ALB"
+ vpc_id = var.vpc_id
+
+ ingress {
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ from_port = 8
+ to_port = 0
+ protocol = "icmp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = "tf-${var.project_name}-${var.env}-web-inbound-sg"
+ }
+}
+
+resource "aws_security_group" "https_web_inbound_sg" {
+ name = "tf-${var.project_name}-${var.env}-https-web-inbound-sg"
+ description = "Allow HTTPS from Anywhere into ALB"
+ vpc_id = var.vpc_id
+
+ ingress {
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ from_port = 8
+ to_port = 8
+ protocol = "icmp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = "tf-${var.project_name}-${var.env}-https-web-inbound-sg"
+ }
+}
+
+resource "aws_alb" "alb_ecs" {
+ name = "tf-${var.project_name}-${var.env}-alb"
+ subnets = data.aws_subnets.public.ids
+ security_groups = [aws_security_group.https_web_inbound_sg.id]
+
+ tags = merge({
+ Name = "tf-${var.project_name}-alb"
+ }, var.tags)
+}
+
+resource "aws_alb_target_group" "alb_target_group" {
+ name = "tf-${var.project_name}-${var.env}-tgp"
+ port = var.service_port
+ protocol = "HTTP"
+ vpc_id = var.vpc_id
+ target_type = "ip"
+ deregistration_delay = 60
+
+ lifecycle {
+ create_before_destroy = true
+ }
+
+ health_check {
+ interval = 60
+ path = "/healthz"
+ port = var.service_port
+ protocol = "HTTP"
+ matcher = "200"
+ timeout = 5
+ healthy_threshold = 2
+ unhealthy_threshold = 4
+ }
+
+ depends_on = [
+ aws_alb.alb_ecs
+ ]
+}
+
+#resource "aws_alb_listener" "alb_listener_ecs" {
+# load_balancer_arn = aws_alb.alb_ecs.arn
+# port = 80
+# protocol = var.alb_protocol
+# depends_on = [aws_alb_target_group.alb_target_group]
+#
+# default_action {
+# target_group_arn = aws_alb_target_group.alb_target_group.arn
+# type = "forward"
+# }
+#}
+
+resource "aws_alb_listener" "alb_listener_ecs" {
+ load_balancer_arn = aws_alb.alb_ecs.arn
+ port = 443
+ protocol = var.alb_protocol
+ ssl_policy = "ELBSecurityPolicy-2016-08"
+ certificate_arn = aws_acm_certificate.cert.arn
+ depends_on = [aws_alb_target_group.alb_target_group]
+
+ default_action {
+ target_group_arn = aws_alb_target_group.alb_target_group.arn
+ type = "forward"
+ }
+}
\ No newline at end of file
diff --git a/terraform/ghg-features-api-shared-vpc/outputs.tf b/terraform/ghg-features-api-shared-vpc/outputs.tf
new file mode 100644
index 0000000..24013cc
--- /dev/null
+++ b/terraform/ghg-features-api-shared-vpc/outputs.tf
@@ -0,0 +1,19 @@
+output "rds_hostname" {
+ description = "RDS instance hostname"
+ value = aws_db_instance.db.address
+}
+
+output "rds_port" {
+ description = "RDS instance port"
+ value = aws_db_instance.db.port
+}
+
+output "rds_username" {
+ description = "RDS instance root username"
+ value = aws_db_instance.db.username
+}
+
+output "protocol_on_aws_alb_listener" {
+ description = "HTTP/HTTPS protocol on the ALB Listener"
+ value = aws_alb_listener.alb_listener_ecs.protocol
+}
diff --git a/terraform/ghg-features-api-shared-vpc/rds.tf b/terraform/ghg-features-api-shared-vpc/rds.tf
new file mode 100644
index 0000000..9727790
--- /dev/null
+++ b/terraform/ghg-features-api-shared-vpc/rds.tf
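Review bot: The 443 listener uses `ssl_policy = "ELBSecurityPolicy-2016-08"`, which still negotiates TLS 1.0 and 1.1, and its `protocol` is taken from `var.alb_protocol` while `port = 443` and `certificate_arn` are fixed, so a variable value of `HTTP` yields a listener that either fails to create or serves plaintext on 443; pin both, `protocol = "HTTPS"` and `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"`, and let the output in outputs.tf report the fixed value. `web_inbound_sg` (port 80) is created but the ALB attaches only `https_web_inbound_sg` and the port-80 listener is commented out, so either delete the unused group or restore the listener with a `redirect` default action to 443 so plain-HTTP clients are upgraded rather than refused. The ICMP rules differ between the two groups (`from_port = 8, to_port = 0` is echo-request type 8 code 0; `from_port = 8, to_port = 8` is not a meaningful code) and deserve a comment stating why an internet-facing ALB needs inbound ICMP at all. `data.aws_security_groups.security_groups` is unused in this diff and can go.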
@@ -0,0 +1,65 @@
+resource "aws_db_subnet_group" "db" {
+ name = "tf-${var.project_name}-${var.env}-subnet-group"
+ subnet_ids = data.aws_subnets.private.ids
+ tags = {
+ Name = "tf-${var.project_name}-subnet-group"
+ }
+}
+
+resource "aws_db_parameter_group" "default" {
+ name = "tf-${var.project_name}-${var.env}-postgres14-param-group"
+ family = "postgres14"
+
+ parameter {
+ name = "work_mem"
+ # NOTE: I had `work_mem` set to ~100MB and `max_connections` around 75 and TileJSON completely failed
+ # 16MB
+ value = var.env == "staging" ? "16384" : "8192"
+ }
+
+ parameter {
+ name = "max_connections"
+ value = "475"
+ apply_method = "pending-reboot"
+ }
+
+ # NOTE: here to show what shared_buffers are but doesn't really make sense why it won't provision with these
+ # parameter {
+ # name = "shared_buffers"
+ # value = var.env == "staging" ? "8064856" : "4032428"
+ # apply_method = "pending-reboot"
+ # }
+
+ parameter {
+ name = "seq_page_cost"
+ value = "1"
+ }
+
+ parameter {
+ name = "random_page_cost"
+ value = "1.2"
+ }
+}
+
+resource "aws_db_instance" "db" {
+ db_name = "veda"
+ identifier = "${var.project_name}-${var.env}"
+ engine = "postgres"
+ engine_version = "14.3"
+ // https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html
+ allocated_storage = 100
+ max_allocated_storage = 500
+ storage_type = "gp2"
+ instance_class = var.env == "staging" ? "db.r5.xlarge" : "db.r5.large"
+ db_subnet_group_name = aws_db_subnet_group.db.name
+ skip_final_snapshot = true
+ apply_immediately = true
+ backup_retention_period = 7
+ vpc_security_group_ids = [aws_security_group.default_sg.id]
+ username = "postgres"
+ password = random_password.master_password.result
+ allow_major_version_upgrade = true
+ parameter_group_name = aws_db_parameter_group.default.name
+}
+
+
diff --git a/terraform/ghg-features-api-shared-vpc/secret_manager.tf b/terraform/ghg-features-api-shared-vpc/secret_manager.tf
new file mode 100644
index 0000000..eee26e8
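Review bot: `aws_db_instance.db` does not set `storage_encrypted = true`, so the volume, automated backups and snapshots of a non-Aurora Postgres instance default to unencrypted, and `skip_final_snapshot = true` with no `deletion_protection` means a `terraform destroy` or a forced replacement drops the database with no recovery point; add `storage_encrypted = true`, `deletion_protection = true` and, outside throwaway environments, `skip_final_snapshot = false` with a `final_snapshot_identifier`. `vpc_security_group_ids` references `aws_security_group.default_sg`, which is not defined in any file in this diff; if it lives in a file beyond this chunk, its ingress should admit only the ECS task security group on the Postgres port rather than a VPC-wide CIDR. `allow_major_version_upgrade = true` together with `apply_immediately = true` lets an `engine_version` edit take effect outside any maintenance window, which is worth a comment if intentional. `password` is sourced from `random_password.master_password` and therefore sits in state as well as in Secrets Manager, one more reason the backend in init.tf should be encrypted.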
--- /dev/null +++ b/terraform/ghg-features-api-shared-vpc/secret_manager.tf @@ -0,0 +1,53 @@ +######################################################################## +# Key for secrets +######################################################################## +data "aws_kms_key" "secretsmanager" { + key_id = "alias/aws/secretsmanager" +} + + +######################################################################## +# Secrets +######################################################################## +resource "random_id" "sm_suffix" { + byte_length = 2 +} + +resource "random_password" "master_password" { + length = 16 + special = false +} + +resource "aws_secretsmanager_secret" "config" { + name = "aws-config-${random_id.sm_suffix.hex}" + kms_key_id = data.aws_kms_key.secretsmanager.id + tags = var.tags +} + +resource "aws_secretsmanager_secret" "db_config" { + name = "veda-wfs3-${var.env}-db-config-v3" + kms_key_id = data.aws_kms_key.secretsmanager.id + tags = var.tags +} + +resource "aws_secretsmanager_secret_version" "db_credentials" { + secret_id = aws_secretsmanager_secret.db_config.id + secret_string = < /dev/null + | AWS_PROFILE=$AWS_PROFILE xargs -I{} aws ecs update-service --cluster {} --service {} --task-definition {} --force-new-deployment > /dev/null echo "[ SUCCESS ]:..."